
Graduate student: 李昱宏
Li, Yu-Hong
Thesis title: 域名伺服器快取毒害攻擊之新型輕量化防禦方法
New Light-Weight Approach to Mitigate DNS Cache Poisoning Attack
Advisor: 賴溪松
Laih, Chi-Sung
Degree: 碩士
Master
Department: College of Electrical Engineering and Computer Science - Institute of Computer and Communication Engineering
Institute of Computer & Communication Engineering
Year of publication: 2010
Graduating academic year: 98 (ROC calendar)
Language: English
Pages: 100
Keywords (Chinese, translated): Domain Name System; DNS Server Cache Poisoning; DNS Security Extensions
Keywords (English): DNS, DNS Cache Poisoning, DNSSEC
  • The Domain Name System (DNS) is a distributed database system that maps domain names to IP addresses. It lets people use the Internet without having to remember long, complicated IP addresses, and it is an indispensable part of today's network infrastructure: if DNS collapses, this convenient network service ceases to exist. As DNS has grown in importance, more and more network attacks have targeted it. At the 2008 Black Hat conference, veteran security researcher Dan Kaminsky presented a new form of DNS cache poisoning attack, now known as the Kaminsky cache poisoning attack. Within a very short time an attacker can forge DNS packets that carry the correct authentication fields and have the malicious or incorrect information in those packets stored in a Recursive Domain Name Server (R-DNS), thereby altering the recursive server's cache records and affecting a wide area of the network. Since then the DNS cache mechanism has been one of the most fragile parts of DNS, and related security incidents have occurred one after another.
    This thesis proposes a lightweight defense against DNS server cache poisoning attacks: by raising the entropy of DNS packets, it strengthens the verification mechanism between recursive domain name servers and Authoritative Domain Name Servers (A-DNS). Our method places a text resource record (TXT Resource Record, TXT-RR), which the current DNS protocol already supports, together with a randomly generated verification code into the DNS packet, so that every DNS packet exchanged between a recursive server and an authoritative server carries a unique piece of verification information (an authenticated TXT-RR); the recursive server uses this information to verify the source of each DNS packet more accurately. The thesis makes two main contributions: (1) it effectively strengthens a recursive server's ability to withstand cache poisoning attacks and lowers the attack success rate; (2) by comparison with other lightweight defenses, it shows that the proposed method has higher usability.

    The Domain Name System (DNS) is one of the most important systems on the Internet, since it frees users from the requirement of remembering the IP addresses of hosts. Because of the pivotal role of DNS, attacks on it have become more frequent, and once an attack succeeds the damage is significant and far reaching. As demonstrated by Dan Kaminsky's poisoning attack in 2008, attackers can guess the correct authentication entries in DNS packets and update the cache information stored in Recursive DNS servers within a short timeframe. The cache mechanism of DNS is therefore significantly vulnerable, and the robustness of DNS against this kind of attack is an important issue.
    In this thesis, we propose a new lightweight approach to reduce the success rate of DNS cache poisoning attacks. We increase the entropy of every DNS packet exchanged between Recursive DNS servers and Authoritative DNS servers by adding an authenticated TXT Resource Record (TXT-RR) that contains a unique, randomly generated <Random String>. With our approach, Recursive DNS servers can accurately verify whether DNS responses come from valid Authoritative DNS servers or were generated by malicious attackers. The contribution of our approach is twofold: 1) we reduce the success rate of cache poisoning attacks, including Kaminsky's; 2) we compare our approach with other lightweight approaches and demonstrate that our method has higher usability.

    List of Tables VIII
    List of Figures IX
    Chapter 1 Introduction 1
      1.1 Motivation 1
      1.2 Contribution 3
      1.3 To solve the problem 4
      1.4 Thesis Organization 5
    Chapter 2 Background Knowledge 7
      2.1 DNS 7
        2.1.1 Domain Name Space and Domain Name Server 7
        2.1.2 DNS Query Process 11
        2.1.3 Zone Files and Resource Records 14
        2.1.4 DNS Protocol Format 17
      2.2 Potential problems in DNS 20
        2.2.1 Cache Problem 21
        2.2.2 ID Guessing and Query Prediction Attack 23
          2.2.2.1 Kaminsky-class Poisoning Attack 27
        2.2.3 Packet Interception Attack 32
    Chapter 3 Related Work 35
      3.1 Heavyweight Approaches 36
        3.1.1 Approaches Proposed 37
        3.1.2 Discussion 38
      3.2 Lightweight approaches 39
        3.2.1 Client-Side Protection 40
        3.2.2 Server-Side Protection 42
          3.2.2.1 Approaches Proposed 43
          3.2.2.2 Discussion 55
      3.3 Summary 57
    Chapter 4 Approach Rationale 59
      4.1 Authenticated TXT-RR and Additional Section 61
      4.2 Pseudo-Random Number Generator 65
    Chapter 5 System Architecture 67
      5.1 System Architecture and Framework 67
        5.1.1 Data Flow and Packet States of DNS Query 69
        5.1.2 Data Flow and Packet States of DNS Response 70
      5.2 Components 71
        5.2.1 RString Database 72
        5.2.2 Query Module 72
        5.2.3 Transform Module 73
        5.2.4 Response Module 73
        5.2.5 Authentication Module 74
      5.3 Implementation 74
        5.3.1 Traffic Monitor Logic 74
    Chapter 6 Analysis 79
      6.1 From Traditional DNS Cache Poisoning Attack to Kaminsky-class Poisoning Attack 81
      6.2 Robustness Analysis 85
        6.2.1 Robustness of Our Approach 85
        6.2.2 Compare Robustness with other approaches 87
      6.3 Performance Evaluation 90
      6.4 Discussion 91
    Chapter 7 Conclusion and Future Work 93
    References 95


    On campus: public from 2011-07-29
    Off campus: not public
    The electronic thesis has not been authorized for public release; for the printed copy, consult the library catalogue.