DNS Operations (dnsop)                                       K. Fujiwara
Internet-Draft                                                      JPRS
Intended status: Informational                              July 3, 2014
Expires: January 4, 2015


   Detection and countermeasure of forged response cache poisoning
                                attacks
              draft-fujiwara-dnsop-poisoning-measures-00.txt

Abstract

   Although the DNS Security Extensions (DNSSEC) have been implemented,
   cache poisoning is still a big issue.  "ID Guessing and Query
   Prediction" type cache poisoning is detectable on a full resolver.
   TCP transport has strong resistance to cache poisoning attacks.  This
   document proposes improvements to full resolvers for detecting and
   countering forged response cache poisoning attacks.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 4, 2015.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must include Simplified
   BSD License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Simplified BSD License.



Fujiwara                 Expires January 4, 2015                [Page 1]

Internet-Draft      measure of Cache poisoning attacks         July 2014


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Detection . . . . . . . . . . . . . . . . . . . . . . . . . .   2
   3.  Measures to forged response attacks . . . . . . . . . . . . .   3
   4.  Possible solution . . . . . . . . . . . . . . . . . . . . . .   3
   5.  Security considerations . . . . . . . . . . . . . . . . . . .   3
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   4
   7.  Normative References  . . . . . . . . . . . . . . . . . . . .   4

1.  Introduction

   "Threat Analysis of the Domain Name System (DNS)" [RFC3833] described
   "ID Guessing and Query Prediction" and brute force attacks.  Dan
   Kaminsky presented an effective attack method [DK2008].  "Wikipedia
   DNS_spoofing" [Wikipedia_DNS_spoofing] describes concrete attack
   patterns.

   It is difficult to distinguish a forged response from an authentic
   response, as the identity fields such as port number and query ID
   can be guessed easily under certain circumstances.  The "redirect
   the target domain's name server" attack is effective because it
   forges delegation information.  Kaminsky offered the continuation
   attack method to increase the attack probability.

   "Detection" of forged response attacks is described in Section 2.  A
   measure against forged response attacks is described in Section 3.
   A possible solution is described in Section 4.

2.  Detection

   The attacks described in Section 1 hardly ever succeed with a single
   trial.  The probability of success on a single trial is
   1 / (number of Query IDs, 2^16) / (number of ports, 2^16 - 1024) /
   (number of DNS servers of the domain name).
   A full resolver under attack receives many unmatched responses which
   have different query IDs, port numbers, IP addresses, or query names.
   Most of these unmatched responses are cache poisoning attacks.  They
   contain the resource records which attackers want to inject into the
   cache of the full resolver.  Attacked domain names can be picked up
   by parsing the unmatched responses.

   Detailed logs are useful for DNS server operations.  They should
   contain the resource records which attackers want to inject.

   Log aggregation is important since the number of forged responses
   may be very large and logging consumes many resources.  The log
   should contain summarized data: source IP addresses, destination IP
   address, destination port number, query names, query types, and NS
   and glue RRs.

3.  Measures to forged response attacks

   Using TCP as a DNS transport is a good countermeasure against forged
   response attacks.  First, each TCP packet has a 32-bit sequence
   number field, and predicting sequence numbers and controlling timing
   are very hard.  Second, the attacker needs to inject at least two
   packets: one to establish a TCP connection and the other to send a
   forged response.

   Using TCP transport may cause two issues.  First, it increases query
   response time.  Second, it causes performance issues on both full
   resolvers and authoritative DNS servers.

4.  Possible solution

   A feasible measure is a combination of the detection and the use of
   TCP transport.  A full resolver detects forged response attacks as
   described in Section 2.  If an attack is detected, the full resolver
   invalidates the name resolution states which contain the
   target-of-attack domain names and restarts the name resolution using
   TCP transport.  If the forged response attacks stop, the full
   resolver detects this and resumes using UDP transport for the
   attacked domains.
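   The unmatched-response detection and summarized log of Section 2,
   together with the switch to TCP and the return to UDP described in
   this section, as an added Python example (not the draft's code nor
   that of any product); the response dictionary layout, the threshold
   and the quiet period are assumptions:

```python
from collections import Counter, defaultdict

class PoisonGuard:
    """Forged-response detection (Section 2) and UDP-to-TCP fallback (Section 4).
    Added example, not the draft's code; dict layout and thresholds are assumed."""

    def __init__(self, threshold=2, revert_after=5.0):
        self.outstanding = set()          # (server_ip, port, qid, qname, qtype)
        self.summary = Counter()          # (src, dst, dport, qname, qtype) -> hits
        self.injected = defaultdict(set)  # target domain -> RRs the attacker tried to inject
        self.forged = Counter()           # target domain -> forged responses seen
        self.last_forged = {}             # target domain -> time of last forged response
        self.threshold = threshold        # forged responses before switching to TCP
        self.revert_after = revert_after  # quiet seconds before resuming UDP

    def send_query(self, server_ip, port, qid, qname, qtype="A"):
        # A real resolver draws port and qid at random; the caller supplies them here.
        self.outstanding.add((server_ip, port, qid, qname, qtype))

    @staticmethod
    def target_of(r):
        # The attacked domain is the owner of an injected NS record (forged
        # delegation) when present, otherwise the query name itself.
        for owner, rtype, _ in r.get("rrs", ()):
            if rtype == "NS":
                return owner
        return r["qname"]

    def on_response(self, r, now):
        """True if r answers an outstanding query; otherwise aggregate it as forged."""
        key = (r["src"], r["dport"], r["id"], r["qname"], r["qtype"])
        if key in self.outstanding:
            self.outstanding.discard(key)
            return True
        # Unmatched: one summary counter per tuple instead of one log line per packet.
        self.summary[(r["src"], r["dst"], r["dport"], r["qname"], r["qtype"])] += 1
        target = self.target_of(r)
        self.injected[target].update(r.get("rrs", ()))
        self.forged[target] += 1
        self.last_forged[target] = now
        return False

    def transport_for(self, domain, now):
        """'tcp' while the domain is under attack, 'udp' once it has been quiet."""
        last = self.last_forged.get(domain, float("-inf"))
        if now - last >= self.revert_after:   # attack stopped (or never seen): UDP
            self.forged[domain] = 0
            return "udp"
        return "tcp" if self.forged[domain] >= self.threshold else "udp"
```

   With the default threshold of 2, two unmatched responses carrying a
   forged NS record already move the target domain to TCP, which is the
   load-shifting weak point Section 5 describes.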
   The delay before changing transport may be the same value as the
   timeout for waiting for a response from authoritative DNS servers.

   This idea may be well known and some products may implement it
   already.  They may have patents.

   Encryption of DNS traffic, as discussed on the dns-privacy mailing
   list [dns-privacy], is a good countermeasure against forged response
   attacks.

5.  Security considerations

   The idea described in Section 4 may introduce a new weak point.
   Attackers can force the full resolver to use TCP transport for a
   domain name by sending a small number of forged responses.  This
   attack increases the full resolver's state and load, and the
   authoritative DNS servers' state.

6.  IANA Considerations

7.  Normative References

   [DK2008]   Kaminsky, D., "DNS 2008 and the new (old) nature of
              critical infrastructure", July 2008,
              <http://www.slideshare.net/dakami/dmk-bo2-k8bhfed>.

   [RFC3833]  Atkins, D. and R. Austein, "Threat Analysis of the Domain
              Name System (DNS)", RFC 3833, August 2004.

   [Wikipedia_DNS_spoofing]
              "DNS spoofing", <http://en.wikipedia.org/wiki/DNS_spoofing>.

Author's Address

   Kazunori Fujiwara
   Japan Registry Services Co., Ltd.
   Chiyoda First Bldg. East 13F, 3-8-1 Nishi-Kanda
   Chiyoda-ku, Tokyo  101-0065
   Japan

   Phone: +81 3 5215 8451
   EMail: fujiwara@jprs.co.jp