Perils of Transitive Trust in the Domain Name System. Presented by Chen Xi.


Paper by Venugopalan Ramasubramanian and Emin Gün Sirer, Dept. of Computer Science, Cornell University.

The DNS namespace is hierarchically partitioned into non-overlapping regions called domains.

Every name resolution follows a fixed routine: it starts at the top of the DNS hierarchy and then follows the chain of delegation. This nameserver-delegation-based architecture creates complex inter-dependencies between names and nameservers.

Delegation graph: the dependencies among nameservers that directly or indirectly affect a domain name. It consists of the transitive closure of all nameservers involved in the resolution of a given name.
TCB (trusted computing base): the nameservers in the delegation graph of a domain name.
Value of a nameserver: proportional to the number of domain names that depend on that nameserver (high-leverage nameservers).

Risks of Transitive Trust
Unexpected nodes can exert great control over remote domains.
A client can be attacked if any of these nameservers is compromised.

Three problems identified by the authors
DNS is highly insecure due to the obscure dependencies between names and nameservers.
It is difficult to balance availability against security.
Existing high-leverage nameservers have little awareness of the security risks.

Survey among TLDs from three aspects: the most vulnerable names, the impact of known exploits, and the most valuable nameservers.

Results
15% of the 500 most popular websites depend on more than 200 nameservers.
45% of names are under peril (cache poisoning).
On average, 2.5 compromised servers suffice to attack a complete domain (a DoS on the non-vulnerable nameserver, coupled with the compromise of the other vulnerable bottleneck nameservers).
High-leverage nameservers have little motivation to take on the NNS task.
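To make the definitions of delegation graph, TCB and nameserver value concrete, and to show how a bottleneck nameserver (one whose loss alone breaks resolution, the DoS half of the attack described in the results) can be found, here is an added worked example. It is not code or data from the paper or the presentation; the NS records, zone names and nameserver host names (under the invented `.test` TLD) are constructed for illustration, and the treatment of in-bailiwick nameservers as always resolvable is a simplifying assumption standing in for glue records.

```python
"""Delegation graph, TCB size, nameserver value (leverage) and bottleneck
nameservers for DNS names, computed over a constructed set of NS records.
Added illustration of the paper's definitions, not its survey data or code."""

from collections import deque

# Constructed NS data: zone -> host names of the nameservers serving it.
# All names are invented; the hosting provider's server ns.hosting.test is
# deliberately shared by several unrelated zones.
NS_RECORDS = {
    ".": ["a.root.test"],
    "test.": ["a.tld.test", "b.tld.test"],
    "example.test.": ["ns1.example.test", "ns2.hosting.test"],
    "hosting.test.": ["ns.hosting.test"],
    "shop.test.": ["ns2.hosting.test"],
    "bank.test.": ["ns1.bank.test", "ns.hosting.test"],
}


def zones_of(name):
    """Ancestor zones of a name, root first, restricted to zones we know:
    'www.example.test.' -> ['.', 'test.', 'example.test.']."""
    labels = name.rstrip(".").split(".")
    zones = ["."]
    for i in range(len(labels) - 1, -1, -1):
        zone = ".".join(labels[i:]) + "."
        if zone in NS_RECORDS:
            zones.append(zone)
    return zones


def delegation_graph(name):
    """Transitive closure of nameservers involved in resolving `name`: the
    nameservers of every ancestor zone, plus (recursively) the nameservers
    needed to resolve those nameservers' own host names. This set is the
    name's TCB in the paper's terminology."""
    servers = set()
    seen = set()
    queue = deque([name])
    while queue:
        current = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        for zone in zones_of(current):
            for ns in NS_RECORDS[zone]:
                if ns not in servers:
                    servers.add(ns)
                    queue.append(ns)  # the nameserver's host name must be resolved too
    return servers


def nameserver_value(names):
    """Value (leverage) of each nameserver: how many of `names` have it in
    their delegation graph. Returned sorted, highest leverage first."""
    value = {}
    for name in names:
        for ns in delegation_graph(name):
            value[ns] = value.get(ns, 0) + 1
    return dict(sorted(value.items(), key=lambda kv: -kv[1]))


def resolvable(name, down, _in_progress=frozenset()):
    """Can `name` still be resolved when the nameservers in `down` are
    unavailable? Each ancestor zone needs at least one nameserver that is up
    and whose own host name is resolvable. A host name already being resolved
    higher up the recursion is treated as resolvable (assumption: this stands
    in for in-bailiwick glue records)."""
    if name in _in_progress:
        return True
    in_progress = _in_progress | {name}
    for zone in zones_of(name):
        if not any(ns not in down and resolvable(ns, down, in_progress)
                   for ns in NS_RECORDS[zone]):
            return False
    return True


def bottlenecks(name):
    """Nameservers in the delegation graph whose unavailability alone makes
    `name` unresolvable: the single points of failure a DoS would target."""
    return {ns for ns in delegation_graph(name) if not resolvable(name, {ns})}


if __name__ == "__main__":
    names = ["www.example.test.", "bank.test.", "shop.test."]
    for n in names:
        print(n, "TCB size:", len(delegation_graph(n)), "bottlenecks:", sorted(bottlenecks(n)))
    print("nameserver value:", nameserver_value(names))
```

Running it shows the paper's point in miniature: bank.test. never lists ns.hosting.test in its own zone file beyond one NS record, yet that single provider server sits in the delegation graph of all three names and has the highest leverage; shop.test., with one nameserver that itself depends on one nameserver, has three bottlenecks, while www.example.test. with two independent nameservers has only the (single, constructed) root server as a bottleneck.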

Stopgap measure
DNS was not originally designed with security in mind. To achieve name security on the Internet, network administrators should be aware of the vulnerabilities in DNS and be more diligent about where they place their trust.

One existing solution: DNSSEC
DNSSEC modifies DNS to add support for cryptographically signed responses. But DNSSEC continues to rely on the same physical delegation chains as DNS during lookups, so attackers can exploit the vulnerabilities outlined in this paper to launch DoS attacks on Web services and disrupt name resolution.

My idea on the problem
When relying on other domain servers to resolve a name, we can introduce Jun hai Luo's trust recommendation between domains. Servers with high trust recommendation in remote domains can be used to resolve the name.

Architecture (cited figure): a trust-recommendation graph with nodes i, j1 … jK and m, labelled with the trust values R_i, R_j, R_jk,m and R_i,m.