Hold-On Flashcards

1
Q

an attacker who can observe and inject traffic

inserts fake replies to queries

A

DNS poisoning based on packet injection

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Attackers against DNS fall into three categories:

A

off-path,
on-path, and
in-path.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

lacks the ability to observe DNS queries and responses. Such an attacker will generally employ some means to trigger specific DNS lookups, but must guess the transaction ID and any other entropy (such as the source port and 0x20 encoding) in the request to forge a reply that the resolver will accept.

A

An off-path adversary

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

generally generate numerous packets in hopes of matching the request. Additionally, because resolvers do not issue new queries for a name that is already cached, off-path adversaries have difficulty targeting stub resolvers, since stubs, unlike recursive resolvers, do not generally accept and promote glue entries

A

Off-path adversaries

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

has the ability to passively observe

the actual lookups requested by a resolver

A

An on-path adversary

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

can directly forge DNS replies that match the full set of criteria used by the resolver to validate answers (other than use of DNSSEC). As long as a forged reply arrives at the resolver before the legitimate one, the resolver will accept the injected answer and become poisoned.

A

An on-path adversary

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Absent a denial-of-service attack on legitimate servers, both off-path and on-path adversaries lack the ability to suppress legitimate responses. Thus, both of these adversaries necessarily create an observable artifact: the victim, if it waits sufficiently long, will receive both the attacker’s packet and the legitimate reply.

A

True facts

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Only this is capable of blocking and modifying packets, can prevent the legitimate reply from reaching the victim.

A

an in-path adversary

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Although in-path approaches have more power, on-path approaches have several advantages, making their use appealing for attackers

A

Censorship tools commonly use on-path rather
than in-path techniques to ease deployment and to make the system failure and load tolerant, as the censorship system can then operate on a traffic mirror rather than the live traffic.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

works without modifying drivers, but suppressing legitimate replies requires hardware-specific access to the low-level air interface to detect and squelch a broadcast in flight

A

on-path WiFi packet injection

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

adds cryptographic authentication to prevent the

acceptance of invalid DNS replies

A

DNSSEC

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

does not suffice as a replacement for a mechanism such as Hold-On: resolvers need to maintain an open port for a period of time in order to attempt to validate all responses received for a query, not just the first.

A

DNSSEC

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Hold-On can provide a robust defense against on-path injection only when combined with

A

DNSSEC

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

operates as a stub resolver to a known-uncensored remote recursive resolver, which enables accurate initial measurement of RTT and TTL to enable subsequent detection of unexpected replies

A

The current Hold-On implementation

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Without DNSSEC, “Hold On” relies on attack packets exhibiting significant differences in “These 2 things” in order to distinguish them from legitimate replies.

A

IP TTL or RTT

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

If the attacker carefully crafts the attack packets’ TTLs, and only injects them just before the likely arrival of the legitimate reply (see Figure 7), our Hold-On technique without DNSSEC will fail to distinguish between the legitimate reply and the attack packet.7

A

True.

However, the resolver can still detect that an attack
has likely occurred (due to the differing responses). If the resolver cannot correctly determine the legitimate response, it should conservatively not return any answer—though doing so still enables attackers to impose denial-of-service

17
Q

does not suffice to protect against on-path adversaries
operating in environments that users only occasionally visit, such as public WiFi hotspots; we lack knowledge of “non-sensitive” domains to look up in order to obtain estimates of RTT and TTL in the presence of non-injection

A

Hold On

18
Q

a recursive resolver should also continue to listen

for replies even after it processes and forwards an answer

A

in order to detect attacks

If the resolver detects an attack,
it could revert to a more paranoid mode (performing active measurements of RTTs and TTLs for all new resolvers to detect subsequent attacks)

19
Q

is effective at distinguishing legitimate replies from those injected by a widely deployed network censorship system.

A

a DNS forwarder that implements Hold-On

20
Q

Packet injection by on-path adversaries poses a particular

threat against DNS

A

One particular use of such injection comes from those building DNS-based censorship tools. Even DNSSEC-validating implementations may be vulnerable, as
injected packets can cause denial-of-service if the resolver fails to wait for the legitimate reply before returning “Bogus”.

stub resolvers can use its presence to detect when packet injection occurs.

21
Q

In addition, unless censors take additional steps, imperfections
in their packet injection tools can allow resolvers to not
only detect injection attacks, but also to potentially distinguish
between legitimate replies and injected answers based on
artifacts in the

A

IP header’s TTL field and in the round-trip time

when receiving replies

22
Q

If a reply arrives too early, with an unexpected IP TTL,
or fails to validate (if DNSSEC validation occurs), the stub
waits for the potential arrival of a subsequent legitimate reply
before proceeding.

A

a Hold-On period

23
Q

For censors who take steps to match the TTL and RTT of their injections with those expected for legitimate replies, “THIS” still allows detection that injection
has occurred; and, for DNSSEC-enabled resolution, prevents the censor from imposing denial-of-service on obtaining the correct reply.

A

Hold-On