Cases of IP Address Spoofing and Web Spoofing —

Total Page:16

File Type:pdf, Size:1020Kb

Cases of IP Address Spoofing and Web Spoofing — 3-3 StudiesonCountermeasuresforThwarting SpoofingAttacks—CasesofIPAddress SpoofingandWebSpoofing— MIYAMOTO Daisuke, HAZEYAMA Hiroaki, and KADOBAYASHI Youki This article intends to give case studies for of thwarting spoofing attack. Spoofing is widely used when attackers attempt to increase the success rate of their cybercrimes. In the context of Denial of Service (DoS) attacks, IP address spoofing is employed to camouflage the attackers’ location. In the context of social engineering, Web spoofing is used to persuade victims into giv- ing away personal information. A Web spoofing attacker creates a convincing but false copy of the legitimate enterprises’ web sites. The forged websites are also known as phishing sites. Our research group developed the algorithms, systems, and practices, all of which analyze cybercrimes that employ spoofing techniques. In order to thwart DoS attacks, we show the deployment scenario for IP traceback systems. IP traceback aims to locate attack source, regardless of the spoofed source IP addresses. Unfortunately, IP traceback requires that its sys- tems are widely deployed across the Internet. We argue the practical deployment scenario within Internets of China, Japan, and South Korea. We also develop a detection method for phishing sites. Currently, one of the most important research agenda to counter phishing is improving the accuracy for detecting phishing sites. Our approach, named HumanBoost, aims at improving the detection accuracy by utilizing Web users’ past trust decisions. Based on our subject experiments, we analyze the average detection accuracy of both HumanBoost and CANTINA. Keywords IP spoofing, Web spoofing, Internet emulation, IP traceback, Machine learning 1 Introduction measures. IP traceback aims to locate attack sources, regardless of the spoofed source IP DoS attacks exhaust the resources of addresses. Several IP traceback methods have remote hosts or networks that are otherwise been proposed [1]‒[3]; especially Source Path accessible to legitimate users. Especially, a Isolation Engine (SPIE)[3] is a feasible solu- flooding attack is the typical example of DoS tion for tracing individual attack packets. How- attacks. In the case of the flooding attack, the ever, SPIE requires that its systems are widely attackers often used the source IP address deployed across the Internet for enhancing spoofing technique. IP address spoofing can traceability. Traceability would decrease to a be defined as the intentional misrepresenta- minimum if there were only a few routers that tion of the source IP address in an IP packet in support SPIE. order to conceal the sender of the packet or to Web spoofing, also known as phishing, is impersonate another computing system. There- a form of identity theft in which the targets are fore, it is difficult to identify the actual source users rather than computer systems. A phish- of the attack packets using traditional counter- ing attacker attracts victims to a spoofed web- MIYAMOTO Daisuke et al. 99 site, a so-called phishing site, and attempts to ASes in a random manner. Castelucio et al. persuade them to provide their personal infor- mentioned that IP-TBS should be deployed mation. To deal with phishing attacks, a heu- along with intent[5]. In their proposed “strate- ristics-based detection method has begun to gic placement”, IP-TBSs should be deployed garner attention. A heuristic is an algorithm to in order of BGP neighbors. Hazeyama et al. identify phishing sites based on users’ experi- proposed to emulate the Internet topology[6] ence, and checks whether a site appears to be that resembles the current Internet topology a phishing site. Based on the detection result observed by CAIDA[7]. Hazeyama et al. also from each heuristic, the heuristic-based solu- introduced four types of deployment scenario tion calculates the likelihood of a site being a and estimated the traceability in the case of phishing site and compares the likelihood with Japanese Internet topology[8]. the defined discrimination threshold. However, Herein, we evaluated the traceability in current heuristic solutions are far from suitable China, Japan, and South Korea Internet using use due to the inaccuracy of detection. AS-level deployment. In our simulation, we In this paper, we describe our two con- created three types of emulated network topol- tributions for thwarting IP address spoofing ogies that resemble China, Japan, and South and Web spoofing, respectively. Chapter 2 Korea, respectively. We also prepare four types describes the deployment scenario for IP trace- of deployment scenario, namely, deployment in back systems. Chapter 3 figures out a detec- core ASes, leaf ASes, middle-class ASes, and tion method of phishing sites which aims at deployment in a random manner. improving the detection accuracy. Chapter 4 concludes our findings. 2.2 Simulationoftracebackdeployment Deployment of the IP-TBS should be con- 2 DeploymentscenarioforIP sidered along with the type of network topol- tracebacksystems ogy. Let us assume that a network has a star topology and that the IP-TBS is deployed in 2.1 Background the central node. In this case, all ASes and AS Several IP traceback methods have been links can be traced. proposed [1]‒[3]. Especially, Source Path Isola- In this section, we measure the trace- tion Engine (SPIE)[3] is a feasible solution for ability with deployment simulation. First, we tracing individual attack packets, however it explain the two classes of traceability used in requires large-scale deployment. our simulation. We then introduce three types Several researchers[4]‒[6] have proposed of outfitted Internet topologies, i.e., emulated autonomous system (AS)-level deployment to inter-AS topologies in China, Japan, and South facilitate global deployment of IP traceback Korea. We also introduce four types of deploy- systems (IP-TBSs). In this case, it is necessary ment scenarios. to deploy an IP-TBS into each AS instead of 2.2.1 Metrics implementing the SPIE in each router. Since We selected traceability as a performance the IP-TBS monitors the traffic between the metric. There are two principal classes of AS border routers and exchanges information traceability: packet traceability and path for tracing packets, the traceback client can traceability. Traceability in the first class is identify the source AS of the packets. that the system can specify the AS number However, the traceability can be easily where the issued IP packet is generated. The affected by the types of network topology and/ second class, path traceability, is that the sys- or the deployment scenario. Gong et al. simu- tem can designate the datalink of the AS bor- lated traceability by using three types of net- der. work topologies[4], but their deployment sce- To calculate the traceability, we refer to nario was the random placement; they selected the deployment case of previous study[8]. In 100 Journal of the National Institute of Information and Communications Technology Vol. 58 Nos. 3/4 2011 [8], the traceability had been defined in Equa- region. tion (1), where NS denotes the number of strict In our simulation, we employ the snapshot ASes, NL denotes the number of loose ASes, of CAIDA AS Relationship Database (ASRD) and N denotes the amount number of ASes in published on November 22, 2008. The data- the network topology. set can be summarized as shown in Table 1. Because there are loose ASes located outside (N + N ) S L (1) of each region, the number of deployment tar- Tpacket = N get AS and traceback target AS are different. A strict AS is an AS where an IP-TBS is Note that CAIDA extensively surveys AS rela- deployed. A loose AS is an AS where the IP- tionships, however, some types of BGP peering TBS is not deployed but the neighboring AS is styles such as private peering hinder the cre- a strict AS. Because of border tracking in typi- ation of a perfect ASRD. cal IP-TBS[9], Hazeyama et al. recognized that 2.2.3 Simulationscenarios a loose AS can be traced within the traceback We consider four types of deployment sce- architecture. narios as follows. Furthermore, the path traceability is shown in Equation (2) where LS denotes the num- S1: Deployment in order of core ASes ber of strict AS links, LL denotes the number In the ideal scenario, IP-TBSs are deployed of loose AS links, and L denotes the amount into the core ASes. Since the core ASes are number of AS links in the network topology. interconnected to many BGP neighbors, the traceback system can handle many ASes and (LS + LL ) Tlink = (2) AS links. Hence, traceability is expected to be L high even if the number of deployed traceback In a strict AS link, both peered ASes system is low. deploy the IP-TBS. In a loose AS link, on Although various criteria need to be satis- the other hand, an AS that deploy an IP-TBS fied for identifying the network core, we used is interconnected to another AS that does not the number of BGP peers as a metric. In this deploy an IP-TBS. scenario, the traceback system is deployed to 2.2.2 Networktopology ASes in the decreasing order of the number of We employ the emulated network topolo- established BGP peers. gies for several regions. Basically, every trace- back method can be used to construct attack S2: Deployment in order of leaf ASes paths. Hence, with the use of such traceback In this scenario, IP-TBSs are deployed to methods, communication privacy may be ASes in the increasing order of the number of affected. Because of diverse legal interpreta- established BGP peers. Since the IP-TBSs will tions of privacy, deployment across country trace fewer ASes and AS links in this case, border may not be easy. As the first step in traceability will be low. However, attacker deployment simulation, we selected the emu- lated topologies of China, Japan, and South Korea.
Recommended publications
  • How to Analyze the Cyber Threat from Drones
    C O R P O R A T I O N KATHARINA LEY BEST, JON SCHMID, SHANE TIERNEY, JALAL AWAN, NAHOM M. BEYENE, MAYNARD A. HOLLIDAY, RAZA KHAN, KAREN LEE How to Analyze the Cyber Threat from Drones Background, Analysis Frameworks, and Analysis Tools For more information on this publication, visit www.rand.org/t/RR2972 Library of Congress Cataloging-in-Publication Data is available for this publication. ISBN: 978-1-9774-0287-5 Published by the RAND Corporation, Santa Monica, Calif. © Copyright 2020 RAND Corporation R® is a registered trademark. Cover design by Rick Penn-Kraus Cover images: drone, Kadmy - stock.adobe.com; data, Getty Images. Limited Print and Electronic Distribution Rights This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited. Permission is given to duplicate this document for personal use only, as long as it is unaltered and complete. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial use. For information on reprint and linking permissions, please visit www.rand.org/pubs/permissions. The RAND Corporation is a research organization that develops solutions to public policy challenges to help make communities throughout the world safer and more secure, healthier and more prosperous. RAND is nonprofit, nonpartisan, and committed to the public interest. RAND’s publications do not necessarily reflect the opinions of its research clients and sponsors. Support RAND Make a tax-deductible charitable contribution at www.rand.org/giving/contribute www.rand.org Preface This report explores the security implications of the rapid growth in unmanned aerial systems (UAS), focusing specifically on current and future vulnerabilities.
    [Show full text]
  • Final Report
    Augment Spoofer Project to Improve Remediation Efforts (ASPIRE) Final Report Dr. Kimberly Claffy and Dr. Matthew Luckie September 21, 2020 Table of Contents A Executive Summary 2 B Problem: Long-standing vulnerability that threatens U.S. critical infrastructure 3 C Technical Approach 3 D Development Deliverables 6 D.1 Extend visibility capabilities to infrastructure behindNATs............. 6 D.2 SupportforAS-levelopt-innotificationsystem . ............ 7 D.3 Automated monthly reports to regional operator mailing lists............ 7 D.4 Maintainspooferoperations . ...... 8 E Analysis of Remediation Efforts 10 E.1 Impactofprivatenotificationsonremediation . ............ 10 E.2 Impact of public (“name-and-shame”) notifications . ............. 10 F Technology Transition and Commercialization 12 F.1 Commercializationopportunities . ......... 12 F.2 Expansiontoothermeasurementplatforms . ......... 12 G Overcoming misaligned incentives to deploy SAV 12 G.1 Impactofexogenousinterventions . ........ 13 G.2 Liability,insurance,andindustrystandards . ............. 13 G.3 Regulatingtransparency . ..... 14 G.4 Regulatinggovernmentprocurement . ........ 14 G.5 Stickydefaults: vendorSAVresponsibility . ............ 15 H Deliverables 17 A Executive Summary 1. Performer: University of California, San Diego (UCSD) & University of Waikato, NZ 2. Award: DHS S&T contract 140D7018C0010. 3. Period of Performance: 1 Sept 2018 - 19 Sept 2020. Despite source IP address spoofing being a known vulnerability – arguably the greatest archi- tectural vulnerability in the TCP/IP protocol suite as designed – for close to 30 years, and despite many efforts to shed light on the problem, spoofing remains a viable attack method for redirection, amplification, and anonymity. While some application-layer patches can mitigate these attacks, attackers continuously search for new vectors. To defeat DDoS attacks requires operators to en- sure their networks filter packets with spoofed source IP addresses, a best current practice (BCP) known as source address validation (SAV).
    [Show full text]
  • An Email Application with Active Spoof Monitoring and Control
    2016 International Conference on Computer Communication and Informatics (ICCCI -2016), Jan. 07 – 09, 2016, Coimbatore, INDIA An Email Application with Active Spoof Monitoring and Control T.P. Fowdur, Member IEEE and L.Veerasoo [email protected] [email protected] Department of Electrical and Electronic Engineering University of Mauritius Mauritius Abstract- Spoofing is a serious security issue for email overview of some recent anti-spoofing mechanisms is now applications. Although several anti-email spoofing techniques presented have been developed, most of them do not provide users with sufficient control and information on spoof attacks. In this paper In [11], the authors proposed an anti-spoofing scheme for IP a web-based client oriented anti-spoofing email application is packets which provides an extended inter-domain packet filter proposed which actively detects, monitors and controls email architecture along with an algorithm for filter placement. A spoofing attacks. When the application detects a spoofed security key is first placed in the identification field of the IP message, it triggers an alert message and sends the spoofed header and a border router checks the key on the source message into a spoof filter. Moreover, the user who has received packet. If this key corresponds to the key of the target packet, the spoofed message is given the option of notifying the real sender of the spoofing attack. In this way an active spoof control the packet is considered valid, else it is flagged as a spoofed is achieved. The application is hosted using the HTTPS protocol packet. A Packet Resonance Strategy (PRS) which detects and uses notification messages that are sent in parallel with email different types of spoofing attacks that use up the resources of messages via a channel that has been secured by the Secure the server or commit data theft at a datacenter was proposed in Socket Layer (SSL) protocol.
    [Show full text]
  • Firewalls and Vpns
    Firewalls and VPNs Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 [email protected] Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-17/ Washington University in St. Louis http://www.cse.wustl.edu/~jain/cse571-17/ ©2017 Raj Jain 23-1 Overview 1. What is a Firewall? 2. Types of Firewalls 3. Proxy Servers 4. Firewall Location and Configuration 5. Virtual Private Networks These slides are based on Lawrie Brown’s slides supplied with William Stalling’s th book “Cryptography and Network Security: Principles and Practice,” 7 Ed, 2017. Washington University in St. Louis http://www.cse.wustl.edu/~jain/cse571-17/ ©2017 Raj Jain 23-2 What is a Firewall? Interconnects networks with differing trust Only authorized traffic is allowed Auditing and controlling access Can implement alarms for abnormal behavior Provides network address translation (NAT) and usage monitoring Implements VPNs Washington University in St. Louis http://www.cse.wustl.edu/~jain/cse571-17/ ©2017 Raj Jain 23-3 Firewall Limitations Cannot protect from attacks bypassing it E.g., sneaker net, utility modems, trusted organisations, trusted services (e.g., SSL/SSH) Cannot protect against internal threats E.g., disgruntled or colluding employees Cannot protect against access via Wireless LAN If improperly secured against external use, e.g., personal hot spots Cannot protect against malware imported via laptops, PDAs, and storage infected outside Washington University in St. Louis http://www.cse.wustl.edu/~jain/cse571-17/ ©2017 Raj Jain 23-4 Firewalls – Packet Filters Examine each IP packet (no context) and permit or deny according to rules Washington University in St.
    [Show full text]
  • GNSS Spoofing
    COMPANY CONFIDENTIAL NLR-CR-2019-001-PT-1-RevEd-1 | June 2019 GNSS spoofing Revised Edition CUSTOMER: Agentschap Telecom NLR – Netherlands Aerospace Centre Netherlands Aerospace Centre NLR is a leading international research centre for aerospace. Bolstered by its multidisciplinary expertise and unrivalled research facilities, NLR provides innovative and integral solutions for the complex challenges in the aerospace sector. NLR's activities span the full spectrum of Research Development Test & Evaluation (RDT & E). Given NLR's specialist knowledge and facilities, companies turn to NLR for validation, verification, qualification, simulation and evaluation. NLR thereby bridges the gap between research and practical applications, while working for both government and industry at home and abroad. NLR stands for practical and innovative solutions, technical expertise and a long-term design vision. This allows NLR's cutting edge technology to find its way into successful aerospace programs of OEMs, including Airbus, Embraer and Pilatus. NLR contributes to (military) programs, such as ESA's IXV re-entry vehicle, the F-35, the Apache helicopter, and European programs, including SESAR and Clean Sky 2. Founded in 1919, and employing some 600 people, NLR achieved a turnover of 76 million euros in 2017, of which 81% derived from contract research, and the remaining from government funds. For more information visit: www.nlr.nl COMPANY CONFIDENTIAL NLR-CR-2019-001-PT-1-RevEd-1 | June 2019 GNSS spoofing Revised Edition CUSTOMER: Agentschap Telecom AUTHOR(S): J.J.P. van Es NLR J.D. van Bruggen-van Putten NLR H.D. Zelle NLR NLR - Netherlands Aerospace Centre June 2019 | NLR-CR-2019-001-PT-1-RevEd-1 COMPANY CONFIDENTIAL No part of this report may be reproduced and/or disclosed, in any form or by any means without the prior written permission of the owner.
    [Show full text]
  • Anti Spoofing
    Anti-Spoofing What is Spoofing? In simple terms, A technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host. Types Of Spoofing Attacks IP Address ARP DNS Spoofing Spoofing Spoofing IP Address Spoofing Attacks • IP address spoofing is one of the most frequently used spoofing attack methods. • An attacker sends IP packets from a false (or “spoofed”) source address in order to disguise itself. ARP Spoofing Attacks • ARP is short for Address Resolution Protocol, a protocol that is used to resolve IP addresses to MAC (Media Access Control) addresses for transmitting data. • In this attack, a malicious party sends spoofed ARP messages across a local area network in order to link the attacker’s MAC address with the IP address of a legitimate member of the network. • ARP spoofing only works on local area networks that use the Address Resolution Protocol. DNS Server Spoofing Attacks • The Domain Name System (DNS) is a system that associates domain names with IP addresses. • In a DNS server spoofing attack, a malicious party modifies the DNS server in order to reroute a specific domain name to a different IP address. • In such cases, the new IP address will be for a server that is actually controlled by the attacker and contains files infected with malware. • DNS server spoofing attacks are often used to spread computer worms and viruses. Anti-Spoofing Antispoofing is a technique for identifying and dropping packets that have a false source address.
    [Show full text]
  • Clickjacking: Attacks and Defenses
    Clickjacking: Attacks and Defenses Lin-Shung Huang Alex Moshchuk Helen J. Wang Carnegie Mellon University Microsoft Research Microsoft Research [email protected] [email protected] [email protected] Stuart Schechter Collin Jackson Microsoft Research Carnegie Mellon University [email protected] [email protected] Abstract such as a “claim your free iPad” button. Hence, when Clickjacking attacks are an emerging threat on the web. the user “claims” a free iPad, a story appears in the user’s In this paper, we design new clickjacking attack variants Facebook friends’ news feed stating that she “likes” the using existing techniques and demonstrate that existing attacker web site. For ease of exposition, our description clickjacking defenses are insufficient. Our attacks show will be in the context of web browsers. Nevertheless, the that clickjacking can cause severe damages, including concepts and techniques described are generally applica- compromising a user’s private webcam, email or other ble to all client operating systems where display is shared private data, and web surfing anonymity. by mutually distrusting principals. We observe the root cause of clickjacking is that an Several clickjacking defenses have been proposed and attacker application presents a sensitive UI element of a deployed for web browsers, but all have shortcomings. target application out of context to a user (such as hiding Today’s most widely deployed defenses rely on frame- the sensitive UI by making it transparent), and hence the busting [21, 37], which disallows a sensitive page from user is tricked to act out of context. To address this root being framed (i.e., embedded within another web page).
    [Show full text]
  • Towards Remediating Ddos Attacks
    Towards Remediating DDoS Attacks Arturs Lavrenovs NATO CCDCOE, Tallinn, Estonia [email protected] DOI: 10.34190/IWS.21.046 Abstract: The Internet infrastructure has been struggling with distributed denial­of­service (DDoS) attacks for more than two decades. This paper reviews aspects of current remediation strategies for reflected amplified DDoS attacks and identifies elements that are insufficiently researched which might be hindering remediation efforts. It identifies additional actors who should be playing a role in these efforts and reviews their incentives and motivation. The issue has long been whether it is possible to remediate abused protocols faster than the protocols get deprecated while devices using them remain functional until the end of their life. It now appears that it is. The Memcache protocol attack capacity was only 319 Mbps in May 2020 but it was 1.7 Tbps only two years previously. Thus it can be considered fully remediated. The paper examines why this was a successful remediation effort and whether it could be applied to other commonly abused protocols by using the reflector capacity measurement methodology. In contrast, the long­term abused DNS protocol has not seen a significant drop in capacity, which is lingering around 27.5 Tbps. Keywords: DDoS attacks, DDoS attack capacity, DDoS attack remediation, reflectors, amplifiers 1. Introduction The first DDoS network attack was two decades ago and was soon followed by reflected amplified DDoS attacks that have been plaguing the Internet ever since. Although the number of reflectors observed by scanning projects has been steadily decreasing, the attack capacity is ever­growing and is setting new records.
    [Show full text]
  • Proposed Methods of IP Spoofing Detection & Prevention
    International Journal of Science and Research (IJSR), India Online ISSN: 2319-7064 Proposed Methods of IP Spoofing Detection & Prevention Sharmin Rashid1, Subhra Prosun Paul2 1, 2World University of Bangladesh, Dhanmondi, Dhaka, Bangladesh Abstract: In computer networking, the term IP address spoofing or IP spoofing refers to the creation of Internet Protocol (IP) packets with a forged source IP address, called spoofing, with the purpose of concealing the identity of the sender or impersonating another computing system. On January 22, 1995, in an article entitled, ―New form of attack on computers linked to Internet is uncovered, John Markoff of the New York Times reported on the TCP/IP protocol suite's security weakness known as IP spoofing. The IP spoofing security weakness was published by S. M. Bellovin (1989). However, not much attention has been paid to the security weaknesses of the TCP/IP protocol by the general public. This is changing as more people and companies are connecting to the Internet to conduct business. This paper is on ― “Proposed methods of IP Spoofing Detection & Prevention”. This paper contains an overview of IP address and IP Spoofing and its background. It also shortly discusses various types of IP Spoofing, how they attack on communication system. This paper also describes some methods to detection and prevention methods of IP spoofing and also describes impacts on communication system by IP Spoofing. We think that our proposed methods will be very helpful to detect and stop IP spoofing and give a secured communication system. Keywords: IP address, IP Spoofing, TCP/IP, Compression, Cryptography 1.
    [Show full text]
  • On the Security of Single Sign-On
    On the Security of Single Sign-On Vladislav Mladenov (Place of birth: Pleven/Bulgaria) [email protected] 30th June 2017 Ruhr-University Bochum Horst G¨ortz Institute for IT-Security Chair for Network and Data Security Dissertation zur Erlangung des Grades eines Doktor-Ingenieurs der Fakult¨atf¨urElektrotechnik und Informationstechnik an der Ruhr-Universit¨atBochum First Supervisor: Prof. Dr. rer. nat. J¨org Schwenk Second Supervisor: Prof. Dr.-Ing. Felix Freiling www.nds.rub.de Abstract Single Sign-On (SSO) is a concept of delegated authentication, where an End- User authenticates only once at a central entity called Identity Provider (IdP) and afterwards logs in at multiple Service Providers (SPs) without reauthenti- cation. For this purpose, the IdP issues an authentication token, which is sent to the SP and must be verified. There exist different SSO protocols, which are implemented as open source libraries or integrated in commercial products. Google, Facebook, Microsoft and PayPal belong to the most popular SSO IdPs. This thesis provides a comprehensive security evaluation of the most popular and widely deployed SSO protocols: OpenID Connect, OpenID, and SAML. A starting point for this research is the development of a new concept called malicious IdP, where a maliciously acting IdP is used to attack SSO. Generic attack classes are developed and categorized according to the requirements, goals, and impact. These attack classes are adapted to different SSO proto- cols, which lead to the discovery of security critical vulnerabilities in Software- as-a-Service Cloud Providers, eCommerce products, web-based news portals, Content-Management systems, and open source implementations.
    [Show full text]
  • DNS and the DNS Cache Poisoning Attack
    Lecture 17: DNS and the DNS Cache Poisoning Attack Lecture Notes on “Computer and Network Security” by Avi Kak ([email protected]) June 25, 2021 3:21pm ©2021 Avinash Kak, Purdue University Goals: The Domain Name System BIND Configuring BIND Running BIND on your Ubuntu laptop Light-Weight Nameservers (and how to install them) DNS Cache Poisoning Attack Writing Perl and Python code for cache poisoning attacks Dan Kaminsky’s More Virulent DNS Cache Poisoning Attack CONTENTS Section Title Page 17.1 Internet, Harry Potter, and the Magic of DNS 3 17.2 DNS 5 17.3 An Example That Illustrates Extensive DNS 13 Lookups in Even the Simplest Client-Server Interactions 17.4 The Domain Name System and The dig Utility 28 17.5 host, nslookup, and whois Utilities for Name 42 Lookup 17.6 Creating a New Zone and Zone Transfers 45 17.7 DNS Cache 48 17.7.1 The TTL Time Interval 51 17.8 BIND 56 17.8.1 Configuring BIND 58 17.8.2 An Example of the named.conf Configuration File 64 17.8.3 Running BIND on Your Ubuntu Laptop 68 17.9 What Does it Mean to Run a Process in a 70 chroot Jail? 17.10 Phishing versus Pharming 73 17.11 DNS Cache Poisoning 74 17.12 Writing Perl and Python Code for Mounting a 81 DNS Cache Poisoning Attack 17.13 Dan Kaminsky’s More Virulent Exploit for 92 DNS Cache Poisoning 17.14 Homework Problems 99 Computer and Network Security by Avi Kak Lecture 17 Back to TOC 17.1 INTERNET, HARRY POTTER, AND THE MAGIC OF DNS If you have read Harry Potter, you are certainly familiar with the use of owl mail by the wizards and the witches.
    [Show full text]
  • 2013  2013 5Th International Conference on Cyber Conflict
    2013 2013 5th International Conference on Cyber Conflict PROCEEDINGS K. Podins, J. Stinissen, M. Maybaum (Eds.) 4-7 JUNE 2013, TALLINN, ESTONIA 2013 5TH INTERNATIONAL CONFERENCE ON CYBER CONFLICT (CYCON 2013) Copyright © 2013 by NATO CCD COE Publications. All rights reserved. IEEE Catalog Number: CFP1326N-PRT ISBN 13 (print): 978-9949-9211-4-0 ISBN 13 (pdf): 978-9949-9211-5-7 ISBN 13 (epub): 978-9949-9211-6-4 Copyright and Reprint Permissions No part of this publication may be reprinted, reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of the NATO Cooperative Cyber Defence Centre of Excellence ([email protected]). This restriction does not apply to making digital or hard copies of this publication for internal use within NATO, and for personal or educational use when for non-profit or non- commercial purposes, providing that copies bear this notice and a full citation on the first page as follows: [Article author(s)], [full article title] 2013 5th International Conference on Cyber Conflict K. Podins, J. Stinissen, M. Maybaum (Eds.) 2013 © NATO CCD COE Publications Printed copies of this publication are available from: NATO CCD COE Publications Filtri tee 12, 10132 Tallinn, Estonia Phone: +372 717 6800 Fax: +372 717 6308 E-mail: [email protected] Web: www.ccdcoe.org Layout: Marko Söönurm Legal Notice: This publication contains opinions of the respective authors only. They do not necessarily reflect the policy or the opinion of NATO CCD COE, NATO, or any agency or any government.
    [Show full text]