
江健, Tsinghua University 梁锦津, Tsinghua University 李康, University of Georgia 李军, University of Oregon 段海新, Tsinghua University 吴建平, Tsinghua University 19.


1 江健, Tsinghua University; 梁锦津, Tsinghua University; 李康, University of Georgia; 李军, University of Oregon; 段海新, Tsinghua University; 吴建平, Tsinghua University. 19th NDSS (February 2012)

2 Outline
• Introduction
• Background
• The DNS Name Revocation Vulnerability
• Experiments
• Possible Defense Approaches
• Response from Industries
2012/2/21 A Seminar at Advanced Defense Lab

3 Introduction
• While primarily used for legitimate purposes, domain names have also been heavily leveraged by malicious activities. Ex: botnets
• A major endeavour in stopping these malicious activities has thus been identifying and deleting malicious domain names. Ex: Waledac and Rustock

4 DNS Mechanism (diagram: client, Recursive Resolver, .com, .phishing.com; resolver Cache: NS of .phishing.com, TTL: 86400 sec)

5 Background
• DNS response: Question Section, Answer Section, Authority Section, Additional Section
• DNS Delegation:
  ;; ANSWER SECTION
  ;; AUTHORITY SECTION
  phishing.com. 86400 IN NS ns.phishing.com.
  ;; ADDITIONAL SECTION
  ns.phishing.com. 86400 IN A 10.0.0.1

6 DNS Cache Update Policy
• The bailiwick rule
• The credibility rule. Ex: Trust levels in BIND 9.4.1

7 The DNS Name Revocation Vulnerability (diagram: .com, .phishing.com, Recursive Resolver)
  ;; AUTHORITY SECTION
  phishing.com. NS ns.phishing.com. TTL: 100
  ;; AUTHORITY SECTION
  phishing.com. NS ns2.phishing.com. TTL: 200
  OK!!

8 Ghost Domain Names (diagram: .com, .phishing.com, Recursive Resolver, Attacker)
  ;; AUTHORITY SECTION
  phishing.com. NS ns.phishing.com. TTL: 100
  ;; AUTHORITY SECTION
  phishing.com. NS ns2.phishing.com. TTL: 86400

9 Experiments
• Vulnerability testing of popular DNS implementations:
  Implementation      Versions tested                            CVE
  BIND                9.8.0-P4                                   CVE-2012-1033
  DJB dnscache        1.05                                       CVE-2012-1191
  Unbound             1.4.11, 1.4.7                              CVE-2012-1192
  PowerDNS Recursor   3.3                                        CVE-2012-1193
  MaraDNS             Deadwood-3.0.03, Deadwood-2.3.05
  Microsoft DNS       Windows Server 2008 R2, Windows Server 2008 CVE-2012-1194

10 Experiments
• Vulnerability testing of public DNS servers: Google, DNS Advantage, OpenDNS, Norton, GTEI DNS

11 Measurement
• 19,045 open DNS resolvers

12 Measurement
• TTL: 1800, 3600, 14400
• Refresh rate: TTL/2, TTL/4, TTL/8

13 Results (chart; only the labels 70% and 10% survive from the slide)

14 Geographic View (map slide)

15 Refresh Rate (chart slide)

16 Possible Defense Approaches
• Strengthening the bailiwick rule: accept authority records only from the parent
  ○ Ex: MaraDNS
• Refining the credibility rule: accept authority records from the child on the first reply
• TTL constraints: update the records EXCEPT the TTL
  ○ Ex: Unbound 1.4.11
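To make the cache-update policies on this slide concrete, here is a toy simulation written for this transcript (it is not code from the paper, the talk, or any of the resolvers named). It models one cached NS record for the zone from slides 7 and 8, an integer clock in seconds, and a zone server that repeats its own NS record in the authority section of every reply. It then compares the vulnerable "overwrite data and TTL" behaviour with the three defenses: parent-only authority records (MaraDNS), "update the records EXCEPT the TTL" (Unbound 1.4.11), and a first-reply-only rule. The first-reply rule is this example's own reading of the slide (the child's NS record is honoured once after a parent referral, then ignored until the resolver goes back to the parent), and the policy names, the `ResolverCache` class and the `first_unresolvable_time` helper are all this example's inventions. The TTLs and refresh rates in the main block are the ones from the measurement slide.

```python
"""Added example, not code from the paper or this talk: a toy recursive
resolver cache that shows why a delegation can outlive its removal from the
parent zone and how different cache-update policies change that.
Simplifications: one NS record per zone, an integer clock in seconds, and a
zone server that repeats its NS record in the authority section of every
reply."""
from dataclasses import dataclass
from typing import Dict, Optional

ZONE = "phishing.com."       # the zone name used on the slides

# Cache-update policies.  NAIVE is the vulnerable behaviour; the other three
# follow the defense slide.  FIRST_REPLY is this example's reading of
# "accept authority records from child on the first reply": the child's NS
# record is honoured once after a parent referral, then ignored until the
# resolver goes back to the parent.
NAIVE = "naive"              # overwrite data and TTL
FIXED_TTL = "fixed_ttl"      # update data, keep the old expiry (Unbound 1.4.11)
PARENT_ONLY = "parent_only"  # delegation NS only from the parent (MaraDNS)
FIRST_REPLY = "first_reply"  # child NS accepted once per parent referral


@dataclass
class CachedNS:
    target: str      # NS host name
    expires_at: int  # absolute time, seconds
    source: str      # "parent" or "child"


class ResolverCache:
    def __init__(self, policy: str) -> None:
        self.policy = policy
        self.ns: Dict[str, CachedNS] = {}

    def store_from_parent(self, zone: str, target: str, ttl: int, now: int) -> None:
        """Delegation learned from the parent (.com) referral."""
        self.ns[zone] = CachedNS(target, now + ttl, "parent")

    def store_from_child(self, zone: str, target: str, ttl: int, now: int) -> bool:
        """Authority-section NS record in a reply from the zone's own server.
        Returns True if the cached entry was changed."""
        current = self.ns.get(zone)
        if current is None or current.expires_at <= now:
            return False  # nothing valid cached: the resolver must ask the parent
        if self.policy == PARENT_ONLY:
            return False
        if self.policy == FIRST_REPLY and current.source == "child":
            return False
        if self.policy == FIXED_TTL:
            self.ns[zone] = CachedNS(target, current.expires_at, "child")
        else:  # NAIVE, or the one update FIRST_REPLY allows
            self.ns[zone] = CachedNS(target, now + ttl, "child")
        return True

    def resolvable(self, zone: str, now: int) -> bool:
        entry = self.ns.get(zone)
        return entry is not None and entry.expires_at > now


def first_unresolvable_time(policy: str, ttl: int, refresh_every: int,
                            horizon: int) -> Optional[int]:
    """Worst case for the resolver: it caches the delegation at t=0, the
    parent deletes it immediately afterwards, and the zone's server answers a
    query every refresh_every seconds with a fresh authority NS record.
    Returns the first time the zone can no longer be resolved, or None if it
    is still resolvable at the end of horizon."""
    cache = ResolverCache(policy)
    cache.store_from_parent(ZONE, "ns.phishing.com.", ttl, 0)
    t = refresh_every
    while t < horizon:
        if not cache.resolvable(ZONE, t):
            return t
        cache.store_from_child(ZONE, "ns2.phishing.com.", ttl, t)
        t += refresh_every
    return None


if __name__ == "__main__":
    WEEK = 7 * 86400
    for ttl in (1800, 3600, 14400):       # TTLs from the measurement slide
        for divisor in (2, 4, 8):         # refresh rates TTL/2, TTL/4, TTL/8
            cells = []
            for policy in (NAIVE, FIXED_TTL, PARENT_ONLY, FIRST_REPLY):
                gone = first_unresolvable_time(policy, ttl, ttl // divisor, WEEK)
                label = "alive after a week" if gone is None else "gone at %ds" % gone
                cells.append(policy + ": " + label)
            print("TTL %5ds, refresh every %5ds -> " % (ttl, ttl // divisor) + "; ".join(cells))
```

Running it shows the shape of the problem: under the naive policy the zone is still resolvable after a week for every TTL and refresh rate, because each accepted reply pushes the expiry forward; under the fixed-TTL and parent-only policies it disappears exactly when the original delegation's TTL runs out; and under the first-reply rule it survives at most one extra TTL. The point for a defender is that keeping the original expiry (rather than refusing child data outright) is enough to bound how long a removed delegation can linger.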

17 Response from Industries
• Some new CVE entries
• ISC (vendor of BIND) published an advisory for the vulnerability about Ghost Domain [link]
• The security team of Microsoft has been aware of the problem, and a case has been created to track it


