Perils of Transitive Trust in the Domain Name System Venugopalan Ramasubramanian Emin Gün Sirer Cornell University.

How to 0wn the Internet in Your Spare Time? Part 2 Venugopalan Ramasubramanian Emin Gün Sirer Cornell University

Introduction. DNS is critical to the Internet. The DNS architecture is based on delegations: control over a name is delegated to name servers designated by the name owner. Delegations enable high scalability and decentralized administration. What about security?

Dependencies for vericenter.com (slide figure: dependency graph). Nodes shown: root, gov, com, net, gtld-servers.net, nstld.com, zoneedit.com, gov.zoneedit.com, sprintlink.net, tel .net, sprintip.com, dns[,2].sprintip.com, ns[3,4,5,6].vericenter.com, fbi.gov.

Subtle Dependencies in DNS (slide figure). Examples shown: cs.rochester.edu, cs.wisc.edu, itd.umich.edu; one name depends on 86 servers in 17 domains, another on 48 nameservers in 20 domains. DNS dependencies are subtle and complex. Are administrators aware of what they depend on? This increases the risk of domain hijacks.

Servers with Security Loopholes (slide figure; source: Internet Systems Consortium). Servers shown: [slate,cayuga].cs.rochester.edu, dns[,2].sprintip.com, ns[3,4,5,6].vericenter.com, fbi.gov, ns[1,2,3]-auth.sprintlink.net, reston-ns[1,3].tel .net, reston-ns[2].tel .net, sprintip.com.

Survey Goals. 1. Which domain names have large dependencies and therefore entail high risk? 2. Which domains are affected by servers with known security holes and can be easily taken over? 3. Which servers control the largest portion of the namespace and are thus the most likely targets?

Survey Methodology. Domain names (from Yahoo and Dmoz.org); name servers; domains; 196 top-level domains.

Most Vulnerable Names: Number of Dependencies (slide table with rows Median, Max and Mean and columns Top 500 and All; the cell values survive in the transcript only as the run-together digits 2226 and 6846).

Most Vulnerable Names

Vulnerability to Security Flaws. Survey of BIND version numbers: 17% of servers have known loopholes [ISC]; 45% of names are not totally safe. Security through obscurity! More than 40% of servers hide their version numbers; 19 of 46 servers reported a version for cs.cornell.edu and 18 of 86 for fbi.gov.

Vulnerability

Vulnerability to Security Flaws

Critical Assets

Most Valuable Nameservers. Top 5 domains: arizona.edu, ucla.edu, uoregon.edu, nyu.edu, berkeley.edu.
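The two measurements behind the dependency and "most valuable nameserver" slides, as an added Python example that is not the authors' survey code: the transitive closure of servers and zones a name depends on through name-based delegations, and a ranking of servers by how many names depend on them. The delegation table is constructed by hand for this example; its zone names and nameserver hostnames (example.gov, example.com, ns1.zoneedit.com, dns.sprintip.com and so on) are illustrative stand-ins loosely modelled on the edges drawn in the vericenter.com figure, not real DNS data, and the functions ancestor_zones, dependencies and bottlenecks are this example's own.

```python
"""Transitive DNS dependency closure (added illustration, not the paper's survey code)."""
from collections import defaultdict

# Constructed delegation table: zone -> nameserver hostnames serving that zone.
# "." is the root. Several zones name servers that live in *other* domains
# (name-based delegation); those edges are what creates transitive trust.
# All entries are hypothetical and chosen for the example.
DELEGATIONS = {
    ".": ["a.root-servers.net"],
    "net": ["a.gtld-servers.net"],
    "com": ["a.gtld-servers.net"],
    "gov": ["ns.gov.zoneedit.com"],          # gov outsourced, as in the slide's gov -> zoneedit.com edge
    "root-servers.net": ["a.root-servers.net"],
    "gtld-servers.net": ["a.gtld-servers.net"],
    "zoneedit.com": ["ns1.zoneedit.com", "ns2.zoneedit.com"],
    "gov.zoneedit.com": ["ns1.zoneedit.com"],
    "sprintip.com": ["dns.sprintip.com", "dns2.sprintip.com"],
    "example.gov": ["ns1.example.gov", "dns.sprintip.com"],  # one in-bailiwick, one outsourced server
    "example.com": ["ns1.example.com"],
}


def ancestor_zones(name):
    """Yield every delegated zone on the path from the root down to `name`."""
    labels = name.rstrip(".").split(".")
    yield "."
    for i in range(len(labels) - 1, -1, -1):
        zone = ".".join(labels[i:])
        if zone in DELEGATIONS:
            yield zone


def dependencies(name, seen=None):
    """Return (servers, zones) that resolving `name` transitively depends on.

    Every zone on the path to `name` must answer, so each of its nameservers
    is a dependency; each nameserver is itself a hostname whose resolution
    pulls in its own path of zones, recursively.  `seen` guards against the
    cycles that glue-less self references (root-servers.net etc.) would cause.
    """
    if seen is None:
        seen = set()
    servers, zones = set(), set()
    for zone in ancestor_zones(name):
        zones.add(zone)
        for ns in DELEGATIONS[zone]:
            servers.add(ns)
            if ns not in seen:
                seen.add(ns)
                sub_servers, sub_zones = dependencies(ns, seen)
                servers |= sub_servers
                zones |= sub_zones
    return servers, zones


def bottlenecks(names):
    """Rank servers by how many of `names` transitively depend on them.

    A server high in this list controls a large slice of the namespace and is
    the kind of "critical asset" the survey's third question asks about.
    """
    count = defaultdict(int)
    for name in names:
        servers, _ = dependencies(name)
        for server in servers:
            count[server] += 1
    return sorted(count.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for name in ("example.gov", "example.com"):
        servers, zones = dependencies(name)
        print(f"{name}: {len(servers)} servers in {len(zones)} zones")
        print("  outsourced:", sorted(s for s in servers if not s.endswith(name)))
    print("most depended-upon servers:", bottlenecks(["example.gov", "example.com"])[:3])
```

Running it shows the asymmetry the slides describe: example.com, whose only nameserver is in-bailiwick, depends on three servers across six zones, whereas example.gov, sitting under an outsourced TLD and itself naming an external secondary, depends on eight servers across ten zones, including sprintip.com and zoneedit.com, domains its administrator may never have thought about. In a real survey the delegation table would be populated from live NS lookups rather than a constructed dictionary.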

Conclusions. Domain names have subtle dependencies because of name-based delegations. There is a high risk of domain hijacks through well-known software loopholes, leading to more effective phishing attacks.

DNS-SEC. A security standard for DNS based on public-key cryptography and digitally signed certificates. Not widely used currently: security at delegation points, authenticated denials, islands of security. It does not eliminate name-based delegations.

DNS Bottlenecks

Safe Bottlenecks

Safety

Dependencies

Critical Assets 2

Dependencies for fbi.edgesuite.net (slide figure: dependency graph). Nodes shown: a33.g.akamai.net, ns[1-6].vericenter.com, vericenter.com, gov, gov.zoneedit.com, zoneedit.com, com, gtld-servers.net, nstld.com, net, edgesuite.net, akam.net, g.akamai.net, akamai.net, akamaitech.net, dns[,2].sprintip.com, ns[3,4,5,6].vericenter.com, fbi.gov, ns[1,2,3]-auth.sprintlink.net, reston-ns[1,2,3].tel .net, sprintip.com.