
Dqb@first ac 2013_lt

Annual FIRST Conference 2013 LT presentation


  1. DQB – DNS Query Blocker. Kunio Miyamoto. Twitter: @wakatono. Facebook: www.facebook.com/wakatono. Copyright by Kunio Miyamoto.
  2. DQB – DNS Query Blocker (in fact, it fakes the DNS response rather than blocking the DNS query).
  3. Introducing myself ☺ It's a joke ☺ A member and session chair of the Kyoto 2012 FIRST TC Committee.
  4. Phishing makes malicious sites look like real service sites. Reference: http://www.atmarkit.co.jp/fsecurity/special/65phishing/phishing01.html
  5. MITB viruses inject malicious forms into real content. Reference: http://www.smbc.co.jp/security/popup.html
  6. Common spec: malicious hosts exist
     • The attacker prepares a host to receive victims' data, such as banking information.
     • Most malicious hosts have their own FQDN.
     • IP addresses change over the hosts' lifecycle.
       – Stopping access to malicious hosts that have fixed IP addresses is easy, because many takedown technologies exist.
  7. Modern attacks triggered by web access. Which is better, the left "Google" or the right "Google"? Both sites are better (correct) web sites ☺
  8. How to avoid accessing a malicious host?
     • Block access at the HTTP/HTTPS proxy server by using a blacklist
       – The load on the proxy rises!
     • Takedown by ISPs and various service providers
       – Sometimes a long discussion is needed
     • Temporarily:
       – Stop access by using a fake DNS response
     • I assume this is used at the edge network (fake response from the nearest DNS cache server)
  9. How to make a fake DNS response?
     1. Capture the DNS request.
     2. Decide whether the response to the captured request must be faked or not.
     3. Get the request ID, source IP/port, destination IP/port, and request content.
     4. Make the fake response packet from the information of 2.
     5. Send the fake response to the client as soon as possible!
  10. Concept Diagram
  11. Proof of Concept: about 1ms from when the request packet is captured to when the response packet (faked) is captured.
  12. Normal Request/Response: about 10ms from when the request packet is captured to when the response packet (faked) is captured. I defeated the real DNS response speed ☺ DNS Response Chicken Race!
  13. Name resolution steps interfered with by DQB:
     1. The DNS request is sent by the client.
     2. The fake DNS response is sent by DQB.
     3. The real DNS response is sent by the DNS cache.
     One request for two responses!
  14. Research now in progress
     • I'm developing and evaluating the concept of DNS Query Blocker
       – Using linear search to find the DNS query whose response is to be faked takes 1ms to search 10000 hosts to be blocked
     • Ideas for more (for example): countering with a fake response to requests for domain names generated by a DGA (Domain Generation Algorithm)
     What we call "Future Work" ☺
  15. LIMITATION!
     • Of course, this mechanism is not suitable for faking DNS responses signed by the DNSSEC mechanism.
  16. Thank you! @wakatono. If possible, any questions are welcome via email or Twitter. Of course, also at the banquet or any networking time ☺ Special thanks to: my friends (they are illustrators in Japan).
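
Steps 2 to 4 of the procedure on slide 9, as an added example that is not code from the presentation: it takes the UDP payload of a captured DNS query, decides from a blocklist whether to answer, and builds a sinkhole A record that reuses the request ID and question. The function names, the blocklist entry and the sinkhole address 192.0.2.1 are assumptions, a hash set stands in for the linear search mentioned on slide 14, and capturing and sending packets is out of scope.

```python
import socket
import struct

SINKHOLE_IP = "192.0.2.1"        # assumption: documentation address used as sinkhole
BLOCKED = {"malicious.example"}  # constructed blocklist; hash set, not a linear search

def parse_question(query: bytes):
    """Return (request ID, lowercase FQDN, qtype, qclass, offset past the question)."""
    if len(query) < 12:
        raise ValueError("shorter than a DNS header")
    req_id, flags, qdcount = struct.unpack("!HHH", query[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    labels, pos = [], 12
    while True:
        if pos >= len(query):
            raise ValueError("truncated name")
        length = query[pos]
        pos += 1
        if length == 0:
            break
        if length > 63:  # compression pointers do not belong in a query name
            raise ValueError("unexpected label type")
        labels.append(query[pos:pos + length].decode("ascii").lower())
        pos += length
    if pos + 4 > len(query):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", query[pos:pos + 4])
    return req_id, ".".join(labels), qtype, qclass, pos + 4

def sinkhole_response(query: bytes):
    """Return response bytes for a blocked A/IN query, or None to leave it alone."""
    try:
        req_id, name, qtype, qclass, end = parse_question(query)
    except ValueError:
        return None
    if (qtype, qclass) != (1, 1) or name not in BLOCKED:
        return None
    rd = struct.unpack("!H", query[2:4])[0] & 0x0100  # copy the RD bit from the request
    header = struct.pack("!HHHHHH", req_id, 0x8080 | rd, 1, 1, 0, 0)  # QR=1, RA=1
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(SINKHOLE_IP)
    return header + query[12:end] + answer  # question section is echoed unchanged

def build_query(req_id: int, fqdn: str) -> bytes:  # constructed sample input
    qname = b"".join(bytes([len(l)]) + l.encode() for l in fqdn.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", req_id, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
```

A validating resolver would reject this unsigned answer for a DNSSEC-signed zone, which is the limitation stated on slide 15.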
