Kaminsky Attack
DNS DAY
Tsuyoshi TOYONO (toyono@nttv6.net), with JPRS (@JPRS)
Overview
- DNS cache poisoning: a forged answer is accepted by a caching (recursive) DNS server and served to its clients until the record expires.
- Pharming: the poisoned record points a name at an attacker-chosen IP address, so users are silently redirected.
Cache poisoning: the race
- The resolver accepts the first response that matches its outstanding query; the forged RR then sits in the cache until its TTL runs out (the attacker picks the TTL).
- Simulation parameters: RTT 40 ms, resolver query rate 1 qps, forged responses 100 pps to 1000 pps, 1 (fixed) source port; time axis in minutes.
- At 1000 pps the success probability reaches 50% after 19 min (1136 s); the plot also marks 5 min (271 s) and a 100% label.
Cache poisoning: driving the query rate (the Kaminsky variant)
- Parameters: RTT 40 ms, 100 qps (the attacker makes the resolver ask for many random names under the target zone), forged responses 100 pps to 1000 pps, 1 source port; time axis in minutes.
- Result: poisoning in about 1 to 2 minutes (1/16).

Attacks observed in the wild
- AT&T (US), 2008/7/29, reported on the Metasploit blog:
  http://blog.metasploit.com/2008/07/on-dns-attacks-in-wild-and-journalistic.html
- CNC (China Netcom, CN), 2008/8/21, reported by Websense Security Labs, with malware distribution:
  http://securitylabs.websense.com/content/alerts/3163.aspx
Countermeasures
- Fundamental fix: DNSSEC. Immediate fix: apply the vendor patch (source port randomization) on every DNS server.
- Why the patch helps: before it, the attacker knows the (fixed) source port and only has to guess the 16-bit TXID, a 1/65536 chance per forged packet. After it, TXID (16 bit) x source port (16 bit) = 32 bits, about 1 in 4.3 billion per packet. Brute force remains possible, only far slower.
- Patch caching servers and stub resolvers (clients, including Windows) alike.
Port randomization (1): brute force after the patch
- Same parameters as before (RTT 40 ms, 1 qps, 100 pps to 1000 pps), but the search space grows from 1 port to 16 bits of ports; time axis in minutes.

Port randomization (2): a patched server is not immune
- Reported attack (*): forged responses at roughly 40,000 to 50,000 packets per second (4 to 5 in the slide's units), sustained over a LAN; a patched server was poisoned in about 10 hours.
  (*) http://tservice.net.ru/~s0mbre/blog/devel/networking/dns/2008_08_08.html
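The success-versus-time curves on the slides above (fixed port, 1 qps and 100 qps; random port) and the formula in the appendix can be reproduced with a few lines. This is an added example, not code from the talk: it implements P(s) = Rr * W / (N * Port * ID) and P(t) = 1 - (1 - P(s))^(t * Rq) with the slides' parameters; N = 1 authoritative server and the scenario labels are assumptions.

```python
"""Kaminsky-style cache poisoning: success probability versus attack time.

Added example, not code from the talk. Model (appendix of the slides):
    P(s) = Rr * W / (N * Port * ID)       one query poisoned
    P(t) = 1 - (1 - P(s)) ** (t * Rq)     poisoned within t seconds
Re-derives the talk's figure: RTT 40 ms, 1 qps, 1000 pps, one fixed
source port -> 50% after about 1136 s.  N = 1 is an assumption.
"""
import math

ID_SPACE = 65536        # 16-bit DNS transaction ID
PORT_SPACE = 65536      # 16-bit UDP source port (after the patch)


def p_single(rr, w, n=1, ports=1, ids=ID_SPACE):
    """Probability that a single query is answered by a forged response.

    rr: forged responses per second, w: acceptance window in seconds (~RTT),
    n: authoritative servers to guess among, ports/ids: search space sizes.
    """
    return min(1.0, rr * w / (n * ports * ids))


def p_by_time(t, rq, rr, w, n=1, ports=1, ids=ID_SPACE):
    """Probability that poisoning has succeeded within t seconds at rq queries/s."""
    ps = p_single(rr, w, n, ports, ids)
    return 1.0 - (1.0 - ps) ** (t * rq)


def time_to_prob(target, rq, rr, w, n=1, ports=1, ids=ID_SPACE):
    """Seconds until P(t) reaches `target` (0.5 gives the median time)."""
    ps = p_single(rr, w, n, ports, ids)
    if ps >= 1.0:
        return 0.0
    # log1p keeps precision when ps is ~1e-9 (randomized ports).
    return math.log(1.0 - target) / (rq * math.log1p(-ps))


# (label, rq, rr, ports): the talk's scenarios plus the patched case.
SCENARIOS = [
    ("fixed port, 1 qps, 1000 pps", 1, 1000, 1),
    ("fixed port, 1 qps, 100 pps", 1, 100, 1),
    ("fixed port, 100 qps, 100 pps", 100, 100, 1),
    ("random port, 1 qps, 1000 pps", 1, 1000, PORT_SPACE),
]


def median_times(w=0.04):
    """Time to 50% success for each scenario, in seconds (RTT window w)."""
    return {label: time_to_prob(0.5, rq, rr, w, ports=ports)
            for label, rq, rr, ports in SCENARIOS}


if __name__ == "__main__":
    for label, secs in median_times().items():
        print(f"{label:32s} 50% after {secs:14.1f} s = {secs / 60:12.1f} min")
```

The first scenario lands at about 1135 s (the slide's 1136 s, 19 min); driving the resolver to 100 qps cuts that to under two minutes; randomizing the port at 1 qps pushes the median past two years, which is why the patch buys time but, as the next slide shows, is not a cure at LAN packet rates.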
After the patch (port randomization): things to check
- The server now opens many UDP sockets and sends from a wide range of source ports. A config that pins the query source port (e.g. to 53) silently undoes the patch.
- NAT in front of the resolver may rewrite source ports sequentially and de-randomize them; check the NAT device too.
- DMZ ACLs and filtering must allow the full UDP high-port range for DNS. Other daemons on the host that use UDP high ports can collide with the pool; BIND's avoid-v4-udp-ports / avoid-v6-udp-ports option excludes specific ports.
- Recursion: restrict who may use the cache. Open recursion invites abuse (ISPs see bot-infected hosts driving attacks); apply filtering/ACLs, ingress filtering (uRPF) against spoofed source IPs, and keep authoritative service on separate IP addresses from the cache.
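The two configuration mistakes above (a pinned query source port and open recursion) are easy to audit mechanically. This is an added example, not from the talk or from ISC: it embeds a weak and a corrected named.conf fragment (both constructed) and a small checker that flags a numeric port on query-source and recursion without an allow-recursion ACL. The port numbers in avoid-v4-udp-ports are placeholders.

```python
"""Audit a BIND options block for settings that undo the port-randomization patch.

Added example (constructed configs, not a real deployment). Checks:
  * query-source / query-source-v6 with a fixed numeric port
  * recursion yes without an allow-recursion ACL (open resolver)
"""
import re

WEAK_CONF = """\
// Constructed example: defeats the patch and allows open recursion.
options {
    query-source address * port 53;   // every query leaves from UDP 53
    recursion yes;                    // no allow-recursion ACL at all
};
"""

FIXED_CONF = """\
// Constructed example: random source port, excluded ports, restricted recursion.
acl "our-clients" { 10.0.0.0/8; 127.0.0.1; };
options {
    query-source address *;                 // no port clause: BIND picks a random port
    avoid-v4-udp-ports { 4000; 5060; };     // placeholder ports used by other daemons
    recursion yes;
    allow-recursion { "our-clients"; };
};
"""


def strip_comments(text):
    """Remove /* */, // and # comments so commented-out lines are not flagged."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def audit_named_conf(text):
    """Return a list of human-readable findings; empty means no known weakness."""
    cfg = strip_comments(text)
    findings = []
    for m in re.finditer(r"\b(query-source(?:-v6)?)\s+([^;]*);", cfg):
        # "port *" is fine (random); only a literal port number is a problem.
        port = re.search(r"\bport\s+(\d+)", m.group(2))
        if port:
            findings.append(
                f"{m.group(1)} pins UDP port {port.group(1)}: "
                "source-port randomization is lost")
    if (re.search(r"\brecursion\s+yes\s*;", cfg)
            and not re.search(r"\ballow-recursion\s*\{", cfg)):
        findings.append("recursion yes without allow-recursion: open recursive resolver")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, audit_named_conf(conf) or ["ok"])
```

Run it against a real named.conf with `audit_named_conf(open(path).read())`; note that a pinned port hidden in an included file, or a NAT box outside the config, will not show up here, so the external check (a query to the entropy test services listed at the end) is still needed.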
Rate limiting
- Limiting the resolver to about 1 query per second per name or client only slows the attack; poisoning still succeeds eventually. For gTLD delegations the NS record TTLs decide how often the race can be re-run (?).

Authoritative side
- Lame delegations hand the attacker extra queries to race; review them.
- Choose TTLs on the authoritative server deliberately: a longer TTL means fewer re-fetches and fewer races.
Monitoring (1/2)
- Watch for: bursts of UDP responses to many ports, DoS-like response rates, poisoning attempts, and whether your own authoritative servers are being impersonated (spoofed source).
- Operational community: the dns-operations@dns-oarc.net list.

Monitoring (2/2)
- Authoritative-side detection, BIND patch by Fujiwara: http://member.wide.ad.jp/~fujiwara/
- Vantio (Nominum); ISC SIE
- Cache poisoning attempt detection tool: https://www.dns-oarc.net/node/141
- NTT PF: https://www.dns-oarc.net/files/workshop-2008/toyono.pdf (counting UDP DNS packets per interface, in/out, and UDP in/out ratios)
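The detection tools listed above share one idea: a forged-answer flood shows up as responses whose (port, TXID, name) match no query the resolver actually sent. The code below is an added illustration of that idea, not the DNS-OARC tool or the NTT PF code; the log format and the traffic sample are constructed, and the source IP 192.0.2.53 plays the impersonated authoritative server.

```python
"""Flag cache-poisoning attempts from a resolver's query/response log.

Added example (constructed log format and traffic, not a real tool).
A response is "unsolicited" when no outstanding query has the same
(port, TXID, qname); many unsolicited responses from one source inside a
short window is the signature of a Kaminsky-style flood.
"""
import re
from collections import defaultdict, deque

# Constructed log format, one event per line:
#   t=<sec> Q src=<resolver ip> port=<src port> id=<txid> q=<qname>   outgoing query
#   t=<sec> R src=<answer ip>   port=<dst port> id=<txid> q=<qname>   incoming response
LINE = re.compile(
    r"t=(?P<t>[\d.]+) (?P<kind>[QR]) src=(?P<src>\S+) port=(?P<port>\d+) "
    r"id=(?P<id>\d+) q=(?P<q>\S+)"
)


def build_sample_log():
    """Constructed traffic: 3 normal lookups, then a flood against 2 random names."""
    lines = []
    for i, (port, txid) in enumerate([(33412, 4660), (40001, 17), (51234, 65000)]):
        t = i * 0.5
        lines.append(f"t={t:.3f} Q src=10.0.0.2 port={port} id={txid} q=www{i}.example.com")
        lines.append(f"t={t + 0.03:.3f} R src=192.0.2.53 port={port} id={txid} q=www{i}.example.com")
    t = 5.0
    for k in range(2):
        qname = f"k{k}.example.com"            # random name chosen by the attacker
        lines.append(f"t={t:.3f} Q src=10.0.0.2 port=44000 id={20000 + k} q={qname}")
        for g in range(30):                    # 30 TXID guesses, 1 ms apart
            t += 0.001
            lines.append(f"t={t:.3f} R src=192.0.2.53 port=44000 id={30000 + g} q={qname}")
        t += 0.05
    return lines


def detect(lines, window=1.0, threshold=10):
    """Return (alerts, stats).  One alert per source IP when it sends
    `threshold` unsolicited responses within `window` seconds."""
    outstanding = set()              # (port, txid, qname) awaiting an answer
    recent = defaultdict(deque)      # src ip -> timestamps of unsolicited responses
    stats = {"matched": 0, "unsolicited": 0}
    alerts, alerted = [], set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        t = float(m["t"])
        key = (int(m["port"]), int(m["id"]), m["q"].lower())
        if m["kind"] == "Q":
            outstanding.add(key)
            continue
        if key in outstanding:               # a real resolver also checks the server IP
            outstanding.discard(key)
            stats["matched"] += 1
            continue
        stats["unsolicited"] += 1
        dq = recent[m["src"]]
        dq.append(t)
        while dq and t - dq[0] > window:     # slide the window
            dq.popleft()
        if len(dq) >= threshold and m["src"] not in alerted:
            alerted.add(m["src"])
            alerts.append({"src": m["src"], "t": t, "count": len(dq), "qname": m["q"]})
    return alerts, stats


if __name__ == "__main__":
    found, counts = detect(build_sample_log())
    print(counts)
    for a in found:
        print(f"ALERT t={a['t']:.3f} {a['src']} {a['count']} unsolicited responses ({a['qname']})")
```

On the sample the three normal answers match and the flood trips the alert at its tenth guess, 10 ms in. In production the same counter is worth keeping per (source IP, queried zone) so that a single busy authoritative server does not mask a targeted flood, and a resolver with randomized ports will also see the guessed port differ from the real one.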
Monitoring results
- In one observation period, 3 ... queries for xxx.cn (?) and xxx.cn (DNS?) stood out; unpatched DNS servers versus poisoning attempts.

Who and what is exposed
- Unpatched Windows OS DNS, SOHO appliance boxes.
- Services that trust DNS: WWW, MX, ENUM, ACLs, reputation systems, load balancing, identity (OpenID, via proxies), web redirects.
- Consequences: pharming/phishing, spam, account cracking.
What comes next
- Deploy 0x20 (DNS-0x20): randomize the letter case of the query name (FoObAr.com vs foobar.com); a genuine answer echoes the case, so each letter adds a bit the attacker must guess.
- TCP fallback; IPv6 dual query; DNSCurve; DNSSEC!?
- DNSSEC questions: RFC status? ICANN plans a signed root for June 2009; the chain of trust; SOHO/DSL firewalls and appliance boxes that mangle large or signed responses; who signs which zone? signatures per second?
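To make the 0x20 bullet concrete, here is an added example (not code from the talk or from any resolver) of case-randomizing a query name, verifying the answer, and counting the entropy gained on top of TXID and port. Deriving the case bits from an HMAC over a per-query nonce and the name is an assumed design; the key and nonce values are placeholders.

```python
"""DNS-0x20: extra entropy from the case of the query name.

Added example, not a resolver's real implementation.  Each ASCII letter in
the qname is upper- or lower-cased from a keyed pseudo-random bit stream;
the resolver keeps the exact string it sent and accepts an answer only if
the answer's question name echoes that case byte for byte.
"""
import hashlib
import hmac


def encode_0x20(qname, key, nonce):
    """Return qname with randomized letter case (digits, dots, hyphens untouched).

    key:   resolver-wide secret (placeholder in the test below)
    nonce: per-query value, e.g. the outgoing TXID and port packed as bytes
    """
    lower = qname.lower()
    letters = sum(c.isalpha() for c in lower)
    if letters > 256:
        raise ValueError("qname longer than DNS allows (255 octets)")
    bits = hmac.new(key, nonce + lower.encode("ascii"), hashlib.sha256).digest()
    out, i = [], 0
    for ch in lower:
        if ch.isalpha():
            bit = (bits[i // 8] >> (i % 8)) & 1    # one fresh bit per letter
            out.append(ch.upper() if bit else ch)
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def verify_0x20(sent_qname, answer_qname):
    """Accept only an answer whose question section echoes the case we sent."""
    return sent_qname == answer_qname


def extra_bits(qname):
    """Entropy added by 0x20 for this name: one bit per ASCII letter."""
    return sum(1 for c in qname if c.isalpha())


def effective_entropy_bits(qname, port_bits=16, id_bits=16):
    """Bits an attacker must guess per forged packet: TXID + port + 0x20.

    Use port_bits=0 for an unpatched resolver with a fixed source port.
    """
    return id_bits + port_bits + extra_bits(qname)


if __name__ == "__main__":
    sent = encode_0x20("foobar.com", b"resolver-secret", b"\x12\x34\x9a\xbc")
    print(sent, extra_bits(sent), "extra bits")
    print("fixed port + 0x20:", effective_entropy_bits("www.example.com", port_bits=0), "bits")
    print("patched + 0x20:   ", effective_entropy_bits("www.example.com"), "bits")
```

The caveat the slide's "!?" hints at applies here too: a few authoritative servers and middleboxes lowercase the question name, so a strict verify_0x20 would reject their legitimate answers; a deployable resolver has to detect that and fall back to case-insensitive matching for those servers, giving up the extra bits only there.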
Summary
- Patch every DNS server and stub resolver now, and verify the randomization really reaches the wire.
- The patch buys time; DNSSEC is the fundamental fix.
Appendix: probability of successful poisoning

P(t): probability that poisoning has succeeded within t seconds
P(s): probability that a single query is answered by a forged response

\[ P(t) = 1 - \bigl(1 - P(s)\bigr)^{t \cdot R_q} \]

\[ P(s) = \frac{R_r \cdot W}{N \cdot Port \cdot ID} \]

t: elapsed attack time (seconds)
Rr: forged responses sent by the attacker (per second)
Rq: queries the resolver sends for names in the target zone (per second)
W: window in which a forged response is accepted, roughly the RTT to the authoritative server
N: number of authoritative servers the reply could come from (the scenarios above assume N = 1)
Port: number of source ports in use (fixed query port: 1; randomized: 65536)
ID: number of DNS transaction IDs (16 bit = 65536)

References

Security alerts
- JPRS: http://jprs.jp/tech/security/multiple-dns-vuln-cache-poisoning-update.html
- JPRS column: http://jpinfo.jp/topics-column/009.pdf
- JPNIC: http://www.nic.ad.jp/ja/topics/2008/20080709-02.html
- JPCERT/CC: http://www.jpcert.or.jp/at/2008/at080014.txt
- NTTv6: http://www.nttv6.net/files/dka-20080723.pdf
- US-CERT: http://www.kb.cert.org/vuls/id/800113
- CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-1447

Background
- Dan Kaminsky: http://www.doxpara.com/dmk_bo2k8.ppt and http://www.doxpara.com/?p=1204
- Steve Friedl's Unixwiz.net: http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html
- OARC: https://www.dns-oarc.net/node/131 and https://www.dns-oarc.net/oarc/workshop-2008/agenda
- CERT.at patch analysis: http://cert.at/static/cert.at-0802-DNS-patchanalysis-aug18.pdf

Check your own resolver
- OARC entropy test: https://www.dns-oarc.net/oarc/services/dnsentropy
- Dan Kaminsky's DNS Checker: http://www.doxpara.com/