Internet DRAFT - draft-fujiwara-dnsop-poisoning-measures

DNS Operations(dnsop)                                        K. Fujiwara
Internet-Draft                                                      JPRS
Intended status: Informational                              July 3, 2014
Expires: January 4, 2015


Detection and countermeasure of forged response cache poisoning attacks
             draft-fujiwara-dnsop-poisoning-measures-00.txt

Abstract

   Although the Domain Name System Security Extensions (DNSSEC) have
   been implemented, cache poisoning is still a big issue.  "ID Guessing
   and Query Prediction" type cache poisoning is detectable on a full
   resolver.  TCP transport has strong resistance to cache poisoning
   attacks.  This document proposes improvements to full resolvers for
   detecting and countering forged response cache poisoning attacks.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 4, 2015.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of



Fujiwara                 Expires January 4, 2015                [Page 1]

Internet-Draft     measure of Cache poisoning attacks          July 2014


   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Detection . . . . . . . . . . . . . . . . . . . . . . . . . .   2
   3.  Measures to forged response attacks . . . . . . . . . . . . .   3
   4.  Possible solution . . . . . . . . . . . . . . . . . . . . . .   3
   5.  Security considerations . . . . . . . . . . . . . . . . . . .   3
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   4
   7.  Normative References  . . . . . . . . . . . . . . . . . . . .   4

1.  Introduction

   "Threat Analysis of the Domain Name System (DNS)" [RFC3833] described
   "ID Guessing and Query Prediction" and brute force attacks.  Dan
   Kaminsky proposed an effective attack method [DK2008].  "Wikipedia
   DNS_spoofing" [Wikipedia_DNS_spoofing] describes concrete attack
   patterns.

   It is difficult to distinguish a forged response from an authentic
   response, as the identity fields such as port number and query ID can
   be guessed easily under certain circumstances.  The "Redirect the
   target domain's name server" attack is effective because it forges
   delegation information.  Kaminsky offered a continuation attack
   method that increases the probability of a successful attack.

   Detection of forged response attacks is described in Section 2.  A
   measure against forged response attacks is described in Section 3.  A
   possible solution is described in Section 4.

2.  Detection

   In almost all cases, the attacks described in Section 1 do not
   succeed in a single trial.  The probability of success in a single
   trial is 1 / (number of Query IDs, 2^16) / (number of ports, 2^16 -
   1024) / (number of DNS servers of the domain name).  A full resolver
   under attack receives many unmatched responses which have different
   query IDs, port numbers, IP addresses, or query names.  Most
   unmatched responses are cache poisoning attacks.

   These responses contain the resource records which attackers want to
   inject into the cache of the full resolver.  Attacked domain names
   can be picked up by parsing unmatched responses.

   Detailed logs are useful for DNS server operations.  They should
   contain the resource records which attackers want to inject.

   Log aggregation is important, since the number of forged responses
   may be very large and logging them consumes many resources.

   The log should contain summarized data from source IP addresses,
   destination IP address, destination port number, query names, query
   types, NS and glue RRs.
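
   The detection and log aggregation described in this section, as an
   added Python example that is not part of the original draft.  The
   class names, the record layout, and the choice to group unmatched
   responses by the NS and glue RRs they carry are assumptions; the
   addresses and names are constructed documentation values.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Response:
    src_ip: str
    dst_ip: str
    dst_port: int
    query_id: int
    qname: str
    qtype: str
    ns: tuple = ()    # (zone, nameserver) pairs from the authority section
    glue: tuple = ()  # (nameserver, address) pairs from the additional section

@dataclass
class Summary:
    count: int = 0
    src_ips: set = field(default_factory=set)
    dst_ips: set = field(default_factory=set)
    dst_ports: set = field(default_factory=set)
    qnames: set = field(default_factory=set)   # (query name, query type)

class UnmatchedAggregator:
    def __init__(self):
        self.outstanding = set()             # queries still awaiting a response
        self.summary = defaultdict(Summary)  # (ns, glue) -> Summary

    def sent(self, server_ip, local_ip, local_port, query_id, qname, qtype):
        self.outstanding.add(
            (server_ip, local_ip, local_port, query_id, qname.lower(), qtype))

    def received(self, r):
        """Return True for a matched response; aggregate an unmatched one."""
        key = (r.src_ip, r.dst_ip, r.dst_port, r.query_id, r.qname.lower(), r.qtype)
        if key in self.outstanding:
            self.outstanding.remove(key)
            return True
        s = self.summary[(r.ns, r.glue)]  # one log entry per injected RR set
        s.count += 1
        s.src_ips.add(r.src_ip)
        s.dst_ips.add(r.dst_ip)
        s.dst_ports.add(r.dst_port)
        s.qnames.add((r.qname.lower(), r.qtype))
        return False

    def report(self):
        """Aggregated entries, largest first, with the attacked zones."""
        rows = [{"zones": {zone for zone, _ in ns}, "ns": ns, "glue": glue, **vars(s)}
                for (ns, glue), s in self.summary.items()]
        return sorted(rows, key=lambda row: -row["count"])
```

   Grouping by the injected records keeps the log to one entry per
   attack even when every forged response uses a different query ID,
   port, and query name.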

3.  Measures to forged response attacks

   Using TCP as a DNS transport is a good countermeasure against forged
   response attacks.  First, each TCP packet has a 32-bit sequence
   number field, and predicting sequence numbers and controlling timing
   are very hard.  Second, the attacker needs to inject at least two
   packets: one to establish a TCP connection and the other to send a
   forged response.

   Using TCP transport may cause two issues.  First, it increases query
   response time.  Second, it causes performance issues for both full
   resolvers and authoritative DNS servers.

4.  Possible solution

   A feasible measure is a combination of the detection and the use of
   TCP transport.  A full resolver detects forged response attacks as
   described in Section 2.  If an attack is detected, the full resolver
   invalidates the name resolution states which contain target-of-attack
   domain names and restarts the name resolution using TCP transport.
   When the forged response attacks stop, the full resolver detects this
   and resumes using UDP transport for the attacked domains.  The
   switching delay may be the same value as the timeout for waiting for
   a response from authoritative DNS servers.
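
   The per-domain switch between UDP and TCP described above, as an
   added Python example that is not part of the original draft.  The
   class name, the detection threshold and counting window, and the cap
   on the number of domains held on TCP are assumptions; the draft
   specifies none of them.  The cap bounds the extra state that forged
   responses can make the resolver keep.

```python
class TransportPolicy:
    """Per-domain UDP/TCP selection driven by unmatched-response counts."""

    def __init__(self, threshold=3, window=5.0, revert_after=5.0,
                 max_tcp_domains=1000):
        self.threshold = threshold        # unmatched responses that count as an attack
        self.window = window              # seconds over which they are counted
        self.revert_after = revert_after  # quiet time before UDP resumes,
                                          # e.g. the upstream query timeout
        self.max_tcp_domains = max_tcp_domains  # bound on forced-TCP state
        self.hits = {}       # domain -> timestamps of recent unmatched responses
        self.tcp_until = {}  # domain -> time at which UDP may resume

    def _expire(self, now):
        # Attack no longer detected for revert_after seconds: resume UDP.
        for d in [d for d, until in self.tcp_until.items() if now >= until]:
            del self.tcp_until[d]
            self.hits.pop(d, None)

    def unmatched(self, domain, now):
        """Record one unmatched response naming `domain`.

        Returns True when the caller must invalidate in-flight resolution
        state for the domain and restart the resolution over TCP.
        """
        self._expire(now)
        recent = [t for t in self.hits.get(domain, []) if now - t < self.window]
        recent.append(now)
        self.hits[domain] = recent
        if len(recent) < self.threshold:
            return False
        newly = domain not in self.tcp_until
        if newly and len(self.tcp_until) >= self.max_tcp_domains:
            return False  # cap reached: do not grow TCP state further
        self.tcp_until[domain] = now + self.revert_after  # extended while attacked
        return newly

    def transport(self, domain, now):
        """Transport to use for queries about `domain` at time `now`."""
        self._expire(now)
        return "tcp" if domain in self.tcp_until else "udp"
```

   The caller passes the domain names extracted from unmatched
   responses to unmatched() and consults transport() before each
   upstream query.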

   This idea may be well known and some products may implement it
   already.  They may have patents.

   Encryption of DNS traffic, discussed on the dns-privacy mailing list
   [dns-privacy], is a good countermeasure against forged response
   attacks.

5.  Security considerations

   The idea described in Section 4 may introduce a new weak point.
   Attackers can force the full resolver to use TCP transport for a
   domain name by sending a small number of forged responses.  This
   attack increases the full resolver's state and load, and the
   authoritative DNS servers' state.

6.  IANA Considerations

7.  Normative References

   [DK2008]   "DNS 2008 and the new (old) nature of critical
              infrastructure", July 2008,
              <http://www.slideshare.net/dakami/dmk-bo2-k8bhfed>.

   [RFC3833]  Atkins, D. and R. Austein, "DNS Threat Analysis", RFC
              3833, August 2004.

   [Wikipedia_DNS_spoofing]
              "DNS spoofing",
              <http://en.wikipedia.org/wiki/DNS_spoofing>.

Author's Address

   Kazunori Fujiwara
   Japan Registry Services Co., Ltd.
   Chiyoda First Bldg. East 13F, 3-8-1 Nishi-Kanda
   Chiyoda-ku, Tokyo  101-0065
   Japan

   Phone: +81 3 5215 8451
   EMail: fujiwara@jprs.co.jp