Ghost Domain Names: Revoked Yet Still Resolvable (19th NDSS, February 2012)


Page 1

Ghost Domain Names: Revoked Yet Still Resolvable

江健 (Jian Jiang), Tsinghua University

梁锦津 (Jinjin Liang), Tsinghua University

李康 (Kang Li), University of Georgia

李军 (Jun Li), University of Oregon

段海新 (Haixin Duan), Tsinghua University

吴建平 (Jianping Wu), Tsinghua University

19th NDSS (February 2012)

Page 2

A Seminar at Advanced Defense Lab 2

Outline

• Introduction
• Background
• The DNS Name Revocation Vulnerability
• Experiments
• Possible Defense Approaches
• Response from Industries

2012/2/21

Page 3

Introduction

• While primarily used for legitimate purposes, domain names have also been heavily leveraged by malicious activities. Ex: botnets

• A major endeavour in stopping these malicious activities has thus been identifying and deleting malicious domain names. Ex: the Waledac and Rustock takedowns

Page 4

DNS Mechanism

Figure: resolution path client -> Recursive Resolver -> .com -> .phishing.com. The recursive resolver caches the NS records of .phishing.com with TTL 86400 sec.

Page 5

Background

DNS response: Question Section, Answer Section, Authority Section, Additional Section

DNS Delegation (referral from the .com server; the answer section is empty):

;; ANSWER SECTION
(empty)

;; AUTHORITY SECTION
phishing.com.      86400  IN  NS  ns.phishing.com.

;; ADDITIONAL SECTION
ns.phishing.com.   86400  IN  A   10.0.0.1

Page 6

DNS Cache Update Policy

• The bailiwick rule: records in a response are cached only if they fall within the bailiwick (the zone) of the server that sent the response.

• The credibility rule: cached data is replaced only by data of equal or higher credibility, where credibility depends on the section a record arrived in and on whether the response was authoritative. Ex: trust levels in BIND 9.4.1
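The two cache-update rules on this slide, as an added example in Python (not code from the paper or from any resolver). It applies the bailiwick rule to each section of a response and ranks the surviving records with a simplified credibility ordering loosely modelled on BIND's trust levels; the exact ordering, the `RR` tuple and the two constructed responses (the .com referral of the previous slide plus an authoritative reply from the child carrying a new NS set) are assumptions for this example. The final check shows why the revocation vulnerability on the following slides passes both rules: the child's authority-section NS is in bailiwick and ranks higher than the referral NS cached from the parent.

```python
from collections import namedtuple

# A resource record as a resolver sees it: owner name, TTL, type, rdata.
RR = namedtuple("RR", "name ttl rtype rdata")

# Simplified credibility ranking, loosely modelled on BIND's trust levels.
# Only the ordering matters; the numbers are an assumption for this example.
TRUST = {
    "glue": 1,           # additional-section address records for NS hosts
    "authority": 2,      # authority-section NS in a non-authoritative referral
    "answer": 3,         # answer section of a non-authoritative response
    "authauthority": 4,  # authority section of an authoritative (AA=1) response
    "authanswer": 5,     # answer section of an authoritative (AA=1) response
}


def normalize(name):
    """Lower-case and make absolute so comparisons are label-exact."""
    return name.lower().rstrip(".") + "."


def in_bailiwick(name, zone):
    """Bailiwick rule: a server for `zone` may only tell us about names at or below `zone`."""
    name, zone = normalize(name), normalize(zone)
    if zone == ".":
        return True
    return name == zone or name.endswith("." + zone)


def section_trust(section, aa):
    """Credibility assigned to a record from the section it arrived in."""
    if section == "answer":
        return "authanswer" if aa else "answer"
    if section == "authority":
        return "authauthority" if aa else "authority"
    return "glue"


def filter_response(response, server_zone):
    """Apply the bailiwick rule to every section; return cacheable (RR, trust) pairs and rejected RRs."""
    cacheable, rejected = [], []
    for section in ("answer", "authority", "additional"):
        trust = section_trust(section, response["aa"])
        for rr in response.get(section, []):
            if in_bailiwick(rr.name, server_zone):
                cacheable.append((rr, trust))
            else:
                rejected.append(rr)
    return cacheable, rejected


def should_replace(cached_trust, new_trust):
    """Credibility rule: cached data is replaced when the new data is at least as credible."""
    return TRUST[new_trust] >= TRUST[cached_trust]


# Constructed referral from a .com server for phishing.com (the slide's example), with
# one out-of-bailiwick record added to show the bailiwick rule rejecting it.
REFERRAL_FROM_COM = {
    "aa": False,
    "answer": [],
    "authority": [
        RR("phishing.com.", 86400, "NS", "ns.phishing.com."),
        RR("example.net.", 86400, "NS", "ns.phishing.com."),  # not under .com: rejected
    ],
    "additional": [RR("ns.phishing.com.", 86400, "A", "10.0.0.1")],
}

# Constructed authoritative reply from the child (ns.phishing.com) to a later query.
# Its authority section carries a fresh NS set for its own zone: in bailiwick, and more
# credible than the referral NS the resolver cached from the parent.
ANSWER_FROM_CHILD = {
    "aa": True,
    "answer": [RR("www.phishing.com.", 300, "A", "10.0.0.2")],
    "authority": [RR("phishing.com.", 200, "NS", "ns2.phishing.com.")],
    "additional": [RR("ns2.phishing.com.", 200, "A", "10.0.0.3")],
}


def demo():
    """Walk both responses through the two rules; returns what a resolver would conclude."""
    ok, bad = filter_response(REFERRAL_FROM_COM, "com")
    ok2, bad2 = filter_response(ANSWER_FROM_CHILD, "phishing.com")
    parent_ns_trust = next(t for rr, t in ok if rr.rtype == "NS")
    child_ns_trust = next(t for rr, t in ok2 if rr.rtype == "NS")
    return {
        "referral_cached": len(ok),
        "referral_rejected": [rr.name for rr in bad],
        "child_cached": len(ok2),
        "child_rejected": [rr.name for rr in bad2],
        "child_ns_overwrites_parent_ns": should_replace(parent_ns_trust, child_ns_trust),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the bailiwick rule does nothing against the child re-announcing its own delegation: `phishing.com.` is squarely inside the bailiwick of the `phishing.com` server, and the credibility rule then ranks that authoritative authority-section NS above the non-authoritative referral NS, so the cached entry (TTL included) is replaced.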

Page 7

The DNS Name Revocation Vulnerability

Figure: the recursive resolver holds the delegation learned from .com (phishing.com. NS ns.phishing.com., TTL 100). A reply from the .phishing.com server carries phishing.com. NS ns2.phishing.com. with TTL 200 in its authority section, and the resolver accepts it ("OK!!"), replacing the cached NS set together with its TTL.

Page 8

Ghost Domain Names

Figure: same setup, but the .phishing.com server is run by the attacker. Before the cached delegation (phishing.com. NS ns.phishing.com., TTL 100) expires, the attacker's server answers with phishing.com. NS ns2.phishing.com., TTL 86400 in the authority section; the resolver accepts it, so the name stays resolvable even after it has been removed from .com.

Page 9

Experiments

Vulnerability testing of popular DNS implementations:

• BIND 9.8.0-P4 (CVE-2012-1033)
• DJB dnscache 1.05 (CVE-2012-1191)
• Unbound 1.4.11; 1.4.7 (CVE-2012-1192)
• PowerDNS Recursor 3.3 (CVE-2012-1193)
• MaraDNS Deadwood-3.0.03; Deadwood-2.3.05
• Microsoft DNS: Windows Server 2008 R2; Windows Server 2008 (CVE-2012-1194)

Page 10

Experiments

Vulnerability testing of public DNS servers:

• Google
• DNS Advantage
• OpenDNS
• Norton
• GTEI DNS

Page 11

Measurement

19,045 open DNS resolvers


Page 12

Measurement

• TTL of the test domain's records (seconds): 1800, 3600, 14400
• Refresh rate (how often the attacker's server re-announces the NS set): TTL/2, TTL/4, TTL/8

Page 13

Results

Figure: results chart (only the labels 70% and 10% survive in the transcript)

Page 14

Geographic View

Figure: geographic view (image not captured in the transcript)

Page 15

Refresh Rate

Figure: refresh rate (image not captured in the transcript)

Page 16

Possible Defense Approaches

• Strengthening the bailiwick rule: accept authority records only from the parent
  ○ Ex: MaraDNS

• Refining the credibility rule: accept authority records from the child only on the first reply

• TTL constraints: update the records EXCEPT the TTL
  ○ Ex: Unbound 1.4.11
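The ghost-domain scenario of pages 7 and 8, the measurement parameters of page 12 and the defenses listed above, worked through in one added Python simulation (not code from the paper or from any of the named resolvers). `NSCache` is a toy model of a resolver's NS cache with a simulated clock and no network access: the `overwrite` policy is the vulnerable behaviour, `parent_only` stands in for the strengthened bailiwick rule (MaraDNS-style) and `keep_ttl` for the refined credibility rule with TTL constraints (Unbound 1.4.11-style). The class, the policy names, the timings and the domain names are assumptions for this example, not the resolvers' actual code paths.

```python
class NSCache:
    """Toy model of a recursive resolver's NS cache with a selectable update policy.
    The clock is simulated (seconds); nothing talks to the network."""

    POLICIES = ("overwrite", "parent_only", "keep_ttl")

    def __init__(self, policy):
        if policy not in self.POLICIES:
            raise ValueError(policy)
        self.policy = policy
        self.rdata = None        # cached NS target
        self.expires_at = None   # absolute simulated time at which the entry expires
        self.child_seen = False  # whether a child-supplied NS set has already been accepted

    def lookup(self, now):
        """Cached NS if still fresh, else None (the resolver must re-walk from the parent)."""
        if self.rdata is not None and now < self.expires_at:
            return self.rdata
        return None

    def from_parent(self, now, rdata, ttl):
        """Delegation NS learned from the parent zone: accepted under every policy."""
        self.rdata, self.expires_at, self.child_seen = rdata, now + ttl, False

    def from_child(self, now, rdata, ttl):
        """NS set in the authority section of the child's authoritative reply.
        Returns True if the cached entry changed."""
        if self.policy == "parent_only":
            return False  # strengthened bailiwick: authority records only from the parent
        if self.policy == "keep_ttl":
            if self.child_seen:
                return False  # refined credibility: child's NS accepted on the first reply only...
            self.rdata, self.child_seen = rdata, True  # ...and never with its own TTL
            return True
        # "overwrite": the vulnerable behaviour, rdata and TTL both replaced
        self.rdata, self.expires_at, self.child_seen = rdata, now + ttl, True
        return True


def simulate(policy, ttl=86400, refresh=43200, revoke_at=3600, horizon=10 * 86400):
    """Ghost-domain scenario: delegation learned at t=0, removed from the parent at
    `revoke_at`, attacker's server re-announces its NS set every `refresh` seconds.
    Returns whether the name still resolves at `horizon` and when the cache last served it."""
    cache = NSCache(policy)
    cache.from_parent(0, "ns.phishing.com.", ttl)
    cache.from_child(0, "ns.phishing.com.", ttl)  # first contact with the child
    last_served = 0
    t = refresh
    while t <= horizon:
        if cache.lookup(t) is None:
            if t >= revoke_at:  # parent no longer delegates the name: resolution fails
                return {"resolvable_at_horizon": False, "last_served": last_served}
            cache.from_parent(t, "ns.phishing.com.", ttl)
        # The attacker's server answers the refresh query with a fresh authority NS set
        cache.from_child(t, "ns2.phishing.com.", ttl)
        last_served = t
        t += refresh
    return {"resolvable_at_horizon": cache.lookup(horizon) is not None,
            "last_served": last_served}


if __name__ == "__main__":
    for policy in NSCache.POLICIES:
        print(policy, simulate(policy))
```

With the defaults the attacker refreshes every TTL/2, so under `overwrite` the name still resolves ten days after the parent stopped delegating it, while both defenses let the cached delegation expire at its original TTL. Setting `refresh` above the TTL makes even the vulnerable policy fail, which is why a measurement of the kind on page 12 sweeps refresh rates of TTL/2, TTL/4 and TTL/8 rather than a single value.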

Page 17

Response from Industries

• Some new CVE entries

• ISC (vendor of BIND) published an advisory for the Ghost Domain vulnerability [link]

• Microsoft's security team is aware of the problem, and a case has been created to track it

Page 18

Q & A
