Presentation is loading. Please wait.

Presentation is loading. Please wait.

11 November 2001 Marina del Rey GAC meeting Vulnerabilities in the Internet Jaap Akkerhuis.

Published byEdwina Irma Quinn Modified over 9 years ago

Similar presentations

Presentation on theme: "11 November 2001 Marina del Rey GAC meeting Vulnerabilities in the Internet Jaap Akkerhuis."— Presentation transcript:

1 11 November 2001 Marina del Rey GAC meeting Vulnerabilities in the Internet Jaap Akkerhuis

2 11 November 2001 Marina del Rey GAC meeting Disclaimer •Simplistic generalizations – Not a network architecture course – Not a DNS course •Touching only some points – broad overview, not limited to the events of the 11 th •More analysis needed – especially on details •Terminology Internet related

3 11 November 2001 Marina del Rey GAC meeting Overview •Two Perceptions of the event •Effects of the Network Damage •ISP experiences •TLD DNS vulnerabilities •Closing Remarks

4 11 November 2001 Marina del Rey GAC meeting Personal experience •Sister in Manhattan (Houston) •Was impossible to reach by phone •E-mail took less then 7 minutes –2 min. to provider, 5 to me •clock skew? – everything is ok •Big Failure: Phone System

5 11 November 2001 Marina del Rey GAC meeting Honeyman's Experience •University of Michigan –Networking, cryptography, smart cards •Got called •No www.cnn.com or similar •No Television, used Radio •Big Failure: Internet

6 11 November 2001 Marina del Rey GAC meeting What was going on? •The network was out? –Cnn.com is an end point •Much more traffic then usual •http is transaction oriented –E-Mail is lightweight •easy to route •Phone was out? –not really (8 hours) •Perception

7 11 November 2001 Marina del Rey GAC meeting Measurements •Matrix.net (MIDS) monitors continuously – Last 14 years •View of the world from Austin Texas – 60,000 sites every 15 minutes – beacon list contains over 10,000 entries – ICMP ECHO (PING) and HTTP – probes from 100 points around the world •Data supplied Peter Salus

8 11 November 2001 Marina del Rey GAC meeting Legenda 1: World ISP 1000 2:WEB 3: DNS TLD Servers 4: Internet

9 11 November 2001 Marina del Rey GAC meeting The Attack

10 11 November 2001 Marina del Rey GAC meeting Effects •WTC was major communication hub •Telehouse (NY IX) close to WTC •Lots of lines went out •Rerouting takes some time

11 11 November 2001 Marina del Rey GAC meeting Hurricane Floyd 1: WEB 2:Internet

12 11 November 2001 Marina del Rey GAC meeting Events surrounding 11 Sept.

13 11 November 2001 Marina del Rey GAC meeting Events following 11 th •Anticipating Power Failure of Telehouse – ISPs set up extra peering at exchanges – Big operators helped out competitors – Extra multi homing by various ISPs

14 11 November 2001 Marina del Rey GAC meeting Comparable Outage: AMS-IX •Amsterdan Internet Exchange (July 2001) – one of the major European IXs •Problems –two out of three locations •Hardware problems –triggered by specific multi vendor combinations •Took a week to solve

15 11 November 2001 Marina del Rey GAC meeting Phenomena in Europe •Medium sized Dutch ISP •Big International ISP

16 11 November 2001 Marina del Rey GAC meeting Experiences ISP  W •Description of operation –Medium sized Dutch ISP –10 year in business –Transit with Telehouse (Broadway 25) –Major peering as well –Hosting farm at Telehouse –Minor peering at AMS-IX

17 11 November 2001 Marina del Rey GAC meeting Experiences ISP  W •Extra measures –more peering & alternative transit •Result –transit OK –hosting farm 1 week out

18 11 November 2001 Marina del Rey GAC meeting Experiences ISP  W •Lessons learned –Network designed with redundancy –Need to think about more then the network security •Transatlantic cable cut (3 weeks ago) was worse –18 hours down

19 11 November 2001 Marina del Rey GAC meeting Reflections by BIG ISP on 11 th •Lots of extra transit –Need to be flexible –Strong arm the CFO •Lots of multi homing set up –Grow of routing tables (20%) •Not always effective –Routing policies of other ISPs –Router memory exhaustion

20 11 November 2001 Marina del Rey GAC meeting Reflections by BIG ISP •Costs of redundancy policies –Threefold redundancy in transatlantic cables •in the end, it's all economics •Transit at internet exchanges –Single point of failure •Routing aggregations policies (Ripe NCC) –Trims size of routing tables –Uses more IP address space

21 11 November 2001 Marina del Rey GAC meeting TLD DNS Vulnerabilities •DNS: Hierarchical distributed structure and name resolving •Specific examples are neutral –using.nl,.de,.uk,.be, se. to protect the innocent •Results: useless statistics, needs further study

22 11 November 2001 Marina del Rey GAC meeting Root zone file analysis •Resource Records: 1859 –1 SOA record –1 TXT record •255 TLDs –1216 Name server (delegation) records •example: NL. 172800 IN NS SUNIC.SUNET.SE. – 5 records per tld –641 Glue records •SUNIC.SUNET.SE. 172800 IN A 192.36.125.2 – less then 3 per tld

23 11 November 2001 Marina del Rey GAC meeting Root zone analysis (cont.) •No. of root servers: 13 •TLDs sharing in root name servers –ARPA. 172800 IN NS A.ROOT-SERVERS.NET.. 13 ARPA. 9 EDU. 9 GOV. 9 MIL. 5 SE. 1

24 11 November 2001 Marina del Rey GAC meeting TLDs with specific nameservers #TLD in #name servers 1 10 3 13 14 8 22 7 30 4 44 3 45 5 45 2 48 6 NL. 172800 IN NS SUNIC.SUNET.SE.

25 11 November 2001 Marina del Rey GAC meeting # of Name servers for TLDs #NS serving #TLD 1 69 1 62 1 44 1 40 1 27 1 24 1 23 1 17 2 9 3 6 4 8 4 7 5 5 13 4 28 3 56 2 495 1

26 11 November 2001 Marina del Rey GAC meeting Closing Remarks supported by de. and nl. •The packet switched internet network works –Control structure distributed by nature –Don't fix problems by adding central control – Strengthen the distributed control •More risk analysis needed –Network level –DNS implementation

Download ppt "11 November 2001 Marina del Rey GAC meeting Vulnerabilities in the Internet Jaap Akkerhuis."

Similar presentations

(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.

(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.
Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.1 Prevent DoS using IP source address spoofing MATSUZAKI ‘maz’ Yoshinobu.

06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.1 Prevent DoS using IP source address spoofing MATSUZAKI ‘maz’ Yoshinobu.
Self-Managing Anycast Routing for DNS

Self-Managing Anycast Routing for DNS
6.033: Intro to Computer Networks Layering & Routing Dina Katabi & Sam Madden Some slides are contributed by N. McKewon, J. Rexford, I. Stoica.

6.033: Intro to Computer Networks Layering & Routing Dina Katabi & Sam Madden Some slides are contributed by N. McKewon, J. Rexford, I. Stoica.
Net security - budi rahardjo Overview of Network Security Budi Rahardjo CISCO seminar 13 March 2002.

Net security - budi rahardjo Overview of Network Security Budi Rahardjo CISCO seminar 13 March 2002.
Yerevan, July 11, 20121 Armenian edition of Jovan Kurbalija’s book “Internet Governance” I.Mkrtumyan, ISOC AM H.Baghyan, MediaEducation Center.

Yerevan, July 11, Armenian edition of Jovan Kurbalija’s book “Internet Governance” I.Mkrtumyan, ISOC AM H.Baghyan, MediaEducation Center.
Module 5 - Switches CCNA 3 version 3.0 Cabrillo College.

Module 5 - Switches CCNA 3 version 3.0 Cabrillo College.
11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.

11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.
Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.

Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
1 DNS. 2 BIND DNS –Resolve names to IP address –Resolve IP address to names (reverse DNS) BIND –Berkeley Internet Name Domain system Version 4 is still.

1 DNS. 2 BIND DNS –Resolve names to IP address –Resolve IP address to names (reverse DNS) BIND –Berkeley Internet Name Domain system Version 4 is still.
The Domain Name System Overview Introduction DNS overview How DNS helps us? Summary.

The Domain Name System Overview Introduction DNS overview How DNS helps us? Summary.
Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.

Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.
CSE331: Introduction to Networks and Security Lecture 9 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 9 Fall 2002.
Ch.6 - Switches CCNA 3 version 3.0.

Ch.6 - Switches CCNA 3 version 3.0.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
The Domain Name System Unix System Administration Download PowerPoint Presentation.

The Domain Name System Unix System Administration Download PowerPoint Presentation.
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
1/25/2000 Active Names: Flexible Location and Transport of Wide-Area Resources Luis Rivera.

1/25/2000 Active Names: Flexible Location and Transport of Wide-Area Resources Luis Rivera.

Similar presentations

Ads by Google