Network security and Protocols Assignment

Added on 2021-08-10

Network security and Protocols
Exploring DNS/DHCP, IPSec/TLS and UTM/SIEM
Amey U. Parulkar, UWL
MSc Cyber Security
Network security and Protocols Assignment_1
DHCP and DNS
DHCP and DNS: An Introduction
What is DHCP?
DHCP, commonly known as the Dynamic Host Configuration Protocol, is used in networks to
assign IP addresses and IP-related information to network devices. These can range from
servers or personal computers to handheld devices such as mobile phones. It can also prove
useful for TCP/IP-level services such as automatic software upgrades.
DHCP vs DNS: What are they, What’s their Differences by John [2018] Image Credit: FS Community
DHCP Server – The job of a DHCP server is to automatically assign IP addresses to client devices.
In large networks the addresses assigned to clients should be dynamic: a dynamic IP address has a
lease that expires, after which the client is assigned a different unique IP address for its next
session.
DHCP Client – Clients are devices that require connectivity to a network, such as a mobile phone,
PC or IoT endpoint. These devices are pre-configured to handle DHCP.
DHCP Relaying – Relaying is useful in an environment where the DHCP servers are centralized rather
than assigned to individual subnets. A router is usually used as the relay, acting as a bridge between
the server and the multiple clients broadcasting messages. The router listens for these messages and
forwards them to the server or client. [1,2]
What is DNS?
The Domain Name System (DNS) is used to translate hostnames into IP addresses and vice versa.
The concept is like a yellow pages directory, where each user's name is assigned a unique
telephone number or address. DNS is useful for converting IP addresses (which are difficult
for humans to remember) to user-friendly domain names. [3] Below is a diagrammatic
representation of how DNS works:
The history of DNS Vulnerabilities and the cloud by Prizmant, Daniel [2020] Image Credit: FS Community
Vulnerabilities & Consequences: DNS and DHCP
DNS Vulnerabilities
DNS is vulnerable to a multitude of attack types. Most commonly they target a specific DNS
function (cache, recursive or authoritative). The main objective is to derail businesses,
corrupt data, steal data, or all of these. Attackers mostly prey on these vulnerabilities in
the form of DNS attacks, which are broadly categorized into four main types: [5]
Fig 1: DNS Vulnerability Categories
Volumetric DoS attacks – A DNS server is overwhelmed by a sudden surge of DNS requests from one or multiple sources, resulting in service unavailability or degradation.
Exploits – Flaws or bugs in the existing DNS protocol, or in an operating system running DNS services, are exploited.
Stealth/Slow Drip DoS attacks – Slow responses to a particular DNS query cause capacity exhaustion, which eventually leads to service degradation.
Protocol Abuse – DNS is exploited in a way that was not originally intended, resulting in phishing and exfiltration.
The above categories can be further broken down into various types of attack that make DNS
more vulnerable as a protocol. The sections below cover each of the four categories and the
types of attack each one encompasses.
Volumetric Attacks
Volumetric attacks are the result of flooding DNS servers with direct requests, exhausting
resources such as the cache, recursion or authoritative functions, using a spoofed IP
address. [7]
Fig 2: Volumetric Attacks
Direct DNS DoS Attack – One way of exploiting DNS would be to saturate the cache, recursive and authoritative functions. This can be achieved using a spoofed IP address.
DNS Amplification (DDoS) – The targets of these attacks are DNS servers that can be accessed without any restrictions. They can be used as a source to flood the target with DNS responses, using a spoofed source address that is the target's address, so that the target receives its own response. To cause more amplification, the request contains multiple zone requests.
Bogus Domain Attack – A bogus domain is a domain that does not exist. The purpose is to cripple the DNS server by consuming maximum resources, thereby not allowing genuine queries to be processed. This is also known as an NXDOMAIN attack.
DNS Reflection Attack – This attack targets infrastructure such as firewalls or authoritative servers to exhaust the bandwidth of the network by using multiple resolver servers available on the internet. It is usually combined with amplification attacks to maximise the impact.
Exploits
These are nothing but vulnerabilities in the DNS protocol which attackers take advantage of
to infiltrate the network. [8]
Fig 3: Exploits
Zero-Day Vulnerability – These attacks largely target recently released software with security holes for which no patches are yet available.
DNS-based exploits – Any shortcomings or flaws observed in the DNS protocol or services, or in an operating system running DNS services, are exploited for negative impact.
Protocol Anomalies – Intentionally malformed DNS queries are sent to crash the targeted service.
DNS Rebinding – A combination of JavaScript and IP subnet discovery is used to attack local network IP devices through the browser. This attack is usually used for discovery of unsafe devices (mainly IoT) on the network and for data exfiltration.
Stealth/Slow Drip DoS Attacks
The main objective of these attacks is to slow down or tax the resources of the recursive
server, in turn slowing overall performance. These attacks are also referred to as random
subdomain attacks. [9]
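As an added defender-side illustration (not part of the original assignment), the Python below scans a constructed resolver log for two of the patterns described above: bogus-domain/NXDOMAIN floods (high-entropy non-existent subdomains, the same signature the random-subdomain attacks leave) and amplification traffic where responses dwarf the requests sent from one address. The log format, thresholds and the "zone = last two labels" rule are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log (not real data): client qname qtype rcode req_bytes resp_bytes
SAMPLE_LOG = """\
10.0.0.5 www.example.com A NOERROR 60 76
10.0.0.9 kx7q2m.victim.example A NXDOMAIN 66 110
10.0.0.9 p0z9vb.victim.example A NXDOMAIN 66 110
10.0.0.9 a8wq1r.victim.example A NXDOMAIN 66 110
10.0.0.9 m3nz5t.victim.example A NXDOMAIN 66 110
10.0.0.9 q6yd0c.victim.example A NXDOMAIN 66 110
203.0.113.7 big.example ANY NOERROR 64 3200
"""

def parse(log):
    """Split each line into (client, qname, qtype, rcode, req_bytes, resp_bytes)."""
    out = []
    for line in log.splitlines():
        client, qname, qtype, rcode, req, resp = line.split()
        out.append((client, qname.lower().rstrip("."), qtype, rcode, int(req), int(resp)))
    return out

def label_entropy(label):
    """Shannon entropy (bits/char) of one DNS label; random labels score near log2(len)."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def zone_of(qname):
    return ".".join(qname.split(".")[-2:])  # assumption: registrable zone = last two labels

def nxdomain_floods(records, min_queries=5, min_ratio=0.8, min_entropy=2.5):
    """{zone: NXDOMAIN ratio} for zones hit by many high-entropy non-existent subdomains."""
    stats = defaultdict(lambda: [0, 0, 0.0])  # total, nxdomain, summed entropy of leftmost label
    for _, qname, _, rcode, _, _ in records:
        s = stats[zone_of(qname)]
        s[0] += 1
        if rcode == "NXDOMAIN":
            s[1] += 1
            s[2] += label_entropy(qname.split(".")[0])
    return {z: round(nx / total, 2) for z, (total, nx, ent) in stats.items()
            if nx >= min_queries and nx / total >= min_ratio and ent / nx >= min_entropy}

def amplification_targets(records, min_factor=10.0, min_bytes=2000):
    """{client: resp/req byte ratio}; with a spoofed source the 'client' is the reflection victim."""
    totals = defaultdict(lambda: [0, 0])
    for client, _, _, _, req, resp in records:
        totals[client][0] += req
        totals[client][1] += resp
    return {c: round(resp / req, 1) for c, (req, resp) in totals.items()
            if resp >= min_bytes and resp / req >= min_factor}
```

On the sample, only victim.example is reported as an NXDOMAIN flood and only 203.0.113.7 as an amplification target; the ratio thresholds are what a team would tune against its own baseline.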
Fig 4: Stealth/Slow Drip Attacks
Sloth Domain Attack – As the name suggests, queries are routed to the attacker's authoritative domain, which responds very slowly, just before the timeout, so as to cause congestion at the victim's recursive server.
Phantom Domain Attack – This attack sends subdomains to DNS resolvers for which the domain server is not available; this results in cache saturation at the server's capacity level.
Pseudo-Random Subdomain Attack (PRSD) – A random query name as a subdomain of the victim's domain is the modus operandi of this attack. This results in saturation of the authoritative server's capacity. The attack uses either open relay DNS or a DNS recursive farm at an ISP in order to also exhaust the resources of servers waiting for answers from the authoritative server.
Protocol Abuse
The use of any malware, phishing/pharming or spam tools to abuse the DNS protocol is
referred to as protocol abuse. [10]
Fig 5: Protocol Abuse
DNS Tunneling – The DNS protocol is used to encapsulate other protocols or data in order to remotely control malware and/or exfiltrate data.
DNS Cache Poisoning – Attacks that introduce data into a DNS resolver's cache, causing the name server to return an incorrect IP address for further requests, diverting traffic to the attacker's computer.
DNS Hijacking - Pharming – Malware hosted on the local computer alters the TCP/IP configuration to point to a malicious DNS server, causing traffic to be redirected to a phishing website.
DNS Hijacking - Phishing – DNS records are modified at the registrar level (after compromise of the administrator's credentials) and users are redirected to a malicious website, since valid domains are being used.
Subdomain Hijacking – An attack aiming to reuse an existing DNS entry (generally a CNAME) associated with a public cloud resource that has been removed.
Domain Squatting – An attack using registered domain names with a typo in order to capture or redirect legitimate traffic to another web site.
DHCP Vulnerabilities
DHCP transactions do not have a built-in authentication mechanism, which makes them
vulnerable by default. Attackers can exploit this weakness at the protocol layer or by
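Returning to the DNS Cache Poisoning entry in Fig 5: the following is an added example (not from the original assignment) of the checks a resolver applies before caching anything from a reply, namely that the transaction ID, destination port and question match the outstanding query (the RFC 5452 defences) and that only records inside the queried server's bailiwick are kept. The exchange, names, addresses and the dataclass shapes are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Question:
    name: str
    qtype: str

@dataclass
class Query:
    txid: int          # 16-bit transaction ID chosen by the resolver
    src_port: int      # randomised source port (RFC 5452)
    question: Question

@dataclass
class Response:
    txid: int
    dst_port: int
    question: Question
    records: list      # (section, owner, rtype, rdata) from answer/authority/additional

def in_bailiwick(owner, zone):
    """True when owner is the zone itself or a name below it (case and trailing dot ignored)."""
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)

def accept_response(query, response, server_zone):
    """Validate a reply as a resolver would before caching anything from it.
    Returns (verdict, cacheable_records). server_zone is the zone the queried
    server was delegated for; records outside it are dropped, never cached."""
    if response.txid != query.txid:
        return "reject: txid mismatch", []
    if response.dst_port != query.src_port:
        return "reject: port mismatch", []
    q, r = query.question, response.question
    if (q.name.lower().rstrip("."), q.qtype) != (r.name.lower().rstrip("."), r.qtype):
        return "reject: question mismatch", []
    cacheable = [rec for rec in response.records if in_bailiwick(rec[1], server_zone)]
    return "accept", cacheable

# Constructed exchange (not real traffic): the resolver asked the attacker.example name
# server, whose reply tries to slip a record for an unrelated zone into the additional section.
QUERY = Query(txid=0x1A2B, src_port=51234, question=Question("www.attacker.example", "A"))
REPLY = Response(txid=0x1A2B, dst_port=51234, question=Question("www.attacker.example", "A"),
                 records=[("answer", "www.attacker.example", "A", "198.51.100.10"),
                          ("additional", "www.bank.example", "A", "198.51.100.10")])
SPOOFED = Response(txid=0x9999, dst_port=51234, question=QUERY.question, records=[])
```

The out-of-bailiwick www.bank.example record is silently discarded while the legitimate answer is cached, and SPOOFED is rejected on the transaction ID alone; without port randomisation the ID would be the only thing an off-path forger has to guess.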