

DNS Spoofing/Poisoning
An Introduction


Prof. David Bernstein
James Madison University

Computer Science Department
bernstdh@jmu.edu


Motivation
  • Pharming:
    • Re-directing one site's traffic to another site
  • DNS Spoofing/Poisoning:
    • A pharming technique that exploits weaknesses in DNS
Recall
  • Recursive Queries:
    • If the DNS server does not know the answer, it will ask another DNS server
    • The answer may be cached
  • Transport Protocol:
    • DNS often uses a connectionless transport protocol that is easy to spoof (specifically, UDP)
The Process
  • Step 1:
    • Make a query that (hopefully) server A can only answer by querying server B
  • Step 2:
    • Send spoofed responses to server A that appear to come from server B (in response to server A's query)
What is Needed in the Spoofed Response
  • Source IP address
    • Known
  • Destination (i.e., authoritative server) IP address
    • Knowable
  • Source port
    • Unknown
  • Destination port
    • Known (i.e., port 53)
  • Transaction ID
    • Unknown
Guessing at the Unknowns
  • Source port
    • 16 bits
    • May not be random
  • Transaction ID
    • 16 bits
    • Generated using a pseudo-random number generator
Worst Case
  • Source port
    • \(2^{16} = 65536\) possibilities, each of which is equally likely
  • Transaction ID
    • \(2^{16} = 65536\) possibilities, each of which is equally likely
  • Probability of a "Correct" Response:
    • Since the two events are independent, \(P\{\text{CorrectResponse}\} = P\{\text{CorrectPort}\} \cdot P\{\text{CorrectID}\} = \frac{1}{65536} \cdot \frac{1}{65536} = \frac{1}{4294967296}\) (i.e., about 1 in 4 billion)
The Probability of a Successful Attack
  • The Probability of One Attack Being Successful Depends On:
    • The amount of time between the request to the authoritative server and the response from the authoritative server (which is on the order of 0.1 sec)
    • The rate at which the attacker can transmit spoofed responses (which is probably on the order of 100000 per sec)
  • The Probability of An Attacker Being Successful Depends On:
    • The amount of time the attacker is willing to devote to the effort
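The two slides above give everything needed to turn the worst-case per-guess probability into a risk estimate, which is how a defender decides whether source-port randomization matters. The following Python is an added example, not part of the original slides; it assumes the slide's figures (a 0.1 s window, 100000 spoofed responses per second, 16-bit port and ID spaces) as defaults, and treats `port_space=1` as a model of a resolver whose source port is fixed or predictable (the "may not be random" case). The function names are this example's own.

```python
import math

def p_single_guess(port_space=2**16, id_space=2**16):
    """Worst case from the slides: one spoofed response must match both
    unknown 16-bit fields, and the two guesses are independent."""
    return 1.0 / (port_space * id_space)

def p_attempt_success(window_s=0.1, rate_per_s=100_000,
                      port_space=2**16, id_space=2**16):
    """P(at least one spoofed response is accepted during one query window).

    Assumption: k = rate * window responses arrive before the genuine answer,
    each an independent guess, so P = 1 - (1 - p)^k.  expm1/log1p keep the
    arithmetic accurate when p is tiny."""
    k = int(rate_per_s * window_s)
    p = p_single_guess(port_space, id_space)
    return -math.expm1(k * math.log1p(-p))

def p_success_within(total_s, window_s=0.1, **kw):
    """P(the attacker succeeds at least once in total_s seconds), assuming one
    attempt (one forced query + its window) per window_s seconds."""
    attempts = int(total_s / window_s)
    p = p_attempt_success(window_s, **kw)
    return -math.expm1(attempts * math.log1p(-p))

def expected_time_to_success(window_s=0.1, **kw):
    """Mean time until the first success: attempts are geometric with mean 1/p."""
    return window_s / p_attempt_success(window_s, **kw)

if __name__ == "__main__":
    print(f"per-guess (both fields random): {p_single_guess():.3e}")
    print(f"per-attempt, random port:        {p_attempt_success():.3e}")
    print(f"per-attempt, fixed port:         {p_attempt_success(port_space=1):.3f}")
    print(f"within 60 s, random port:        {p_success_within(60):.3e}")
    print(f"within 60 s, fixed port:         {p_success_within(60, port_space=1):.6f}")
    hrs = expected_time_to_success() / 3600
    print(f"expected time, random port:      {hrs:.1f} h")
    print(f"expected time, fixed port:       {expected_time_to_success(port_space=1):.2f} s")
```

The contrast is the point: with both fields random, one attempt succeeds about 2 times in a million and the expected time to the first success is on the order of half a day at the slide's rates; with a predictable source port the same rate succeeds roughly one attempt in seven, i.e. within seconds.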
Attacks based on the Birthday "Paradox"
  • The Idea:
    • Make more than one DNS query that will need to be re-sent to the authoritative server
  • The Rationale:
    • The probability that one of the fake responses will correctly spoof one of the requests is higher (i.e., the Birthday "Paradox")
Attacks based on the Birthday "Paradox" (cont.)
What is the probability that a member of a group of size \(n\) has the same birthday as you?


Assuming all birthdays are equally likely, the probability that an individual has the same birthday as you is \(\frac{1}{365}\). Hence, the probability of the complement (i.e., the individual doesn't have the same birthday as you) is \(1 - \frac{1}{365} = \frac{364}{365}\).

So, assuming independence, the probability that \(n\) people don't have the same birthday as you is \((\frac{364}{365})^n\).

Hence, the probability of the complement is \(1 - (\frac{364}{365})^n\).

So, the probability that someone has the same birthday as you for \(n=10\) is about 0.027, for \(n=30\) is about 0.079 and for \(n=50\) is about 0.128.

Attacks based on the Birthday "Paradox" (cont.)
What is the probability that any two people in a group of size \(n\) have the same birthday?


Let \(B_i\) denote the birthday of individual \(i\) and suppose we know the birthday of individual \(1\). Then, as we just saw, the probability that individual \(2\) has the same birthday as individual \(1\) is \(P\{B_2 = B_1\} = \frac{1}{365}\). Hence, the probability of the complement is given by \(P\{B_2 \neq B_1\} = 1 - \frac{1}{365} = \frac{364}{365}\).

The probability that 3's birthday is the same as 1's or 2's, given that 1 and 2 do not have the same birthday, is given by:

\[P\{B_3 = B_2 \text{ or } B_3 = B_1 | B_2 \neq B_1\} = \frac{1}{365} + \frac{1}{365} = \frac{2}{365}\]

Hence, the probability of the complement is given by:

\[P\{B_3 \neq B_2 \neq B_1 | B_2 \neq B_1\} = 1 - \frac{2}{365} = \frac{363}{365}\]

and:

\[P\{B_3 \neq B_2 \neq B_1\} = P\{B_3 \neq B_2 \neq B_1 | B_2 \neq B_1\} \cdot P\{B_2 \neq B_1\} = \frac{364}{365} \cdot \frac{363}{365}\]

Generalizing, the probability that \(n\) individuals have different birthdays is given by:

\[\frac{364 \cdot 363 \cdots (365-n+1)}{365^{n-1}}\]

Multiplying by \(\frac{365}{365}=1\), this probability is given by:

\[\frac{365 \cdot 364 \cdot 363 \cdots (365-n+1)}{365^{n}}\]

This can be re-written as:

\[\frac{365!}{(365-n)!} \cdot \frac{1}{365^n}\]

Thus, the probability of the complement (i.e., that any two people share a birthday) is just:

\[1 - \left(\frac{365!}{(365-n)!} \cdot \frac{1}{365^n}\right)\]

So, the probability that any two people share a birthday for \(n=10\) is about 0.117, for \(n=30\) is about 0.706 and for \(n=50\) is about 0.970.
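The two derivations above (someone sharing your birthday, and any two people sharing a birthday) are both products that are easy to get wrong by hand, so here they are as Python. This is an added example, not from the original slides; it implements exactly the two closed forms derived above, \(1 - (\frac{364}{365})^n\) and \(1 - \frac{365!}{(365-n)!}\cdot\frac{1}{365^n}\), with 365 replaced by a general `space` parameter so the same functions can be applied to the 16-bit transaction-ID space that the slides' attack rationale refers to. That generalization, and the function names, are this example's own assumptions.

```python
import math

def p_same_as_you(n, space=365):
    """P(at least one of n others matches one fixed value)
    = 1 - (1 - 1/space)^n, computed through log1p/expm1 for accuracy."""
    return -math.expm1(n * math.log1p(-1.0 / space))

def p_any_pair(n, space=365):
    """P(at least two of n values coincide)
    = 1 - prod_{i=0}^{n-1} (space - i)/space, the slides' 365!/(365-n)! / 365^n
    written as a product so it never overflows for large `space`."""
    if n > space:
        return 1.0  # pigeonhole: a collision is certain
    log_no_collision = sum(math.log1p(-i / space) for i in range(n))
    return -math.expm1(log_no_collision)

def smallest_n_for(target, space=365):
    """Smallest group size n with p_any_pair(n, space) >= target."""
    n = 1
    while p_any_pair(n, space) < target:
        n += 1
    return n

if __name__ == "__main__":
    for n in (10, 30, 50):
        print(f"n={n:2d}: same as you {p_same_as_you(n):.3f}, "
              f"any pair {p_any_pair(n):.3f}")
    print("n for 50% in 365 days:", smallest_n_for(0.5))
    # Added generalization: 16-bit transaction IDs instead of 365 birthdays.
    print("P(two of 300 random 16-bit IDs collide):", round(p_any_pair(300, 65536), 3))
    print("n for 50% collision among 16-bit IDs:", smallest_n_for(0.5, 65536))
```

Running it reproduces the slide's figures (0.027/0.079/0.128 and 0.117/0.706/0.970) and shows why a "birthday" strategy works against a 16-bit identifier: a few hundred random values already give an even chance of a collision, whereas matching one fixed value with the same number of guesses is far less likely.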

Other Kinds of Pharming
  • Domain Hijacking:
    • Domain name registrations expire
    • If the legitimate owner of a domain name forgets to re-register, another party can register the name and direct traffic to its servers
  • Use of Similar Domain Names/Typosquatting:
    • Register domain names that are similar to the domain name of a "well-known" site (e.g., common misspellings, names involving nearby letters)
  • Bitsquatting:
    • Register domain names that are one bit different from the domain name of a "well-known" site
    • This is tantamount to typosquatting but is motivated by hardware/transmission errors rather than human errors (e.g., a transmission error in one bit changes microsoft.com to micro3oft.com)
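A defender who owns a "well-known" name typically wants the list of its bitsquat variants, so that they can be monitored for registration or registered defensively. The following Python is an added example, not from the original slides: it enumerates every name that differs from the input by one bit in one character and is still a syntactically plausible hostname (letters, digits and hyphens, no label starting or ending with a hyphen). Flips that only change letter case are dropped, since DNS names are case-insensitive, and the separating dots are left untouched; those rules, and the function name, are this example's own choices.

```python
import string

# Characters allowed in a hostname label (LDH: letters, digits, hyphen).
VALID_LABEL_CHARS = set(string.ascii_lowercase + string.digits + "-")

def bitsquat_variants(domain):
    """Return the sorted set of single-bit-flip variants of `domain` that are
    still plausible hostnames.  Each label character is flipped one bit at a
    time; the resulting character must be a valid label character and must
    differ from the original after lower-casing (so 's' -> 'S' is not a
    variant, but 's' -> '3', the slide's microsoft.com -> micro3oft.com, is)."""
    domain = domain.lower()
    labels = domain.split(".")
    variants = set()
    for li, label in enumerate(labels):
        for ci, ch in enumerate(label):
            for bit in range(8):
                flipped = chr(ord(ch) ^ (1 << bit)).lower()
                if flipped == ch or flipped not in VALID_LABEL_CHARS:
                    continue
                new_label = label[:ci] + flipped + label[ci + 1:]
                if new_label.startswith("-") or new_label.endswith("-"):
                    continue
                new_labels = labels[:li] + [new_label] + labels[li + 1:]
                variants.add(".".join(new_labels))
    return sorted(variants)

def flipped_bit(original, variant):
    """For a variant produced above, report (position, bit) of the single flip.
    Returns None if the two names do not differ in exactly one bit."""
    if len(original) != len(variant):
        return None
    diffs = [(i, ord(a) ^ ord(b)) for i, (a, b) in enumerate(zip(original, variant)) if a != b]
    if len(diffs) != 1 or bin(diffs[0][1]).count("1") != 1:
        return None
    pos, xor = diffs[0]
    return pos, xor.bit_length() - 1

if __name__ == "__main__":
    names = bitsquat_variants("microsoft.com")
    print(len(names), "bitsquat candidates, e.g.:", names[:8])
    print("micro3oft.com flip:", flipped_bit("microsoft.com", "micro3oft.com"))
```

The output confirms the slide's example: `micro3oft.com` is in the list, and `flipped_bit` reports that it differs from `microsoft.com` in bit 6 of the 's' (0x73 versus 0x33). The candidate list is the input to a monitoring job that checks which of these names resolve or have been registered.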
There's Always More to Learn