Prohibiting Redirection & Synthesized DNS Responses in Top Level Domains Mar 2010 Kuala Lumpur APTLD Meeting.

Redirection of DNS TLDs
Issue
– Wildcarding of DNS records at TLDs
– Provides “valid” address and routing even when domain names do not exist
Consequences
– Breaks core DNS systems & legacy applications
– Erodes trust relationships
– Creates new opportunities for malicious attacks, without ability of affected parties to mitigate the problem
Reference Document: SAC041

SSAC Advice: Clear & significant danger to the security & stability of the DNS

ICANN Board Resolution (June ’09): Take all available steps with appropriate entities to prohibit such use
– Prohibit redirection/synthesis for all TLDs (gTLD & ccTLD, including IDN TLDs)
– Revise new gTLD Guidebook
– Consult with ccTLD community/GAC for new ccTLDs
– Revise existing gTLD agreements
– Add appropriate guidelines to existing ccTLD arrangements
Reference Document: SAC041

Architectural Violation
Redirection at the TLD level violates fundamental Internet engineering principles
– The DNS protocol is neutral about which protocols it answers for
– Redirection assumes the HTTP protocol (web browsing)
All future protocols that depend on DNS are affected by redirection
– Unacceptable invasion of protocol boundaries
For example, HTTP could use DNS even though HTTP is a recent invention, due to clear layering

Most basic Internet tools break
Systems that test for “existence” of a host fail
– Spam filters stop working (all forged addresses now appear to be real)
– URL link checkers will fail (all links appear to be valid)
Systems that believe a host name is valid break
– Mail to a mis-typed address will not bounce anymore
– And the mail is delivered to a different address, without any notification or choice by the sender
– Search engines won’t be able to function as normal
And other software, applications, and equipment that depend upon the DNS “working” will break

Every Internet Application Is Affected
Requires testing of impact & side-effects on:
– Every mail server, mail agent
– Every instant message program and agent
– Every VOIP server, proxy and user agent
– Every parental control system
– Every anti-virus system
– Every license management system
– Every software update system
i.e., every application on the Internet

Data Privacy Laws May Be Violated
Misspelling of a domain would cause redirection to a different zone instead of a failed connection
In cross-border situations, this can cause a violation of privacy
The wildcard operator may now become liable for privacy breaches under law

Negative impact on e-commerce
HTTPS requests get spurious results
– The server is provided critical information about the security capabilities of the client browser (cryptography, data compression, etc.), now sent to an unknown source
– The browser may call the site invalid because the IP address/domain name of the SSL certificate does not match the request

Negative impact on SMTP ( )
Negative impact on the clarity and promptness of error reports returned to sending users
– No one will know what happened to the message, and it may take some time before anyone notices that it has disappeared, if anyone notices at all
– The recipient party suddenly has access to a mail message that was in no way intended for them, which is quite harmful from an integrity perspective
Wastes resources at mail operators (handling millions of mails per day)
– System resources are wasted on the sending mail server to keep track of the message and its status, to issue repeated DNS queries, to make repeated attempts to deliver it, etc.
Impacts the ability of mail servers to reject mail from illegitimate mail addresses (helps spammers)
– Spam is usually sent from non-existent mail domains; adding wildcards stops checks of non-existent domains, i.e., helps spammers

Negative Impact on DNS Resolver Search Lists
A DNS resolver search list allows users to specify partial domain names, where the resolver auto-completes the domain name
Adopted widely in commercial software: search lists are implemented in all Microsoft and UNIX systems
A user with a computer in the zone would have in their resolver’s search list
Allows users to type in to reach
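The failure modes on the last few slides (existence checks that stop failing, mail that no longer bounces, and search-list completion that lands on the registry's host) can all be reproduced against a toy resolver. The following is an added example written for this page, not code from the presentation or from SSAC/ICANN. The TLDs .example and .wild, the zone contents, the addresses and the probe_wildcard detection helper are all constructed for the illustration; the wildcard matching follows the RFC 4592 rule that a TLD-level wildcard only matches names whose second-level label is not delegated, which is why a typo in the second-level label is what gets "answered".

```python
"""Toy DNS model (constructed, queries nothing real) showing what a TLD-level
wildcard does to existence checks, MTA bounce decisions and resolver search
lists, plus a defender-side probe that detects synthesized answers."""
import secrets
from typing import Dict, List, Optional

NXDOMAIN = None  # None models RCODE 3: the name does not exist


def _sld(fqdn: str) -> str:
    """Second-level domain: the last two labels of a name."""
    return ".".join(fqdn.split(".")[-2:])


class MockResolver:
    """zones: TLD -> {fqdn: address}. A TLD in `wildcards` carries a '*.tld'
    record. The wildcard matches only names whose second-level label is not
    delegated; inside an existing domain the delegated zone answers NXDOMAIN."""

    def __init__(self, zones: Dict[str, Dict[str, str]], wildcards: Dict[str, str]):
        self.zones = zones
        self.wildcards = wildcards
        self.delegated = {tld: {_sld(n) for n in z} for tld, z in zones.items()}

    def lookup(self, fqdn: str) -> Optional[str]:
        tld = fqdn.rsplit(".", 1)[-1]
        zone = self.zones.get(tld, {})
        if fqdn in zone:
            return zone[fqdn]
        if _sld(fqdn) in self.delegated.get(tld, set()):
            return NXDOMAIN  # delegated zone is authoritative: no such host
        return self.wildcards.get(tld, NXDOMAIN)  # synthesized if TLD wildcarded


def host_exists_naive(r: MockResolver, fqdn: str) -> bool:
    """What legacy link checkers and sender-domain checks do: resolved == exists."""
    return r.lookup(fqdn) is not NXDOMAIN


def probe_wildcard(r: MockResolver, tld: str) -> Optional[str]:
    """Detection (hypothetical helper): query a random label nobody can have
    registered. An answer means the TLD synthesizes; return the address used."""
    return r.lookup(f"wcprobe-{secrets.token_hex(8)}.{tld}")


def host_exists_robust(r: MockResolver, fqdn: str) -> bool:
    """Existence check that survives wildcarding: an answer equal to the TLD's
    synthesized address is treated as NXDOMAIN. Limitation: a real host that
    legitimately shares that address is also reported as missing."""
    addr = r.lookup(fqdn)
    if addr is NXDOMAIN:
        return False
    return addr != probe_wildcard(r, fqdn.rsplit(".", 1)[-1])


def mta_disposition(r: MockResolver, recipient: str) -> str:
    """Simplified MTA decision (A-record fallback only, no MX handling): a
    mistyped recipient domain should bounce at once; under a wildcard the
    message is instead handed to the registry's host."""
    addr = r.lookup(recipient.split("@", 1)[1])
    return "bounce: domain does not exist" if addr is NXDOMAIN else f"deliver to {addr}"


def resolve_with_search_list(r: MockResolver, name: str, search: List[str],
                             ndots: int = 1) -> Optional[str]:
    """Stub-resolver search-list behaviour: a name with fewer than `ndots` dots
    is tried with each suffix first, then as-is; the first positive answer wins."""
    expansions = [f"{name}.{suffix}" for suffix in search]
    order = [name] + expansions if name.count(".") >= ndots else expansions + [name]
    for fqdn in order:
        addr = r.lookup(fqdn)
        if addr is not NXDOMAIN:
            return addr
    return NXDOMAIN


# Constructed zones: ".example" answers honestly, ".wild" has a TLD-level wildcard.
ZONES = {
    "example": {"intranet.corp.example": "192.0.2.10", "mail.corp.example": "192.0.2.11"},
    "wild": {"intranet.corp.wild": "192.0.2.20", "mail.corp.wild": "192.0.2.21"},
}
WILDCARDS = {"wild": "198.51.100.1"}  # the registry's landing-page address


def demo() -> dict:
    r = MockResolver(ZONES, WILDCARDS)
    return {
        # existence checks: "crop" is a typo of the delegated label "corp"
        "typo_strict_naive": host_exists_naive(r, "mail.crop.example"),
        "typo_wild_naive": host_exists_naive(r, "mail.crop.wild"),
        "typo_wild_robust": host_exists_robust(r, "mail.crop.wild"),
        "real_wild_robust": host_exists_robust(r, "mail.corp.wild"),
        "probe_strict": probe_wildcard(r, "example"),
        "probe_wild": probe_wildcard(r, "wild"),
        # mail: the same typo in a recipient address
        "mail_typo_strict": mta_disposition(r, "alice@mail.crop.example"),
        "mail_typo_wild": mta_disposition(r, "alice@mail.crop.wild"),
        # search lists: a short name, correct and mistyped
        "short_ok": resolve_with_search_list(r, "intranet", ["corp.wild", "wild"]),
        "short_typo_strict": resolve_with_search_list(r, "intrnet", ["corp.example", "example"]),
        "short_typo_wild": resolve_with_search_list(r, "intrnet", ["corp.wild", "wild"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20} {value}")
```

The search-list case is the one the slide is about: "intrnet" expands first to intrnet.corp.wild, which the delegated corp.wild zone correctly refuses, and then to intrnet.wild, which the TLD wildcard "answers" with the landing-page address, so the user never sees an error. The probe in probe_wildcard is the standard defensive test (resolve a random label under the TLD and compare), and host_exists_robust shows the cost the slide alludes to: every application that relies on NXDOMAIN has to grow this extra logic.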

Impact on IDN TLDs
IDN TLDs are deployed in, but are represented on the DNS in ASCII
Wildcards for IDN TLDs can cause unexpected behavior:
– Localization of content breaks
– A user may request a web page in and get a different page in, with no control

Redirection in .KR
Total .kr responses: 1.52 billion
– Normal .kr queries: 1.45 billion (96.73%)
– .kr DNS redirection: 2.5 million (0.17%)
Total .kr redirection: 2.5 million
– Hangul .kr domain names: 1.7 million (67%)
Solves IE6 problem:
– IE6 or earlier users can use Hangul .kr domain names without plug-ins
– Garbage traffic caused by using the wildcard character (*) in the .kr zone causes system overload

QUESTIONS?
Reference documents (need to complete): oct09-en.pdf