Presentation is loading. Please wait.

Presentation is loading. Please wait.

Perils of Transitive Trust in the Domain Name System Chen Xi Chen Xi.

Published byGavin Gaines Modified over 8 years ago

Similar presentations

Presentation on theme: "Perils of Transitive Trust in the Domain Name System Chen Xi Chen Xi."— Presentation transcript:

1 Perils of Transitive Trust in the Domain Name System Chen Xi Chen Xi

2 Venugopalan Ramasubramanian &Emin Gun Sirer Dept. of Computer Science Cornell University

3 DNS namespace is hierarchically partitioned into non overlapping regions called domains.

4 Every name resolving process will follow a certain routine starting from the top of the DNS hierarchy then following the chain of delegation. Nameserver delegation based architecture complex inter-dependencies between names and nameservers

5 Delegation graph: the dependencies among nameservers that directly or indirectly affect a domain name. it consists of the transitive closure of all name servers involved in the resolution of a given name. TCB (trusted computing base ): the nameservers in the delegation graph of a domain name value of a nameserver: is proportional to the number of domain names which depend on that nameserver. (high-leverage nameservers)

6 Risks of Transitive Trust Unexpected nodes to exert great control over remote domains Client can be attacked if any of these namesevers is compromised.

7 3 problems proposed by author DNS is highly insecure due to the obscure dependencies between names and nameservers difficult to make a balance between the availability and security existing high-leverage nameservers have little awareness of the security risks.

8 Surveys amon TLD from 3 aspects the most vulnerable names Impact of Known Exploits Most Valuable Nameservers

9 Results 15% of the 500 most popular websites depend on more than 200 nameservers. 45% names under perils (poisoning ) 2.5 compromised servers can attack the complete domain on average (a DoS on the non-vulnerable nameserver, coupled with the compromise of the other vulnerable bottleneck nameservers) high-leverage nameservers have little motivation to take on NNS task.

10 Stopgap measure DNS was not originally designed with security in mind. achieve name security on the Internet Network administrators should be aware of the vulnerabilities in DNS more diligent about where they place their trust

11 One existing solution DNSSEC modifies DNS to add support for cryptographically signed responses. But DNSSEC continues to rely on the same physical delegation chains as DNS during lookups. attackers can exploit vulnerabilities outlined in this paper to launch DoS attacks on Web services and disrupt name resolutionDNSSEC

12 My idea on the problem When rely on other domain servers to resolve a name, we can introduce the Jun hai Luo ’ s trust recommendation between domains. Servers with high trust recommendation in remote domains can be used to resolve the name.

13 Architecture (cited) 2016-5-3113 ij2j2 jKjK j1j1 … K R i R jk,m R j R i,m m

Download ppt "Perils of Transitive Trust in the Domain Name System Chen Xi Chen Xi."

Similar presentations

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.
DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.

Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.
Network Innovation using OpenFlow: A Survey

Network Innovation using OpenFlow: A Survey
Perils of Transitive Trust in the Domain Name System Emin Gün Sirer joint work with Venugopalan Ramasubramanian Cornell University.

Perils of Transitive Trust in the Domain Name System Emin Gün Sirer joint work with Venugopalan Ramasubramanian Cornell University.
Perils of Transitive Trust in the Domain Name System Venugopalan Ramasubramanian Emin Gün Sirer Cornell University.

Perils of Transitive Trust in the Domain Name System Venugopalan Ramasubramanian Emin Gün Sirer Cornell University.
A Peer-to-Peer DNS Ilya Sukhar Venugopalan Ramasubramanian Emin Gün Sirer Cornell University.

A Peer-to-Peer DNS Ilya Sukhar Venugopalan Ramasubramanian Emin Gün Sirer Cornell University.
Information-Centric Networks03c-1 Week 3 / Paper 3 The design and implementation of a next generation name service for the Internet –Venugopalan Ramasubramanian.

Information-Centric Networks03c-1 Week 3 / Paper 3 The design and implementation of a next generation name service for the Internet –Venugopalan Ramasubramanian.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Hitesh Ballani, Paul Francis(Cornell University) Presenter: Zhenhua Liu Date: Mar. 16 th, 2009.

Hitesh Ballani, Paul Francis(Cornell University) Presenter: Zhenhua Liu Date: Mar. 16 th, 2009.
An Authentication Service Based on Trust and Clustering in Wireless Ad Hoc Networks: Description and Security Evaluation Edith C.H. Ngai and Michael R.

An Authentication Service Based on Trust and Clustering in Wireless Ad Hoc Networks: Description and Security Evaluation Edith C.H. Ngai and Michael R.
Dept. of Computer Science & Engineering, CUHK1 Trust- and Clustering-Based Authentication Services in Mobile Ad Hoc Networks Edith Ngai and Michael R.

Dept. of Computer Science & Engineering, CUHK1 Trust- and Clustering-Based Authentication Services in Mobile Ad Hoc Networks Edith Ngai and Michael R.
UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Mitigating DNS DoS Attack Presented by Fei Hu.

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Mitigating DNS DoS Attack Presented by Fei Hu.
An Authentication Service Against Dishonest Users in Mobile Ad Hoc Networks Edith Ngai, Michael R. Lyu, and Roland T. Chin IEEE Aerospace Conference, Big.

An Authentication Service Against Dishonest Users in Mobile Ad Hoc Networks Edith Ngai, Michael R. Lyu, and Roland T. Chin IEEE Aerospace Conference, Big.
Security Models for Trusting Network Appliances From : IEEE ( 2002 ) Author : Colin English, Paddy Nixon Sotirios Terzis, Andrew McGettrick Helen Lowe.

Security Models for Trusting Network Appliances From : IEEE ( 2002 ) Author : Colin English, Paddy Nixon Sotirios Terzis, Andrew McGettrick Helen Lowe.
1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

Similar presentations

Ads by Google