
江健, Tsinghua University; 梁锦津, Tsinghua University; 李康, University of Georgia; 李军, University of Oregon; 段海新, Tsinghua University; 吴建平, Tsinghua University. 19th NDSS (February 2012).

Outline
- Introduction
- Background
- The DNS Name Revocation Vulnerability
- Experiments
- Possible Defense Approaches
- Response from Industries
(A Seminar at Advanced Defense Lab, 2012/2/21)

Introduction
- While primarily used for legitimate purposes, domain names have also been heavily leveraged for malicious activities, e.g. botnets.
- A major endeavour in stopping these malicious activities has thus been identifying and deleting malicious domain names, e.g. Waledac and Rustock.

DNS Mechanism (figure): a client asks the recursive resolver for a name under phishing.com; the resolver follows the delegation from .com to phishing.com and caches the NS records of phishing.com for their TTL (in seconds).

Background: DNS response
- A DNS response consists of a Question Section, an Answer Section, an Authority Section and an Additional Section.
- DNS delegation, as seen in a referral:
  ;; ANSWER SECTION
  ;; AUTHORITY SECTION
  phishing.com.       IN NS  ns.phishing.com.
  ;; ADDITIONAL SECTION
  ns.phishing.com.    IN A

DNS Cache Update Policy
- The bailiwick rule: a resolver accepts only records that lie within the zone for which the responding server is authoritative.
- The credibility rule: when a newly received record conflicts with a cached one, the record from the more credible source wins, and data in an authoritative answer from a zone's own server outranks the referral data learned from its parent. Ex: trust levels in BIND.

The DNS Name Revocation Vulnerability (figure): the recursive resolver has cached the delegation learned from .com,
  ;; AUTHORITY SECTION
  phishing.com. NS ns.phishing.com.   TTL: 100
and then receives, in a reply from the phishing.com name server itself, the authority section
  ;; AUTHORITY SECTION
  phishing.com. NS ns2.phishing.com.  TTL: 200
Because the child's authoritative data is ranked as more credible than the parent's referral, the resolver accepts it ("OK!!") and overwrites the cached delegation, TTL included.

Ghost Domain Names (figure): the same exchange after phishing.com has been removed from .com. The resolver still holds the cached delegation (phishing.com. NS ns.phishing.com., TTL: 100). As long as the attacker queries the resolver for a name under phishing.com before that entry expires, the reply from the attacker's server (phishing.com. NS ns2.phishing.com. with a fresh TTL) renews the cached NS records, so the deleted domain stays resolvable indefinitely: a ghost domain.

Experiments: vulnerability testing of popular DNS implementations
- BIND 9.8.0-P4 (CVE )
- DJB dnscache 1.05 (CVE )
- Unbound (CVE )
- PowerDNS Recursor 3.3 (CVE )
- MaraDNS
- Deadwood
- Deadwood
- Microsoft DNS: Windows Server 2008 R2, Windows Server 2008 (CVE )

Experiments: vulnerability testing of public DNS servers
- Google
- DNS Advantage
- OpenDNS
- Norton
- GTEI DNS

Measurement
- 19,045 open DNS resolvers

Measurement
- TTL: 1800, 3600, …
- Refresh rate: TTL/2, TTL/4, TTL/8

Results (figure; the chart marks 70% and 10%)

Geographic View (figure)

Refresh Rate (figure)

Possible Defense Approaches
- Strengthening the bailiwick rule: accept authority records only from the parent. Ex: MaraDNS.
- Refining the credibility rule: accept authority records from the child only on the first reply.
- TTL constraints: update the records EXCEPT the TTL. Ex: Unbound.
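The cache-update policies on this slide, applied to the refresh exchange of the vulnerability slides, as an added example that is not part of the slides or the paper: a constructed toy model of one cached delegation, where `overwrite` stands for the pre-fix credibility rule and `parent_only`, `first_reply_only` and `keep_ttl` are my labels for the three defenses; the NS names, the TTL of 100 and the TTL/2 refresh interval are sample values.

```python
# Added example (not from the paper or any resolver's source): a toy model of a
# recursive resolver's cached delegation for one zone, used to compare the cache
# update policies discussed on the slides. All values are constructed.

class DelegationCache:
    """Holds the NS RRset a recursive resolver has cached for one zone."""

    def __init__(self, policy):
        self.policy = policy        # see learn_from_child()
        self.ns = None              # cached NS names
        self.expiry = None          # absolute time at which the RRset expires
        self.child_updates = 0      # child-supplied overwrites accepted so far

    def learn_from_parent(self, ns, ttl, now):
        # Delegation learned from the parent zone (.com): the normal path.
        self.ns, self.expiry, self.child_updates = ns, now + ttl, 0

    def resolvable(self, now):
        return self.expiry is not None and now < self.expiry

    def learn_from_child(self, ns, ttl, now):
        """Authority-section NS records seen in a reply from the child's own server."""
        if self.policy == "parent_only":           # stricter bailiwick rule (MaraDNS)
            return False
        if self.policy == "keep_ttl":              # data may change, TTL may not (Unbound)
            self.ns = ns
            return True
        if self.policy == "first_reply_only" and self.child_updates:
            return False                           # refined credibility rule
        # "overwrite": the credibility rule as implemented before the fixes
        self.ns, self.expiry = ns, now + ttl
        self.child_updates += 1
        return True


def revocation_lag(policy, ttl=100, refresh_every=50, horizon=1000):
    """Time at which phishing.com stops resolving after its delegation is removed
    from the parent at t=0, or None if it still resolves at the horizon."""
    cache = DelegationCache(policy)
    cache.learn_from_parent(["ns.phishing.com"], ttl, now=0)
    # From now on the parent no longer knows the zone; only the child's server answers.
    for now in range(refresh_every, horizon + 1, refresh_every):
        if cache.resolvable(now):   # the query still hits the cached delegation...
            cache.learn_from_child(["ns2.phishing.com"], ttl, now)  # ...and carries fresh NS data
    return None if cache.expiry > horizon else cache.expiry


if __name__ == "__main__":
    for policy in ("overwrite", "parent_only", "first_reply_only", "keep_ttl"):
        print(f"{policy:17s} -> stops resolving at t={revocation_lag(policy)}")
```

Refreshing slower than the TTL (refresh_every > ttl) lets the entry expire under every policy, which is why the measurement used refresh rates of TTL/2 and faster.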

Response from Industries
- Some new CVE entries.
- ISC (the vendor of BIND) published an advisory for the Ghost Domain vulnerability [link].
- Microsoft's security team is aware of the problem, and a case has been created to track it.
