Security, For DNS and by DNS. ZHOU Yonglin, Beijing, Dec 6th, 2009.

DNS and Security: security FOR DNS, and security BY DNS

SECURITY, FOR DNS
– DNS attack handling
– Vulnerability handling
– DNS monitoring

5.19 "Storm Gate": attack flow against DNSPOD, 2009/05/18 21:00 (traffic chart)

5.19 "Storm Gate": general view of the recursive DNS query flow in China's networks, 05/18-05/19 (traffic chart)

Emergency Response
2009/5/19
– Monitor the abnormal flow against the DNS servers
– Analyze the abnormal flow against the DNS servers
2009/5/22
– Trace the attack origins against DNSPOD
2009/5/25
– Provide evidence for case cracking and prosecution

Other Attack Cases Against DNS
2009/6/9 9:30
– DDoS attack against 4 DNS servers of XinWangHuLian, Beijing(
– 0.5 million domain names got resolution failures
2009/7/3 3:00
– DDoS attack against DongNanRongTong, Xiamen
– Attack volume 300M; service outage lasting about 7 hours
2009/6/10-6/12
– DDoS attack against the XiWang dynamic DNS service system
– Service outage affected millions of enterprises and customers
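
Detection of the "abnormal flow" named in the emergency-response steps above, as an added example that is not part of the original slides. It assumes a BIND-style query log line ("<date> <time> <client-ip> query: <qname> IN <qtype>") and a constructed sample: ten quiet minutes, then one minute of flood from two sources. The per-minute bucketing and the 10x-median threshold are the example's own assumptions; the top-source list is what you would hand to the "trace the attack origins" step.

```python
"""Abnormal query-flow detection over a constructed recursive DNS query log.

Added example, not from the original slides. Assumes BIND-style query-log
lines; LOG_LINES below is constructed for the example.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: 10 quiet minutes (3 queries each), then one minute
# with 120 queries from two sources.
LOG_LINES = []
for m in range(10):
    for i in range(3):
        LOG_LINES.append(
            f"2009-05-18 20:{50 + m:02d}:{i * 20:02d} 192.0.2.{i + 1} "
            f"query: www.example.com IN A")
for s in range(120):
    LOG_LINES.append(
        f"2009-05-18 21:00:{s // 2:02d} 198.51.100.{1 + s % 2} "
        f"query: ddos.example.net IN A")


def parse(line):
    """Return (minute bucket, client ip, qname), or None for unparsable lines."""
    parts = line.split()
    if len(parts) < 7 or parts[3] != "query:":
        return None
    ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    return ts.replace(second=0), parts[2], parts[4]


def bucket_counts(lines):
    """Queries per minute, plus per-minute counts per source address."""
    counts = Counter()
    sources = defaultdict(Counter)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        bucket, ip, _qname = rec
        counts[bucket] += 1
        sources[bucket][ip] += 1
    return counts, sources


def detect_spikes(lines, baseline_buckets=5, factor=10):
    """Flag minutes whose query count exceeds factor x the median of the
    first baseline_buckets minutes (assumed threshold).
    Returns [(bucket, count, top-3 sources)] for the flagged minutes."""
    counts, sources = bucket_counts(lines)
    ordered = sorted(counts)
    base = median(counts[b] for b in ordered[:baseline_buckets])
    alerts = []
    for b in ordered[baseline_buckets:]:
        if counts[b] > factor * base:
            alerts.append((b, counts[b], sources[b].most_common(3)))
    return alerts


if __name__ == "__main__":
    for bucket, n, top in detect_spikes(LOG_LINES):
        print(bucket, n, "queries; top sources:", top)
```

On a real server the baseline should come from the same hour on previous days rather than the first few minutes of the file, and the per-source counts need the same treatment per qname, since the 5.19 flood was a query flood against particular domains rather than a flood from a few addresses.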

DNS spoofing (cache poisoning) vulnerability published by Dan Kaminsky, 2008 (CVE-2008-1447)

Metasploit 3.2

Emergency Response
2008/7/28
– Publish the vulnerability report on the CNCERT web site
– Convene telecommunication operators and DNS registry/registrars for information sharing
2008/7/29
– Monitor domain name hijacking
– Monitor attack flow against DNS services
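
One check an operator would run after the Kaminsky disclosure, to see which recursive resolvers still send every query from one fixed source port, added here as an example that is not from the slides or from CNCERT. It assumes you have captured (source port, transaction ID) pairs of a resolver's outbound queries, for instance by making it look up names in a zone whose authoritative server you control; the two sample sets are constructed, one for an unpatched resolver and one for a resolver with randomized source ports.

```python
"""Source-port / transaction-ID randomness check for a recursive resolver.

Added example, not from the slides. Observations are (src_port, txid) pairs
captured at an authoritative server you control; the samples are constructed.
"""
import math
import random
from collections import Counter


def shannon_bits(values):
    """Shannon entropy, in bits, of the observed values."""
    n = len(values)
    counts = Counter(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess(observations, min_port_bits=4.0):
    """Summarize randomness of source ports and transaction IDs.

    With N samples the maximum measurable entropy is log2(N), so
    min_port_bits (an assumed threshold) must be below that to be meaningful.
    A fixed source port leaves only the 16-bit txid for an attacker to guess,
    which is the condition Kaminsky's attack exploits.
    """
    ports = [p for p, _ in observations]
    txids = [t for _, t in observations]
    port_bits = shannon_bits(ports)
    txid_bits = shannon_bits(txids)
    fixed_port = len(set(ports)) == 1
    return {
        "port_bits": port_bits,
        "txid_bits": txid_bits,
        "total_bits": port_bits + txid_bits,
        "fixed_port": fixed_port,
        "vulnerable": fixed_port or port_bits < min_port_bits,
    }


# Constructed samples (32 queries each).
rng = random.Random(2009)
N = 32
# Unpatched resolver: random txid, but every query from port 53.
UNPATCHED = [(53, t) for t in rng.sample(range(65536), N)]
# Patched resolver: random ephemeral source port and random txid.
PATCHED = list(zip(rng.sample(range(1024, 65536), N), rng.sample(range(65536), N)))


if __name__ == "__main__":
    for label, obs in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(label, assess(obs))
```

The entropy figure only measures what was observed: a resolver that draws ports from a small fixed pool will look random over 32 samples, so collect a few hundred queries per resolver before acting on the verdict.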

BIND DoS vulnerability (CVE )
Report: 2009/07/28
– Debian bug report logs: # bind9 dies with assertion failure (db.c:579)
Detail:
– db.c:659: REQUIRE(type != ((dns_rdatatype_t)dns_rdatatype_any)) failed
– exiting (due to assertion failure)
Affected systems:
– ISC BIND 9.x, 0 <= x <= 6 (BIND 9.0 through 9.6)

Emergency Response
2009/7/29
– Verify and analyze the vulnerability
– Publish the BIND 9 critical vulnerability report
– Convene telecommunication operators for information sharing
2009/7/30
– Publish the BIND 9 vulnerability danger level and scope
– Convene registry and registrars for information sharing and a response proposal
2009/7/31
– Track the vulnerability patch progress

BIND DoS vulnerability: patch application monitoring, 07/31-09/17 (chart)
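
Two pieces of triage that go with the vulnerability report and the patch-progress tracking above, added here as an example (not from the slides or from CNCERT): scanning named logs for the exact assertion signature quoted on the slide, and ranking version strings collected from servers against the first fixed release of each BIND 9 branch. The fixed-release table is the example's own assumption and must be checked against ISC's advisory for this bug; the log excerpt is constructed.

```python
"""Triage for the BIND 9 assertion-failure DoS on the slides.

Added example, not from the slides. FIXED is an assumed table of first
fixed releases per branch (verify against ISC's advisory); LOG is constructed.
"""
import re

# The REQUIRE() text quoted on the slide; the line number varies by release.
CRASH_RE = re.compile(
    r"db\.c:\d+: REQUIRE\(type != \(\(dns_rdatatype_t\)dns_rdatatype_any\)\) failed")
EXIT_RE = re.compile(r"exiting \(due to assertion failure\)")

# Assumed first fixed release per maintained branch at the time (verify!).
FIXED = {
    (9, 4): (9, 4, 3, 3),   # 9.4.3-P3
    (9, 5): (9, 5, 1, 3),   # 9.5.1-P3
    (9, 6): (9, 6, 1, 1),   # 9.6.1-P1
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?")


def parse_version(s):
    """'9.6.1-P1' -> (9, 6, 1, 1); '9.4.2' -> (9, 4, 2, 0); None if unparsable."""
    m = VERSION_RE.match(s.strip())
    if not m:
        return None
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def is_vulnerable(version_string):
    """True/False for parsable BIND 9 versions, None when the string cannot
    be parsed (hidden or customized version.bind): route those to a manual
    check or to log inspection instead."""
    v = parse_version(version_string)
    if v is None:
        return None
    if v[0] != 9:
        return False
    branch = (v[0], v[1])
    if branch in FIXED:
        return v < FIXED[branch]
    # 9.0 to 9.3 were affected and out of support; later branches did not
    # exist at the time of the advisory.
    return v[1] <= 6


def scan_log(lines):
    """Indices of log lines carrying the crash REQUIRE or the exit message."""
    return [i for i, line in enumerate(lines)
            if CRASH_RE.search(line) or EXIT_RE.search(line)]


# Constructed named log excerpt.
LOG = [
    "28-Jul-2009 10:15:02.113 general: info: received control channel command 'reload'",
    "28-Jul-2009 10:16:40.221 general: critical: db.c:659: "
    "REQUIRE(type != ((dns_rdatatype_t)dns_rdatatype_any)) failed",
    "28-Jul-2009 10:16:40.222 general: critical: exiting (due to assertion failure)",
]


if __name__ == "__main__":
    print("crash lines:", scan_log(LOG))
    for v in ("9.4.3-P2", "9.4.3-P3", "9.6.1", "9.6.1-P1", "unknown"):
        print(v, is_vulnerable(v))
```

The version string comes from `dig @server version.bind chaos txt` when the operator has not hidden it; where it is hidden, the assertion text in the log is the reliable indicator that a server was hit.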

DNS Status and Domain Name Hijack Monitoring

SECURITY, BY DNS
– Conficker worm monitoring
– Passive domain monitoring
– Malicious server handling

Conficker sinkhole based on DNS. Supports Conficker.B (40+) and Conficker.C (400+).

Passive DNS Monitoring by Telecommunication Operators
– Behaviour-based analysis of abnormal domain names (botnet controller analysis)
– DNS server status analysis
– Request number for specific domain names
– Requesting client number for specific domain names
– IP reverse resolution: botnet controller domain names derived from an IP
– Tracking of malicious domain names

Behaviour-Based Controller Analysis: Abnormal Domain Names
darkroot.3322.org
zjddos.3322.org
haoj org
ashly.9966.org
magic org

DNS Server Status Analysis

Statistics of TLD Requests - TOP10 (request times and percentage; snapshot T20-55)
Rank  TLD
1     com
2     cn
3     net
4     org
5     in-addr.arpa
6     info
7     tv
8     biz
9     cc
10    ws

Statistics of Second Level Domain Name Requests - TOP10 (request times and percentage; snapshot T20-55)
Rank  SLD
1     qq.com
2     com.cn
3     sandai.net
4     baidu.com
5     tencent.com
6     360safe.com
7     xunlei.com
8     sohu.com
9     3322.org
10    taobao.com

IP Reverse Resolution
SELECT DISTINCT domain_name, time FROM pasv_dns_table WHERE ip = ' ';
Results (time, domain_name):
T06-25 www3.caishow.com
T06-25 s18.wo99.com
T06-25 wwwxjrsf.cn
T06-25 q8me.igap.bihu.com
T06-25 wap11.qqmail.com
T06-25 b0bfac4.iprophesy.com.cn
T06-25 event50.wanmei.com
T06-25 pfad.netmovie.com.cn
T05-50 gxway168cn.net
T05-50 e891.p.akamaiedge.net
T05-50 a1293.g.akamai.net
T05-50 a151.ce.w.tl88.net

Tracking Malicious Domain Name Records
SELECT DISTINCT time, domain_name, ip FROM pasv_dns_table WHERE domain_name = '114pc org';
Results: six records (time, domain_name, ip) for the domain, one per observed resolution
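
The passive-DNS queries and statistics of the preceding slides (TOP10 request tables, IP reverse resolution, domain tracking, request and client counts, and the behaviour-based controller analysis), rebuilt as one runnable example that is not part of the original presentation. It keeps an in-memory SQLite pasv_dns_table with constructed records; the column layout (time, domain_name, ip, client) and the client column are assumptions, the controller name darkroot.3322.org is taken from the slide, and every IP and every other name in the sample is constructed.

```python
"""Passive DNS analysis over an in-memory SQLite pasv_dns_table.

Added example; not part of the original slides. Schema and the 'client'
column are assumptions; RECORDS is constructed.
"""
import sqlite3

# Constructed records: (time, domain_name, ip, client).
RECORDS = [
    ("2009-10-01T05:50", "e891.p.akamaiedge.net", "203.0.113.7",   "10.0.0.3"),
    ("2009-10-01T06:25", "www3.caishow.com",      "203.0.113.7",   "10.0.0.1"),
    ("2009-10-01T06:25", "s18.wo99.com",          "203.0.113.7",   "10.0.0.2"),
    ("2009-10-01T06:30", "www.qq.com",            "203.0.113.20",  "10.0.0.1"),
    ("2009-10-01T06:31", "www.qq.com",            "203.0.113.20",  "10.0.0.2"),
    ("2009-10-01T06:32", "www.qq.com",            "203.0.113.20",  "10.0.0.3"),
    # Controller name from the slide; it keeps moving between addresses.
    ("2009-10-01T06:00", "darkroot.3322.org",     "198.51.100.5",  "10.0.0.4"),
    ("2009-10-01T08:00", "darkroot.3322.org",     "198.51.100.9",  "10.0.0.4"),
    ("2009-10-01T10:00", "darkroot.3322.org",     "198.51.100.22", "10.0.0.5"),
    ("2009-10-01T12:00", "darkroot.3322.org",     "198.51.100.31", "10.0.0.4"),
]


def tld(name):
    """Last label, except reverse-mapping names keep 'in-addr.arpa' whole,
    as the slides' TOP10 TLD table does."""
    labels = name.lower().rstrip(".").split(".")
    if labels[-1] == "arpa" and len(labels) >= 2:
        return ".".join(labels[-2:])
    return labels[-1]


def sld(name):
    """Last two labels, so 'com.cn' counts as an SLD as on the slides."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def load(records):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pasv_dns_table (time TEXT, domain_name TEXT, ip TEXT, client TEXT)")
    db.executemany("INSERT INTO pasv_dns_table VALUES (?, ?, ?, ?)", records)
    db.create_function("tld", 1, tld)
    db.create_function("sld", 1, sld)
    return db


def top_requests(db, key, limit=10):
    """Request times and percentage per TLD or SLD, like the TOP10 slides.
    `key` names a registered SQL function, so it is whitelisted rather than
    interpolated from user input."""
    if key not in ("tld", "sld"):
        raise ValueError("key must be 'tld' or 'sld'")
    total = db.execute("SELECT count(*) FROM pasv_dns_table").fetchone()[0]
    rows = db.execute(
        f"SELECT {key}(domain_name) AS k, count(*) AS n FROM pasv_dns_table "
        "GROUP BY k ORDER BY n DESC, k LIMIT ?", (limit,)).fetchall()
    return [(k, n, round(100.0 * n / total, 1)) for k, n in rows]


def reverse_resolution(db, ip):
    """The slide's first query: names that resolved to one IP."""
    return db.execute(
        "SELECT DISTINCT domain_name, time FROM pasv_dns_table "
        "WHERE ip = ? ORDER BY time, domain_name", (ip,)).fetchall()


def track_domain(db, domain):
    """The slide's second query: resolution history of one name."""
    return db.execute(
        "SELECT DISTINCT time, domain_name, ip FROM pasv_dns_table "
        "WHERE domain_name = ? ORDER BY time", (domain,)).fetchall()


def domain_stats(db, domain):
    """Request number, distinct requesting clients and distinct answer IPs."""
    n, clients, ips = db.execute(
        "SELECT count(*), count(DISTINCT client), count(DISTINCT ip) "
        "FROM pasv_dns_table WHERE domain_name = ?", (domain,)).fetchone()
    return {"requests": n, "clients": clients, "ips": ips}


def suspicious_controllers(db, min_ips=3):
    """Crude behaviour-based flag (assumed heuristic): a name that has been
    seen at many different IPs but is asked for by fewer clients than it has
    addresses looks like a relocating controller rather than a CDN name."""
    rows = db.execute(
        "SELECT domain_name, count(DISTINCT ip) AS ips, count(DISTINCT client) AS clients "
        "FROM pasv_dns_table GROUP BY domain_name HAVING ips >= ?", (min_ips,)).fetchall()
    return [(d, ips, clients) for d, ips, clients in rows if ips > clients]


if __name__ == "__main__":
    db = load(RECORDS)
    print(top_requests(db, "tld"))
    print(reverse_resolution(db, "203.0.113.7"))
    print(track_domain(db, "darkroot.3322.org"))
    print(suspicious_controllers(db))
```

On operator-scale data the same queries run against a real passive-DNS store keyed on (domain_name, ip) with first-seen and last-seen timestamps; the heuristic in suspicious_controllers is only a starting filter and needs the whitelist of CDN and large-site names that dominate the TOP10 tables.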

Malicious Server Handling by Hitting Domains
In the past 12 months, about 567 domains used by malicious servers have been stopped.
– WHO: CNCERT, CNNIC, Chinese registrars
– WHAT: Trojan or botnet control servers; malware sample download sources; phishing page hosting sites, etc.
– WHEN: general duty; special events assurance (Beijing Olympics, National Day celebration, National Games, etc.)

Malicious Domain Name Blacklist (domain-black-list.txt, excerpt)
rbl.efnet.org
rbl.efnetrbl.org
s.rizon.net
shrikehosting.Com
uploader.me.uk
waxs.kaist.ac.kr

SECURITY, FOR DNS AND BY DNS
For DNS: DNS attack handling; vulnerability handling; DNS monitoring
By DNS: Conficker worm monitoring; passive domain monitoring; malicious server handling