Enhanced Secure Dynamic DNS Update with Indirect Route David Wilkinson, C. Edward Chow, Yu Cai 06/11/2004 University of Colorado at Colorado Springs IEEE.

Slides:

Advertisements

Similar presentations

RadSec – A better RADIUS protocol

Advertisements

Module 13: Implementing ISA Server 2004 Enterprise Edition: Site-to-Site VPN Scenario.

On Proxy Server based Multipath Connections (PSMC) PhD Proposal Yu Cai 12/2003 University of Colorado at Colorado Springs.

IDMP-based Fast Handoffs and Paging in IP-based Cellular Networks IEEE 3G Wireless Conference, 2001 李威廷 11/22/2001 Telcordia.

IPv6 Multihoming Support in the Mobile Internet Presented by Paul Swenson CMSC 681, Fall 2007 Article by M. Bagnulo et. al. and published in the October.

Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Mobile IP Security Dominic Maguire Research Essay Presentation Communications Infrastructure Module MSc Communications Software, WIT

Enhanced Secure DNS: A Defense Against DDOS Attacks by David B. Wilkinson University of Colorado at Colorado Springs November 26, 2003.

WS-Denial_of_Service Dariusz Grabka M.Sc. Candidate University of Guelph February 13 th 2007.

RASD Rapid Adaptive Secure DNS Matthew Weaver Jeremy Witmer Dr. Chow, Advising CS 622 – Fall 2007.

Dynamic Process Allocation in Apache Server Yu Cai.

Design and Implementation of Alternative Route Against DDOS Jing Yang and Su Li.

On Proxy Server based Multipath Connections (PSMC) PhD Proposal Yu Cai 10/2003 University of Colorado at Colorado Springs.

1 ITC242 – Introduction to Data Communications Week 12 Topic 18 Chapter 19 Network Management.

PSMC Proxy Server-based Multipath Connection CS 526 Advanced Networking - Richard White.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

ChowSCID1 Secure Collective Internet Defense (SCID) C. Edward Chow Yu Cai Dave Wilkinson Sarah Jelinek Part of this project is sponsored by a grant from.

ChowSCOLD1 Secure Collective Defense Network (SCOLD) C. Edward Chow Yu Cai Dave Wilkinson Sarah Jelinek Part of this project is sponsored by a grant from.

RASD Rapid Adaptive Secure DNS Matthew Weaver Jeremy Witmer Dr. Chow, Advising CS 622 – Fall 2007.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

Hands-On Microsoft Windows Server 2003 Networking Chapter 6 Domain Name System.

Lesson 20 – OTHER WINDOWS 2000 SERVER SERVICES. DHCP server DNS RAS and RRAS Internet Information Server Cluster services Windows terminal services OVERVIEW.

Secure Collective Internet Defense (SCID) Yu Cai 05/30/2003

Using Multiple Gateways to Foil DDOS Attack by David Wilkinson.

ChowSCOLD1 Secure Collective Internet Defense (SCOLD) C. Edward Chow Yu Cai Dave Wilkinson Sarah Jelinek Part of this project is sponsored by a grant from.

DNS: Revising the Current Protocol Matt Gustafson Matt Weaver CS522 Computer Communications University of Colorado, Colorado Springs.

Investigations into BIND Dynamic Update with OpenSSL by David Wilkinson.

1 DNS Name Service based on Secure Multicast DNS for IPv6 Mobile Ad-hoc Network Jaehoon Jeong, ETRI ICACT.

1 Cybersecurity Symposium 9/19/2003 chow C. Edward Chow Yu Cai Dave Wilkinson Department of Computer Science University of Colorado at Colorado Springs.

Stealth Probing: Efficient Data- Plane Security for IP Routing Ioannis Avramopoulos Princeton University Joint work with Jennifer Rexford.

Internet Protocol Security (IPSec)

1 DACAManet Proposer’s Workshop UCCS-Raytheon Terry Boult C. Edward Chow Department of Computer Science University of Colorado at Colorado Springs Leland.

Windows Server 2008 Chapter 8 Last Update

DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Chapter 6 Configuring, Monitoring & Troubleshooting IPsec

Host Identity Protocol

TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Services Working at a Small-to-Medium Business or ISP – Chapter 7.

Secure Socket Layer (SSL)

Implementing ISA Server Publishing. Introduction What Are Web Publishing Rules? ISA Server uses Web publishing rules to make Web sites on protected networks.

Module 5: Planning a DNS Strategy. Overview Planning DNS Servers Planning a Namespace Planning Zones Planning Zone Replication and Delegation Integrating.

RFC 3361: DHCP Option for SIP Servers Speaker: Chung yu Wu Teacher: Quincy Wu.

1 Chapter 6: Proxy Server in Internet and Intranet Designs Designs That Include Proxy Server Essential Proxy Server Design Concepts Data Protection in.

Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.

SECURITY ZONES. Security Zones  A security zone is a logical grouping of resources, such as systems, networks, or processes, that are similar in the.

October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.

DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.

Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.

DNS SRV and NAPTR Use for SPEERMINT - Tom Creighton, Gaurav Khandpur Comcast SPEERMINT Intermin Meeting Philadelphia Sept

Content-oriented Networking Platform: A Focus on DDoS Countermeasure ( In incremental deployment perspective) Authors: Junho Suh, Hoon-gyu Choi, Wonjun.

Module 10: How Middleboxes Impact Performance

Homework 02 NAT 、 DHCP 、 Firewall 、 Proxy. Computer Center, CS, NCTU 2 Basic Knowledge  DHCP Dynamically assigning IPs to clients  NAT Translating addresses.

Topic 1 – Introduction Huiqun Yu Information Security Principles & Applications.

Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.

CIS679: Anycast r Review of Last lecture r Network-layer Anycast m Single-path routing for anycast messages r Application-layer anycast.

Draft-carpenter-v6ops-label-balance-02 Brian Carpenter Sheng Jiang (Speaker) Willy Tarreau March 2012 IPv6 Flow Label for Server Load Balancing - update.

Securing Access to Data Using IPsec Josh Jones Cosc352.

IP Security (IPSec) Matt Hermanson. What is IPSec? It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation.

Modified Onion Routing GYANRANJAN HAZARIKA AND KARAN MIRANI.

GUIDED BY: N.SRIDHAR Assoc Professor Dept of IT GMRIT Rajam PROJECT MEMBERS: E.PRASAD BABU(06341A1214) G.SRIRAMULU(07341A1275) S.SRAVANI(07341A1272) P.KARTIKEYAN(06341A1233)

NAT、DHCP、Firewall、FTP、Proxy

C. Edward Chow Department of Computer Science

Practical Censorship Evasion Leveraging Content Delivery Networks

Working at a Small-to-Medium Business or ISP – Chapter 7

Working at a Small-to-Medium Business or ISP – Chapter 7

Working at a Small-to-Medium Business or ISP – Chapter 7

Unit 8 Network Security.

Presentation transcript:

Enhanced Secure Dynamic DNS Update with Indirect Route David Wilkinson, C. Edward Chow, Yu Cai 06/11/2004 University of Colorado at Colorado Springs IEEE Information Assurance Workshop 2004

Introduction to DNS DNS: Domain Name System DNS translates between domain names and IP addresses. Berkeley Internet Name Domain package (BIND). DNS was designed two decades ago. DNS is undergoing changes with various enhancements.  DNSSEC (DNS Security Extensions)  Dynamic DNS update and secure DNS update RFC  DNS for loading balancing and traffic distribution  Storing IPSec keying material in DNS  And many more

Introduction to SCOLD SCOLD: Secure COLlective Defense system, designed to defend against DDoS attack. The key idea of SCOLD: follow intrusion tolerance and network reconfiguration paradigm by providing alternate routes via a set of proxy servers and alternate gateways when the normal route is unavailable or unstable due to network failure, congestion, or DDoS attack. In SCOLD, the DNS is utilized to store the indirect routing information, like the proxy server IP addresses

Introduction to SCOLD Motivation of SCOLD:  Multiple gateways or multi-homing scheme are popular.  When the main gateway is under attack, the traffic should be redirected through the alternate gateways.  We may not want to reveal the alternate gateway IP addresses to public domain, because otherwise they may become new targets of attacks.  We design to use proxy servers to protect the alternate gateways and reroute the traffic. A key technique in SCOLD is the enhanced secure dynamic DNS update with indirect route. We refer to it as the IR DNS update.

SCOLD Overview: Target site under DDoS attack

SCOLD Overview: The control flow

SCOLD Overview: Indirect Route

The enhanced DNS update with indirect route: IR DNS Redefine the DNS record format for storing the additional information. A sample of the new DNS record in the DNS zone file: The first line is a normal DNS entry, containing host name and its IP address. The next 3 lines contain the IP addresses of proxy servers, as the newly defined “ALT” type (type 99). target.targetnet.com. 10 IN A target.targetnet.com. 10 IN ALT IN ALT IN ALT

Why DNS update with Indirect Route? In the scenario of DDoS attack, the main gateway of the target server domain may become unavailable or unstable. Therefore, the normal DNS update might experience significant delay or even completely fail. By setting up indirect route and perform the DNS update via the indirect route, we can overcome the problem. IR DNS can also be used to protect the Root DNS servers.

IR DNS update

Protect the root DNS server

Implementation We implement the IR DNS update on BIND v and Redhat Linux v. 8 / 9. The indirect route is implemented by using IP tunnel protocol The BIND 9 DNS server was enhanced. The DNS dynamic update utility (nsupdate) was enhanced as a new program named “nsreroute” The domain name resolve library (v.2.3.2) was enhanced An agent program runs on each participating node (DNS servers, proxy servers, gateways) listening for the control message.

Implementation All the control messages are encrypted using Secure Sockets Layer (SSL) and all participating nodes must be mutually authenticated. Nsreroute and input_file format: nsreroute input_file reroute client.clientnet1.com. victimDNSserver1.victimnet.com. victimDNSserver2.victimnet.com.... reroute client.clientnet2.com. victimDNSserver1.victimnet.com. victimDNSserver2.victimnet.com....

Experimental Results

1.Overhead of resolve library and DNS server is limited 2.Overhead of IP tunnel is acceptable 3.There is a limit on how many client DNS servers one IR DNS update can handle concurrently. 4.Overhead of Indirect Route is acceptable compared with the impact of DDoS attacks % overhead vs. possibly infinity

Conclusion We present the design and implementation of the IR DNS update. It is an essential part of the SCOLD system, but can also serve as a useful extension to the existing DNS update utility. BIND 9 DNS package is modified to support IR DNS update. IP tunnel was utilized to implement indirect routing. New ALT 99 type data is defined and a new DNS update utility named nsreroute is developed. The preliminary results show that SCOLD can improve the network security, availability and performance.

References [1] P. Mockapetris, “Domain Names--Implementation and Specification”, RFC 3658, Nov. 1987RFC 3658 [2] P. Mockapetris, “Domain Names--Concepts and Facilities”, RFC 1034, Nov. 1987RFC [3] Internet Systems Consortium, “ISC BIND”, [4] The SANS Institute, “How To Eliminate The Ten Most Critical Internet Security Threats” [5] Internetnews.com, “Massive DDoS Attack Hit DNS Root Servers”, [6] Edward Chow, Yu Cai, “Secure Collective Defense system (SCOLD)”, SCOLD_globecom2004.doc, submitted to Globecom 2004 [7] DNSSEC, [8] Dynamic DNS update, RFC 2136, [9] Secure DNS update, RFC 3007, [10] Y. Shim, et al., “Extension and Design of Secure Dynamic Updates in Domain Name Systems”, 5th Asia-Pacific Conference on Communications, 1998