Giters

HectorTa1989 / DNS-cache-poisoning-attack-investigation

An isolated environment for DNS cache poisoning attack investigation and demonstration.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

dnsdns-serverdns-poisoningdns-spoofingdns-cache-poisoningpoisoning-attack

DNS Cache Poisoning Attack Demo

===============================

This project is to investigate and reproduce the DNS Cache Poisoning Attack within an isolated network environment using docker. The demo shows an adversary to spoof the DNS answer of google.com and direct to the adversary's malicious IP address.

Quickstart

Prerequisities

You will need Docker and Docker Compose installed for this project.

Build

docker-compose build
docker-compose up

Upon running, the DNS resolver and upstream DNS server will start listening on port 53.

Attack

1. Into the container attacker

docker exec -it attacker bash

2. Launch the attack script

python attack.py google.com 10.0.0.4

3. Impact

As the output of the container dns shows, a fake DNS record has been successfully written into cache. It can be verified by using dig in the victim's container.

First get into victim's container:

docker exec -it victim bash

In the container:

dig google.com

It shows that in the answer section, the record is pointing to the adversary's IP address (10.0.0.4).

Debriefing

Project Architecture

Four containers are used in this project:
DNS (10.0.0.2): A vulnerable DNS resolver
Victim (10.0.0.3): A victim host for proving the attack
Attacker (10.0.0.4): The adversary who will launch the attack
Upstream DNS (10.0.0.5): Plays the role of an upstream DNS server

DNS Cache Server (10.0.0.2)

This is a simple DNS resolver developed to fully examine the attack process. It first looks at the cache stored and returns the cache if there is. Otherwise, it will forward the request to the upstream DNS server, waiting for responses.

As the objective of this project is only to investigate the attack itself, the Query ID (QID) for requesting is always set to range from 10000 to 10050, and the source port is fixed to 22222 to avoid launching a birthday attack, which is not the goal of this project.

Once received the response, it will validate if two QIDs match and then send the answer to the client.

Upstream DNS (10.0.0.5)

A local authoritative DNS is set up to take the place of upstream DNS servers to always respond DNS requests with IP 1.2.3.4

Attacker (10.0.0.4)

The adversary first sends a DNS query to the DNS cache server (10.0.0.2), so the server will send a DNS request to the upstream server and begin accepting responses. Then it sends DNS answers trying all possible QID from the destination impersonating the upstream server (10.0.0.5) to the cache server (10.0.0.2).

An attack script (/attacker/attack.py) is thereby created.

Usage:

python attack.py [target domain] [spoofed IP]

License

This was initially developed for CS 4404 Network Security B20 as a part of Mission 2 for Team 13 and is licensed under the MIT License. However, you may NOT directly use this repository if you are taking the same course as a student as per Academic Integrity Policy.

About

An isolated environment for DNS cache poisoning attack investigation and demonstration.

dnsdns-serverdns-poisoningdns-spoofingdns-cache-poisoningpoisoning-attack

License:MIT License

Languages

Language:Python 83.2%Language:Dockerfile 16.8%