CSE508: Network Security, Fall 2017 Homework 4: DNS Packet Injection ------------------------------------------------------------------------------- Submission deadline: 12/8/2017 11:59pm EDT Submission through https://blackboard.stonybrook.edu In this assignment you will develop 1) an on-path DNS packet injector, and 2) a passive DNS poisoning attack detector. Part 1: The DNS packet injector you are going to develop, named 'dnsinject', will capture the traffic from a network interface in promiscuous mode, and attempt to inject forged responses to selected DNS A requests with the goal to poison the resolver's cache. Your program should conform to the following specification: dnsinject [-i interface] [-h hostnames] expression -i Listen on network device (e.g., eth0). If not specified, dnsinject should select a default interface to listen on. The same interface should be used for packet injection. -h Read a list of IP address and hostname pairs specifying the hostnames to be hijacked. If '-h' is not specified, dnsinject should forge replies for all observed requests with the local machine's IP address as an answer. is a BPF filter that specifies a subset of the traffic to be monitored. This option is useful for targeting a single or a set of particular victims. The file should contain one IP and hostname pair per line, separated by whitespace, in the following format: 10.6.6.6 foo.example.com 10.6.6.6 bar.example.com 192.168.66.6 www.cs.stonybrook.edu Pay attention to the time needed for generating the spoofed response! Your code should be fast enough so that the injected reply reaches the victim sooner than the server's actual response. The spoofed packet and content should also be valid according to the initial DNS request, and the forged response should be accepted and processed normally by the victim. Part 2: The DNS poisoning attack detector you are going to develop, named 'dnsdetect', will capture the traffic from a network interface in promiscuous mode and detect DNS poisoning attack attempts, such as those generated by dnsinject. Detection will be based on identifying duplicate responses towards the same destination that contain different answers for the same A request, i.e., the observation of the attacker's spoofed response followed by the server's actual response. You should make every effort to avoid false positives, e.g., due to legitimate consecutive responses with different IP addresses for the same hostname due to round robin DNS load balancing. Your program should conform to the following specification: dnsdetect [-i interface] [-r tracefile] expression -i Listen on network device (e.g., eth0). If not specified, the program should select a default interface to listen on. -r Read packets from (tcpdump format). Useful for detecting DNS poisoning attacks in existing network traces. is a BPF filter that specifies a subset of the traffic to be monitored. Once an attack is detected, dnsdetect should print to stdout a detailed alert containing a printout of both the spoofed and legitimate responses. You can format the output in any way you like. Output must contain the detected DNS transaction ID, attacked domain name, and the original and malicious IP addresses - for example: 20160406-15:08:49.205618 DNS poisoning attempt TXID 0x5cce Request www.example.com Answer1 [List of IP addresses] Answer2 [List of IP addresses] For both dnsinject and dnsdetect, feel free to use parts or build upon the code of your 'mydump' tool from Homework 2. You are free to pick any programming language you like for both tools, as long as it is easy to install and configure on a modern Linux system (e.g., C, C++, python, ruby). What to submit: A tarball with: - all required source code files, an appropriate Makefile (if needed), and instructions for installing any library dependencies/packages (if needed) - a pcap trace containing one or more successful poisoning attacks generated using your dnsinject tool - a short report (.txt file is fine) with a brief description of your programs, the strategy you followed for DNS poisoning detection, and the output of your dnsdetect tool when fed with the above attack trace Hints: 1) You may find some of the following libraries/tools useful: libnet, scapy, dpkt, libdnet. 2) Mind your spoofed packet's header fields and checksums! 3) Think about what fields should remain the same or may differ between the spoofed and actual response packets. 4) An easy way to test your tools is to have a victim guest VM, and run dnsinject and dnsdetect on the host (or another VM that can observe the victim's traffic).