CSE508- Network Security,  Homework 3: DNS Poisoning Solved

 


 

 

In this assignment you will develop 1) an on-path DNS poisoning attack tool,

and 2) a passive DNS poisoning attack detector. Both tools should be developed

in Go using the GoPacket library, and should support just plain (UDP) DNS

traffic over port 53.

 

 

Part 1 

 

The DNS packet injector you are going to develop, named 'dnspoison', captures

the traffic from a network interface in promiscuous mode, and injects forged

responses to selected DNS A requests with the goal of poisoning the cache of

the victim's resolver.

 

Your program should conform to the following specification:

 

go run dnspoison.go [-i interface] [-f hostnames] [expression]

 

-i  Listen on network device <interface (e.g., eth0). If not specified,

    dnspoison should select a default interface to listen on. The same

    interface should be used for packet injection.

 

-f  Read a list of IP address and hostname pairs specifying the hostnames to

    be hijacked. If '-f' is not specified, dnspoison should forge replies to

    all observed requests with the chosen interface's IP address as an answer.

 

The optional <expression argument is a BPF filter that specifies a subset of

the traffic to be monitored. This option is useful for targeting a single

victim or a group of victims.

 

The <hostnames file should contain one IP and hostname pair per line,

separated by whitespace, in the following format:

10.6.6.6      foo.example.com

10.6.6.6      bar.example.com

192.168.66.6  www.cs.stonybrook.edu

 

Pay attention to the time needed for generating the spoofed response. Your

code should be fast enough so that the injected reply reaches the victim

before the server's real response. The spoofed packet and content should be

valid according to the initial DNS request, and the forged response should be

accepted and processed normally by the victim. Failure to win the race will

not affect your grade, but you should at least try (see hints below).

 

 

Part 2

 

The DNS poisoning attack detector you are going to develop, named 'dnsdetect',

captures the traffic from a network interface in promiscuous mode and detects

DNS poisoning attack attempts, such as those generated by your own dnspoison,

or dnsspoof (https://www.monkey.org/~dugsong/dsniff/). Detection is based on

identifying duplicate responses within a short time interval towards the same

destination, which contain different answers for the same A request (i.e., the

observation of the attacker's spoofed response and the server's actual

response). The order of arrival should not matter: you should raise an alert

irrespectively of whether the attacker's spoofed response arrived before or

after the real response. You should make every effort to avoid false

positives, e.g., due to legitimate consecutive responses with different IP

addresses for the same hostname due to DNS-based load balancing.

 

Your program should conform to the following specification:

 

go run dnsdetect.go [-i interface] [-r tracefile] expression

 

-i  Listen on network device <interface (e.g., eth0). If not specified,

    the program should select a default interface to listen on.

 

-r  Read packets from <tracefile (tcpdump format). Useful for detecting

    DNS poisoning attacks in existing network traces.

 

<expression is a BPF filter that specifies a subset of the traffic to be

monitored.

 

Once an attack is detected, dnsdetect should print to stdout a detailed alert

containing a printout of both the spoofed and legitimate responses. You can

format the output in any way you like. The output must contain the DNS

transaction ID, the attacked domain name, and the original and malicious IP

addresses - for example:

 

20210309-15:08:49.205618  DNS poisoning attempt 

TXID 0x5cce Request www.example.com

Answer1 [List of IP addresses]

Answer2 [List of IP addresses]

 

For both dnspoison and dnsdetect, feel free to use parts or build upon the

code of your 'mydump' tool from Homework 2.

 

 


Hints

 

- Mind your spoofed packet's header fields and checksums!

 

- Think about what fields should remain the same or may differ between the

  spoofed and actual response packets.

 

- An easy way to test your implementation is using two hosts: the attacker can

  be either your real machine or a VM, and the victim can be a different VM.

  In both cases, the attacker will be in a position to sniff the victim's

  traffic and inject packets towards the victim, i.e., perform a

  man-on-the-side attack. Alternatively, you can also use ARP spoofing to

  perform a man-in-the-middle attack.

 

- Don't forget to disable DoH/DoT, if it is enabled in the victim's browser.

 

- If your host OS is configured to use a fast DNS server (e.g., Google's

  8.8.8.8), these tend to have a very low RTT of just 3-4ms, so reliably

  winning the race will require carefully tuned code. Try ping'ing the DNS

  server to observe its RTT. To win the race more easily and reliably, you can

  pick a server that is "far away", e.g., 30-40ms away. Here is a list of free

  public DNS servers: https://twitgoo.com/best-free-dns-servers/ - many of

  them have very low latency from SBU, but there are some in the 30-40ms range

  (e.g., Alternate DNS, OpenNIC, SmartViper) so your attack should be reliable

  using those. Yandex or puntCAT should be even easier, as they are in the

  100ms range.

 

- If you still cannot win the race in your setup, for testing purposes you can

  "slow down" or drop the incoming legitimate responses (e.g., using

  NetfilterQueue or any other method you prefer). Failure to win the race will

  not affect your grade, but the spoofed response should be correct and

  accepted by the victim (if it would arrive first).

 

- Some useful examples related to sending raw packets with GoPacket:

  https://github.com/google/gopacket/blob/master/examples/pcaplay/main.go

  https://github.com/google/gopacket/blob/master/examples/arpscan/arpscan.go