《王琦与李翔与王楚涵_图门攻击系统地探索和利用DNS响应预处理中的逻辑漏洞和畸形数据包.pdf》由会员分享,可在线阅读,更多相关《王琦与李翔与王楚涵_图门攻击系统地探索和利用DNS响应预处理中的逻辑漏洞和畸形数据包.pdf(41页珍藏版)》请在三个皮匠报告上搜索。
1、#BHUSA BlackHatEventsTuDoor Attack:Systematically Exploring and Exploiting Logic Vulnerabilities in DNS Response Pre-processing with Malformed PacketsSpeaker(s):Qi Wang,Tsinghua UniversityContributor(s):Xiang Li,Nankai University&Chuhan Wang,Tsinghua University#BHUSA BlackHatEventsAttack Impact2Pois
2、oning vulnerable resolvers cache within just one second.Our TuDoor attack could poisonarbitrary domains,e.g.,.com .#BHUSA BlackHatEventsDomain Name System(DNS)3DNS Overviewq Translating domain names to IP addressesq Entry point of many Internet activitiesq Domain names are widely 93.184.216.34DNSWeb
3、CDNEmailCertificateCited from BlackHatEventsDomain Name System(DNS)4Hierarchical Name Spaceq Authoritative zones:root,TLD,SLD DNS recordsq Domain delegation Domain registrationMultiple Resolver Rolesq Client,forwarder,recursive,authoritativeq CachingIterative Resolution Processq Client-server stylen
4、etcomexampleDNSclientForw-arderRecursiveresolverAuthoritative serversRootTLDSLD.DNS namespaceDelegateDelegateQuery Referral to SLD NSQuery Referral to TLD NS123456Query Authoritative answer78910QueryQueryResponse#BHUSA BlackHatEventsnetcomexampleDomain Name System(DNS)5DNS Resolution Processq Primar
5、ily over UDPq Iterative and recursiveq CachingDNSclientForw-arderRecursiveresolverAuthoritative serversRootTLDSLD.DNS namespaceDelegateDelegateQuery Referral to SLD NSQuery Referral to TLD NS123456Query Authoritative answer78910QueryQueryR A?(empty)(empty)(empty)SP=50000QDANAUARDP=53TXID= A? A 1.1.1
6、.1(empty)(empty)SP=53QDANAUARDP=50000TXID=1001QueryResponseSource portTXID6 5 5 3 66 5 5 3 632 bits space#BHUSA BlackHatEventsTakeaway6Attackers have long been trying to manipulate its response for hijacking via cache poisoning attacks.Since DNS is the cornerstone of the Internet,enabling multiple c