Perils of Transitive Trust in the Domain Name System Venugopalan Ramasubramanian Emin Gün Sirer Cornell University.


1 Perils of Transitive Trust in the Domain Name System Venugopalan Ramasubramanian Emin Gün Sirer Cornell University

2 How to 0wn the Internet in Your Spare Time? Part 2 Venugopalan Ramasubramanian Emin Gün Sirer Cornell University

3 Introduction
DNS is critical to the Internet
DNS architecture is based on delegations
– control for names is delegated to name servers designated by the name owner
delegations facilitate high scalability and decentralized administration
– what about security?

4 Dependencies for www.fbi.gov
[Figure: dependency graph for www.fbi.gov. Node labels: root, gov, com, net, fbi.gov, zoneedit.com, gov.zoneedit.com, gtld-servers.net, nstld.com, sprintip.com, sprintlink.net, telemail.net, vericenter.com, dns[,2].sprintip.com, ns[3,4,5,6].vericenter.com]

5 Subtle Dependencies in DNS
www.fbi.gov → 86 servers, 17 domains
www.cs.cornell.edu → cs.rochester.edu → cs.wisc.edu → itd.umich.edu → 48 nameservers, 20 domains
DNS dependencies are subtle and complex
are administrators aware of what they depend on?
increases risk of domain hijacks

6 Servers with Security Loopholes
www.cs.cornell.edu → [slate,cayuga].cs.rochester.edu
[Figure: dependency graph for www.fbi.gov. Node labels: fbi.gov, dns[,2].sprintip.com, ns[3,4,5,6].vericenter.com, sprintip.com, ns[1,2,3]-auth.sprintlink.net, reston-ns[1,3].telemail.net, reston-ns[2].telemail.net]
source: internet systems consortium (www.isc.org)

7 Survey Goals
1. Which domain names have large dependencies and entail high risk?
2. Which domains are affected by servers with known security holes and can be easily taken over?
3. Which servers control the largest portion of the namespace and are thus likely to be attacked?
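
Survey goals 1 and 2 amount to computing, for each name, the transitive closure of nameservers it depends on and checking that set against servers with known flaws. The sketch below is an added example, not code from the presentation or its authors; the zone data, the `.test` names and the flagged set are constructed, and the function names are hypothetical.

```python
from collections import deque

# Constructed delegation data under the reserved .test TLD (not survey data).
# Maps each zone to the nameserver host names its delegation lists.
ZONE_NS = {
    ".": ["ns.root.test"],
    "test": ["a.tld.test"],
    "agency.test": ["dns1.hosting-a.test", "ns3.hosting-b.test"],
    "hosting-a.test": ["ns1.isp.test"],
    "hosting-b.test": ["ns3.hosting-b.test"],
    "isp.test": ["ns1.isp.test", "ns.backup.test"],
    "backup.test": ["ns.backup.test"],
    "unrelated.test": ["ns.unrelated.test"],
}
# Hypothetical result of a version survey: servers with known flaws.
FLAGGED = {"ns.backup.test"}


def ancestor_zones(name, zone_ns):
    """Zones in zone_ns on the path from name up to the root."""
    labels = name.rstrip(".").split(".")
    candidates = [".".join(labels[i:]) for i in range(len(labels))] + ["."]
    return [z for z in candidates if z in zone_ns]


def dependency_closure(name, zone_ns):
    """Return (servers, zones) that can influence resolution of name."""
    servers, zones = set(), set()
    queue, seen = deque([name]), {name}
    while queue:
        host = queue.popleft()
        for zone in ancestor_zones(host, zone_ns):
            if zone in zones:
                continue
            zones.add(zone)
            for ns in zone_ns[zone]:
                servers.add(ns)
                # Resolving the nameserver's own name pulls in its zones too.
                if ns not in seen:
                    seen.add(ns)
                    queue.append(ns)
    return servers, zones


def audit(name, zone_ns=ZONE_NS, flagged=FLAGGED):
    """Summarise closure size and any flagged servers inside it."""
    servers, zones = dependency_closure(name, zone_ns)
    return {"servers": len(servers), "zones": len(zones),
            "flagged": sorted(servers & flagged)}


if __name__ == "__main__":
    print(audit("www.agency.test"))
```

In this constructed data agency.test lists only two nameservers directly, yet six servers in seven zones sit in its closure, including the flagged ns.backup.test that its own delegation never names.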

8 Survey Methodology
593160 domain names (Yahoo and Dmoz.org)
166771 name servers
535036 domains, 196 top-level domains

9 Most Vulnerable Names
Number of Dependencies
            All    Top 500
Mean         46         68
Max         604        342
Median       26         22

10 Most Vulnerable Names

11 Vulnerability to Security Flaws
survey of BIND version numbers
17% of servers have known loopholes [ISC]
45% of names are not totally safe
security through obscurity!
– more than 40% of servers hide version numbers
– 19/46 reports for cs.cornell.edu and 18/86 for fbi.gov

12 Vulnerability

13 Vulnerability to Security Flaws

14 Critical Assets

15 Most Valuable Nameservers
Top 5 Domains: arizona.edu, ucla.edu, uoregon.edu, nyu.edu, berkeley.edu

16 Conclusions
Domain names have subtle dependencies
– name-based delegations
High risk of domain hijacks
– well-known software loopholes
– leading to more effective phishing attacks
http://www.cs.cornell.edu/people/egs/beehive/codons.php

17

18 DNS-SEC
Security Standard for DNS based on public-key cryptography and digitally signed certificates
Not widely used currently
– security at delegation points
– authenticated denials
– islands of security
Does not eliminate name-based delegations

19 DNS Bottlenecks

20 Safe Bottlenecks

21 Safety

22 Dependencies

23 Critical Assets 2

24 Dependencies for www.fbi.gov
[Figure: dependency graph for www.fbi.gov. Node labels: www.fbi.gov, fbi.edgesuite.net, a33.g.akamai.net, edgesuite.net, akam.net, g.akamai.net, akamai.net, akamaitech.net, fbi.gov, gov, gov.zoneedit.com, zoneedit.com, com, net, gtld-servers.net, nstld.com, vericenter.com, ns[1-6].vericenter.com, ns[3,4,5,6].vericenter.com, sprintip.com, dns[,2].sprintip.com, ns[1,2,3]-auth.sprintlink.net, reston-ns[1,2,3].telemail.net]

