Ghost Domain Names: Revoked Yet Not Taken Down
19th NDSS (February 2012)

Authors: 江健 Jian Jiang (Tsinghua University), 梁锦津 Jinjin Liang (Tsinghua University), 李康 Kang Li (University of Georgia), 李军 Jun Li (University of Oregon), 段海新 Haixin Duan (Tsinghua University), 吴建平 Jianping Wu (Tsinghua University)

Slides presented on 2012/2/21 at a seminar of the Advanced Defense Lab.

Outline
 Introduction
 Background
 The DNS Name Revocation Vulnerability
 Experiments
 Possible Defense Approaches
 Response from Industries
Introduction
 While primarily used for legitimate purposes, domain names have also been heavily leveraged by malicious activities.
 ○ Ex: botnets
 A major endeavour in stopping these malicious activities has thus been identifying and deleting malicious domain names.
 ○ Ex: the Waledac and Rustock takedowns
DNS Mechanism
 [Figure: a client queries a recursive resolver, which walks the delegation from .com to phishing.com; the resolver caches the NS records of phishing.com with a TTL of some seconds (the value was not captured from the slide).]
Background: DNS response
 A DNS response consists of four sections:
 ○ Question Section
 ○ Answer Section
 ○ Authority Section
 ○ Additional Section

DNS Delegation (a referral from the parent carries no answer, only authority and glue):
 ;; ANSWER SECTION
 (empty)
 ;; AUTHORITY SECTION
 phishing.com. IN NS ns.phishing.com.
 ;; ADDITIONAL SECTION
 ns.phishing.com. IN A (glue address not captured from the slide)
DNS Cache Update Policy
 The bailiwick rule: a resolver only accepts records for names at or below the zone the answering server is responsible for.
 The credibility rule: when a name is already cached, data from a more trusted source replaces data from a less trusted one.
 ○ Ex: trust levels in BIND
The DNS Name Revocation Vulnerability
 [Figure: the recursive resolver first learns the delegation from .com, then queries the phishing.com servers directly.]
 Referral from the parent (.com):
 ;; AUTHORITY SECTION
 phishing.com. NS ns.phishing.com. (TTL: 100)
 Reply from the child (phishing.com) servers, accepted by the resolver ("OK!!"):
 ;; AUTHORITY SECTION
 phishing.com. NS ns2.phishing.com. (TTL: 200)
 The delegation NS records are in bailiwick for the child, so the resolver overwrites the cached delegation, including its TTL, with the child's version.

Ghost Domain Names
 [Figure: the same exchange after phishing.com has been revoked at .com; the attacker still controls the phishing.com servers.]
 Original referral from the parent (.com):
 ;; AUTHORITY SECTION
 phishing.com. NS ns.phishing.com. (TTL: 100)
 Reply from the attacker's server:
 ;; AUTHORITY SECTION
 phishing.com. NS ns2.phishing.com. (TTL: value not captured from the slide)
 As long as the attacker keeps refreshing the cached delegation before it expires, the resolver never goes back to the parent and the revoked name remains resolvable.
Experiments: vulnerability testing of popular DNS implementations
 BIND 9.8.0-P4 (CVE )
 DJB dnscache 1.05 (CVE )
 Unbound (CVE )
 PowerDNS Recursor 3.3 (CVE )
 MaraDNS Deadwood (two entries on the slide; version numbers not captured)
 Microsoft DNS: Windows Server 2008 R2, Windows Server 2008 (CVE )

Experiments: vulnerability testing of public DNS servers
 Google DNS
 DNS Advantage
 OpenDNS
 Norton DNS
 GTEI DNS
Measurement
 19,045 open DNS resolvers were tested.
 Parameters:
 ○ TTL: 1800, 3600 (a third value was not captured from the slide)
 ○ Refresh rate: TTL/2, TTL/4, TTL/8

Results
 [Chart; only the values 70% and 10% survive from the slide.]

Geographic View
 [Map of the measured resolvers; not captured.]

Refresh Rate
 [Chart of results by refresh rate; not captured.]
Possible Defense Approaches
 Strengthening the bailiwick rule
 ○ Accept authority records only from the parent
 ○ Ex: MaraDNS
 Refining the credibility rule
 ○ Accept authority records from the child on the first reply
 ○ TTL constraints: update the records EXCEPT the TTL
 ○ Ex: Unbound
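The following toy model ties together the vulnerability slides, the measurement parameters (TTL and refresh rate) and the two defenses listed above. It is an added example written for this seminar write-up, not code from the paper or from any resolver; the zone names, TTLs and the three-way policy split are constructed assumptions. It shows that under the "refresh from child" behaviour a delegation revoked at the parent survives for as long as the simulation runs, while either defense lets it expire at the TTL originally learned from the parent.

```python
"""Toy model of a recursive resolver's delegation cache, illustrating the
ghost-domain refresh behaviour and the two defenses from the talk.

Added example: names, TTLs and the policy model are constructed assumptions,
not the code or exact behaviour of any real resolver.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class Policy(Enum):
    # Cache the child's authority NS with the child's (new) TTL: the behaviour
    # that lets a revoked delegation live on as a ghost domain.
    REFRESH_FROM_CHILD = "vulnerable"
    # Refine the credibility rule: take the child's NS data but keep the
    # expiry learned from the parent (the Unbound-style fix on the slide).
    KEEP_PARENT_TTL = "keep-ttl"
    # Strengthen the bailiwick rule: delegation NS records are accepted only
    # from the parent (the MaraDNS-style fix on the slide).
    PARENT_ONLY = "parent-only"


@dataclass
class NSRecord:
    zone: str
    nsdname: str
    expires_at: int  # absolute simulation time in seconds


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is at or below `zone` (the classic bailiwick check)."""
    return name == zone or name.endswith("." + zone)


class DelegationCache:
    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.ns: Dict[str, NSRecord] = {}

    def learn_from_parent(self, zone: str, nsdname: str, ttl: int, now: int) -> None:
        """A referral from the parent zone is authoritative for the delegation."""
        self.ns[zone] = NSRecord(zone, nsdname, now + ttl)

    def learn_from_child(self, zone: str, nsdname: str, ttl: int, now: int,
                         answering_zone: str) -> bool:
        """Authority-section NS records in a reply from the child's own servers.

        Returns True if the cached delegation was modified."""
        if not in_bailiwick(zone, answering_zone):
            return False                      # out-of-bailiwick data is dropped
        current = self.ns.get(zone)
        if current is None or current.expires_at <= now:
            return False                      # nothing cached to refresh
        if self.policy is Policy.PARENT_ONLY:
            return False                      # child may not touch the delegation
        if self.policy is Policy.KEEP_PARENT_TTL:
            self.ns[zone] = NSRecord(zone, nsdname, current.expires_at)
            return True
        self.ns[zone] = NSRecord(zone, nsdname, now + ttl)  # vulnerable refresh
        return True

    def lookup(self, zone: str, now: int) -> Optional[NSRecord]:
        rec = self.ns.get(zone)
        if rec is None or rec.expires_at <= now:
            return None
        return rec


def simulate(policy: Policy, ttl: int = 3600, refresh_interval: int = 1800,
             horizon: int = 86400) -> int:
    """Return the last time (s) at which the revoked delegation still resolved.

    The parent is consulted once at t=0; right after that the domain is
    revoked, so the parent never hands out the delegation again. The
    attacker-run child server keeps answering, and a client re-queries every
    `refresh_interval` seconds, mirroring the talk's TTL / refresh-rate setup.
    """
    zone = "phishing.example"           # constructed name
    cache = DelegationCache(policy)
    cache.learn_from_parent(zone, "ns.phishing.example", ttl, now=0)
    last_resolved, t = 0, 0
    while t < horizon:
        t += refresh_interval
        if cache.lookup(zone, t) is None:
            break                       # delegation expired: the ghost is gone
        last_resolved = t
        cache.learn_from_child(zone, "ns2.phishing.example", ttl, now=t,
                               answering_zone=zone)
    return last_resolved


if __name__ == "__main__":
    for policy in Policy:
        print(f"{policy.value:12s} last resolved at t={simulate(policy)}s")
```

Running the script prints one line per policy: the vulnerable policy keeps resolving until the 24-hour horizon, while both defenses stop at 1800 s, the last refresh before the parent's 3600 s TTL runs out. Raising `refresh_interval` above the TTL shows the other half of the talk's measurement: a ghost only survives if the refresh arrives before the cached delegation expires.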
Response from Industries
 Some new CVE entries
 ISC (vendor of BIND) published an advisory for the Ghost Domain vulnerability [link]
 The security team of Microsoft has been made aware of the problem, and a case has been created to track it