Description
In this assignment you will develop 1) an on-path DNS packet injector, and
2) a passive DNS poisoning attack detector.
Part 1:
The DNS packet injector you are going to develop, named ‘dnsinject’, will
capture the traffic from a network interface in promiscuous mode, and attempt
to inject forged responses to selected DNS A requests with the goal to poison
the resolver’s cache.
Your program should conform to the following specification:
dnsinject [-i interface] [-h hostnames] expression
-i <interface>  Listen on network device <interface> (e.g., eth0). If not specified,
dnsinject should select a default interface to listen on. The same
interface should be used for packet injection.
-h <hostnames>  Read a list of IP address and hostname pairs from <hostnames> specifying
the hostnames to be hijacked. If ‘-h’ is not specified, dnsinject should forge replies
for all observed requests with the local machine’s IP address as an answer.
<expression> is a BPF filter that specifies a subset of the traffic to be
monitored. This option is useful for targeting a single victim or a set of
particular victims.
The <hostnames> file should contain one IP and hostname pair per line,
separated by whitespace, in the following format:
10.6.6.6 foo.example.com
10.6.6.6 bar.example.com
192.168.66.6 www.cs.stonybrook.edu
Pay attention to the time needed for generating the spoofed response! Your
code should be fast enough so that the injected reply reaches the victim
sooner than the server’s actual response. The spoofed packet and content
should also be valid according to the initial DNS request, and the forged
response should be accepted and processed normally by the victim.
Part 2:
The DNS poisoning attack detector you are going to develop, named ‘dnsdetect’,
will capture the traffic from a network interface in promiscuous mode and
detect DNS poisoning attack attempts, such as those generated by dnsinject.
Detection will be based on identifying duplicate responses towards the same
destination that contain different answers for the same A request, i.e., the
observation of the attacker’s spoofed response followed by the server’s actual
response. You should make every effort to avoid false positives, e.g., legitimate
consecutive responses that carry different IP addresses for the same hostname
because of round-robin DNS load balancing.
Your program should conform to the following specification:
dnsdetect [-i interface] [-r tracefile] expression
-i <interface>  Listen on network device <interface> (e.g., eth0). If not specified,
the program should select a default interface to listen on.
-r <tracefile>  Read packets from <tracefile> (tcpdump format). Useful for detecting
DNS poisoning attacks in existing network traces.
<expression> is a BPF filter that specifies a subset of the traffic to be
monitored.
Once an attack is detected, dnsdetect should print to stdout a detailed alert
containing a printout of both the spoofed and legitimate responses. You can
format the output in any way you like. Output must contain the detected DNS
transaction ID, attacked domain name, and the original and malicious IP
addresses – for example:
20160406-15:08:49.205618 DNS poisoning attempt
TXID 0x5cce Request www.example.com
Answer1 [List of IP addresses]
Answer2 [List of IP addresses]
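An added example for Part 2, not part of the assignment handout or any reference solution: a pure-Python sketch of the detection strategy described above, keyed on the client, transaction ID and queried name so that a later response for a fresh query (different TXID, as produced by round-robin rotation) is not reported. It assumes the caller has already pulled each DNS reply out of the capture as a (timestamp, destination IP, destination port, DNS payload) tuple (a real dnsdetect would obtain these through libpcap, scapy or dpkt), and the SAMPLE trace is constructed, not captured.

```python
import struct

def _read_name(pkt, off):  # decode a DNS name, following compression pointers (RFC 1035 4.1.4)
    labels, end = [], None
    while (n := pkt[off]) != 0:
        if n & 0xC0 == 0xC0:                           # 2-byte pointer into the message
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | pkt[off + 1]
        else:
            labels.append(pkt[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
    return ".".join(labels).lower(), (off + 1 if end is None else end)

def parse_a_response(payload):
    """Return (txid, qname, sorted tuple of A-record IPs) from a raw DNS UDP payload."""
    txid, _flags, qd, an = struct.unpack("!HHHH", payload[:8])
    off, qname, ips = 12, "", []
    for _ in range(qd):
        qname, off = _read_name(payload, off)
        off += 4                                       # skip QTYPE and QCLASS
    for _ in range(an):
        _, off = _read_name(payload, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        if rtype == 1 and rdlen == 4:                  # A record: 4-byte IPv4 rdata
            ips.append(".".join(str(b) for b in payload[off + 10:off + 14]))
        off += 10 + rdlen
    return txid, qname, tuple(sorted(ips))

def detect(responses, window=2.0):
    """Flag a second reply to the same (client, txid, qname) that carries a different answer set
    within `window` seconds; an exact duplicate or a reply to a fresh query (new TXID) is not flagged."""
    first, alerts = {}, []
    for ts, dst_ip, dst_port, payload in responses:
        txid, qname, ips = parse_a_response(payload)
        key = (dst_ip, dst_port, txid, qname)
        prev = first.setdefault(key, (ts, ips))        # the first reply seen for this key is kept
        if ips != prev[1] and ts - prev[0] <= window:
            alerts.append({"txid": txid, "qname": qname, "answer1": prev[1], "answer2": ips})
    return alerts

def build_a_response(txid, qname, ips, ttl=60):  # constructed sample only: one question, one A RR per IP
    q = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.split(".")) + b"\x00\x00\x01\x00\x01"
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(map(int, ip.split("."))) for ip in ips)
    return struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0) + q + rrs

SAMPLE = [  # constructed trace: forged reply, real reply 30 ms later, then a new query answered by round robin
    (0.000, "10.0.0.5", 53123, build_a_response(0x5CCE, "www.example.com", ["10.6.6.6"])),
    (0.030, "10.0.0.5", 53123, build_a_response(0x5CCE, "www.example.com", ["203.0.113.80"])),
    (5.000, "10.0.0.5", 53124, build_a_response(0x1F2E, "www.example.com", ["203.0.113.81"])),
]
```

Running `detect(SAMPLE)` yields exactly one alert, for TXID 0x5cce with answer sets ('10.6.6.6',) and ('203.0.113.80',); the third reply is a different transaction and is left alone.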
For both dnsinject and dnsdetect, feel free to use parts or build upon the
code of your ‘mydump’ tool from Homework 2. You are free to pick any
programming language you like for both tools, as long as it is easy to install
and configure on a modern Linux system (e.g., C, C++, python, ruby).
What to submit:
A tarball with:
– all required source code files, an appropriate Makefile (if needed), and
instructions for installing any library dependencies/packages (if needed)
– a pcap trace containing one or more successful poisoning attacks generated
using your dnsinject tool
– a short report (.txt file is fine) with a brief description of your programs,
the strategy you followed for DNS poisoning detection, and the output of your
dnsdetect tool when fed with the above attack trace
Hints:
1) You may find some of the following libraries/tools useful: libnet, scapy,
dpkt, libdnet.
2) Mind your spoofed packet’s header fields and checksums!
3) Think about what fields should remain the same or may differ between the
spoofed and actual response packets.
4) An easy way to test your tools is to have a victim guest VM, and run
dnsinject and dnsdetect on the host (or another VM that can observe the
victim’s traffic).