Upload File

Ⅰ. security risks with dns

12

Upload: others

Post on 17-Mar-2022

11 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Ⅰ. Security Risks with DNS
Page 2: Ⅰ. Security Risks with DNS
Page 3: Ⅰ. Security Risks with DNS

Ⅰ. Security Risks with DNS

DDoSAttacks

Data Corruption

Threats causing unauthorized change of information in the DNSAuthority ImpersonationAuthoritative Server Corruption Cache Corruption Protocol Corruption

Threats preventing Internet users from using the DNS Resource Starvation Resource Disruption

.kr DNS Nameservers

InformationExposure

Threats from DNS

Threats causing disclosure of information about Internet users by examination of their DNS trafficDomain Front Running Cache Snooping Zone WalkingDNS Query TrackingNXDomain Redirection

Threats utilizing DNS as a useful tool for attacking 3rd targets DNS Amplification Attacks Fast Flux DNS DNS as a Covert Channel

3

Page 4: Ⅰ. Security Risks with DNS

Ⅱ. The Biggest Threat - DDoS

Main Targets of DDoS Attack : DNS, Government

2012 2017

• 2012 2017 : DNS(70%82%), Web(HTTP, 86%80%)

2012 2017

• 2012 2017 : Government(15%37%)

※ Worldwide Infrastructure Security Report / 2012 Volume VIII / ARBOR, 2012, 13th Worldwide Infrastructure Security Report / ARBOR, 2018

※ Worldwide Infrastructure Security Report / 2012 Volume VIII / ARBOR, 2012, 13th Worldwide Infrastructure Security Report / ARBOR, 2018

4

Page 5: Ⅰ. Security Risks with DNS

Ⅱ. The Biggest Threat - DDoS (cont.) Massive Amount of Traffic Attack through IoT devices

Time Traffic Target

‘15.12 602Gbps BBC (UK)

‘16.09 665Gbps Krebs On Security (US)

‘16.09 ~ 1Tbps OVH (France)

‘16.10 ~ 1.2Tbps Dyn (US)

‘18.2 ~ 1.35Tbps Github (US)

’18.3 ~ 1.7TbpsOne of Arbor’s

0

300

600

900

1200

1500

1800

2010 2011 2012 2013 2014 2015 2016 2018.2 2018.3

DDoS Attack Size Year Over Year

Bandw

idth

(Gbps)

(Year)

Ref : blog.haltdos.com/2017/02/22/busuinesses-india-can-learn-recent-ddos-attacks/

< DDoS Attacks through Malware-infected CPE IoT devices >

Internet

Attacker

Target

(1) Command

(2) SYN flood, UDP flood, DNS query flood, TCP RST AttackMalware-Infected

CPE IoT Devices(Customer Station Equipment)

5

’18.3 ~ 1.7TbpsOne of Arbor’s Customers (US)

(Year)

Page 6: Ⅰ. Security Risks with DNS

Ⅱ. The Biggest Threat - DDoS (cont.)

China easily retained pole position by number of attacks: its share remained almost unchanged, up from 59.18% to 59.42%. The US share (17.83%), the second largest, increased by a more noticeable 1.83%. South Korea again took bronze, but its share fell by more than 2%, from 10.21% to 8%.Britain (1.30%) moved from fourth to fifth. Tenth place in Q1 2018 went to Russia, whose share decreased from 1.25% to 0.76%. The Netherlands and Vietnam dropped out of the top ten, but Hong

Q1 2018 DDoS attack trends

0.76%. The Netherlands and Vietnam dropped out of the top ten, but Hong Kong (with a solid 3.67% against 0.67% in Q4 2017) and Japan (1.16%) reappeared.

6

Distribution of DDoS attacks by country, Q4 2017 vs. Q1 2018Ref : DDoS attacks in Q1 2018 By SECURELIST

The top ten countries by number of C&C servers last quarter underwent a major reshuffle: Canada, Turkey, Lithuania, and Denmark dropped out, while Italy, Hong Kong, Germany, and Britain climbed upwards. The top three remained practically unchanged: South Korea (30.92%), the US (29.32%), China (8.03%). Only Russia (2.01%), having shared bronze with China in late 2017, slid down to ninth place. Distribution of botnet C&C servers by country in Q1 2018

Ref : DDoS attacks in Q1 2018 By SECURELIST

Page 7: Ⅰ. Security Risks with DNS

Ⅲ. Current .kr DNS Status

Index Stat (’18. 4.)

Domain.kr 1,046,953

.한국(IDN) 30,179

IPIPv4 112,389,888

IPv6 (/32) 5,253

ASN ASN 1,024

IndexQuery & Response

Average Max

krDNS.kr, .한국

DNS- -

7

Page 8: Ⅰ. Security Risks with DNS

Ⅳ. .kr DNS Security Initiative

B.DNS.KR C.DNS.KR D.DNS.KR E.DNS.KR F.DNS.KR G.DNS.KR

USA(ISC)

Brazil

China

Germany

USA(Verisign)

Korea

Abroad

Cloud Service

Anycast Only

.kr DNS Cloud Service

B.DNS.KR C.DNS.KR D.DNS.KR E.DNS.KR F.DNS.KR G.DNS.KR

USAChina

Germany

USA

Korea

Abroad

Global InternetCloud

Cloud Service

Security Protection& SLA

Brazil

Global InternetData Center

Anycast + Cloud

D.DNS.KR Anycast Sites

E.DNS.KR Anycast Sites

F.DNS.KR Cloud Sites

G.DNS.KR Anycast Sites

Solo Site

8

Page 9: Ⅰ. Security Risks with DNS

Ⅳ. .kr DNS Security Initiative (cont.)

Internet

InternetUsersCache DNS

Internet

Internet UsersCache DNS

Zombie PC Attacker

Normal DDoS Attack

.kr DNS Clean Zone Service

Clean Zone

DDoS Protection(IDS, IPS, …)

.kr DNS

ISPClean Zone

DDoS Protection(IDS, IPS, …)

.kr DNS

ISP

9

Page 10: Ⅰ. Security Risks with DNS

Ⅳ. .kr DNS Security Initiative (cont.)

.kr Registry

Authoritative DNS .kr

Data driven .kr DNS Security Project Concept

ISP Resolvers

DNS Query &Responses

Malicious Activity :- Spam-runs- Botnets like cutwall- DNS-Amplification attacks

10

Page 11: Ⅰ. Security Risks with DNS

Ⅳ. .kr DNS Security Initiative (cont.)

Data driven .kr DNS Project Architecture(concept)

11

Page 12: Ⅰ. Security Risks with DNS

SOLIDserver DDI for DNS, DHCP and IPAM · IPAM, DNS or DHCP. SOLIDserver ™ guarantees DNS-DHCP server configuration and consistency of IPAM data in order to remove the risks of

De Stiho GroepAngelique Luijten Ⅰ Danny de Cort Ⅰ Edwin Timmermans Ⅰ Emko de Graaf Ⅰ Ivo van Berkel Ⅰ John Verstegen Ⅰ Leonard van de Nieuwegiessen ... van Heteren Ⅰ

Module 4: DNS As a Solution for Name Resolution. Overview Introducing DNS Designing a Functional DNS Solution Securing DNS Enhancing a DNS Design for

DNS for Dummies Ebook Amazon | DNS

Monitor Windows DNS Server using DNS Analytics … · Monitor Windows DNS Server using DNS Analytics (Preview) ... analyzes and correlates Windows DNS analytic and audit logs and

DNS DNS SPS ThreatAvertdnsops.jp/event/20180627/DNSセキュリティはDNSで... · 2018-09-11 · DNS DNS " " SPS ThreatAvert DNS " DDoS ( $30 5+ 2018*6-27, ! " % '.46)/2 ©Akamai

Таблица 1. В Домашнем регионеfederal/news/novost_ne_besplatnie... · dns://acs.feib.ru/ dns://acs.kjbank.com/ dns://acs.ktc.co.th

dns-Drechselkurse - Drechselstube Neckarsteinach · dns-Einsteigerkurs dns-Fortgeschrittenenkurs dns-Themenkurse dns-Profikurse dns-Betriebseventkurs Anmeldung / Anfahrt / Übenrachtung

Overview - TWNIC · Overview • DNS Protocol Overview • DNS Security • DNS Transactions – TSIG and Lab • DNS Security Extensions (DNSSec) – DNSSEC Lab . 21/06/16 2 DNS

DNS-2640 User Manual QS0001 - DataON Storagedoc.dataonstorage.com/product/DNS/2640/DNS-2640_User_Manual.pdf · DNS-2640 User Manual 2 Package content The DNS-2640 box contains the

DNS Risks, DNSSEC

dns ile alakalı diyer kelimeler · dns failover 1300 0,36 17,75 euro dns 720 0,05 6,03 dns management 1300 0,5 7,92 dns registration 720 0,89 27,22 dns blacklist 1600 0,11 2,69 dns

Constellation: automated discovery of service and host ......DHCP MOM DNS DNS KERBEROS LDAP HTTP SMB LDAP MOM DNS DNS DNS DNS Figure 1: Small fragment of a constellation depicting

Domain Name System. CONTENTS Definitions. DNS Naming Structure. DNS Components. How DNS Servers work. DNS Organizations. Summary

Réalisée par : ??? L’attaque DNS Spoofing. Spoofing de l’identificateur DNS. Présentation L’attaque DNS Spoofing L’empoisonnement du cache DNS. Outils

DNS Security Pacific IT Pros Nov. 5, 2013. Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage

Authoritative DNS-over-TLS Operational Considerations · motivation for authoritative name server operators to weigh the risks and benefits of DNS encryption, hence the importance

2010 ICF Canoe Slalom World Championships SLOKA 2010...2010/09/12  · 25 FORIZS Reka HUN DNS DNS 27 POLEZHAEVA Svetlana KAZ DNS DNS 28 NIKOLAEVA Irina UZB DNS DNS Chief Judge _____

USENIX | The Advanced Computing Systems Association · DNS, LDAP, Port Mapper, RPC DNS, LDAP DNS Mail exchange, DNS DNS, AD, Kerberos ... Knowing in advance Improves response time

Configuring DNS · Example: Configuring DNS Spoofing Inthefollowingexample,thedeviceisconfiguredtospoofrepliestoanyDNSqueries: ip dns server ip dns spoofing no ip domain lookup

DNS. Sommario Introduzione al DNS Introduzione al DNS La terminologia del DNS La terminologia del DNS Nomi DNS in un dominio Windows 2003 Nomi DNS in

DNSSEC Basics, Risks and Benefits - APNICarchive.apnic.net/.../19/docs/sigs/dns/dns-pres-kolkman-dnssec.pdf · Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC Basics,

06制限酵素Nr u Ⅰ Nsi Ⅰ Nsp Ⅴ Pst Ⅰ Pvu Ⅱ Rsa Ⅰ Sac Ⅰ Sac Ⅱ Sal Ⅰ Sau 3A Ⅰ Sau 96 Ⅰ Sca Ⅰ Scr F Ⅰ Sfi Ⅰ Sma Ⅰ Spe Ⅰ Sph Ⅰ Ssp Ⅰ Stu Ⅰ Sty

DNS: EdgeCast Route - Basic DNS Service Overview

Instituto Electoral del Estado - Puebla...OLXIS zaLlN-38 zanvzN09 -IVdlOlNnllN BLN2CllSaèld OHISIOAH aa Odil L 'dns L 'd08d 9 dns 9 .d08d 9 'dns 9 'd08d dns 'd08d .dns .d08d "dns

Webinar DNS 1550 DNS 1100

DNS Setup DNS CONFIGURATION. DNS Configuration DNS Setup named daemon is used A DNS Server may be caching/master/slave server The named.ca file has information

DNS New World Order: QuadX! DoH! DoT! Da Fuq? · Domain Name System (DNS) in general & new encrypted DNS methods like DNS over HTTPS (DoH), DNS over TLS (DoT). ... DNS comes great

今さら聞けないIP アドレスとドメイン名 ~見抜く …サーバ net DNS サーバ com DNSサーバ DNS DNS DNS DNS example DNS サーバ exampleの DNSサーバが

DNS Cache y DNS Zonas_Dquintero

RIPE76 DNS Privacy measurements · DNS WG @ RIPE76 DNS Privacy Measurements Latest Measurements on DNS Privacy Sinodun ... Unbound . DNS WG @ RIPE76 DNS Privacy Measurements Test

Domain Name System (DNS). Outline Functions of DNS Design goals of DNS History of DNS Elements of DNS –Name space and resource records –Name servers –Name

Networking:! UDP&!DNS! · Root DNS Servers com DNS servers org DNS servers edu DNS servers poly.edu DNS servers umass.edu DNS servers yahoo.com DNS servers amazon.com

DNS Session 2: DNS cache operation and DNS debugging

GRIS - DNS - Apresentação sobre segurança DNS