Ghost Domain Names: Revoked Yet Still Resolvable
江健, Tsinghua University
梁锦津, Tsinghua University
李康, University of Georgia
李军, University of Oregon
段海新, Tsinghua University
吴建平, Tsinghua University
19th NDSS (February 2012)
A Seminar at Advanced Defense Lab
Outline
- Introduction
- Background
- The DNS Name Revocation Vulnerability
- Experiments
- Possible Defense Approaches
- Response from Industries
2012/2/21
Introduction
While primarily used for legitimate purposes, domain names have also been heavily leveraged by malicious activities, e.g. botnets.
A major endeavour in stopping these malicious activities has thus been identifying and deleting malicious domain names, e.g. Waledac and Rustock.
DNS Mechanism
(Diagram: a client sends its query to the recursive resolver; the resolver follows the referral from .com to phishing.com's name server, and caches the NS record of phishing.com with a TTL of 86400 sec.)
Background
DNS response
A DNS response has four sections:
- Question Section
- Answer Section
- Authority Section
- Additional Section
DNS Delegation
A referral from the .com servers for phishing.com has an empty answer section; the delegation sits in the authority section and the glue address in the additional section:

;; ANSWER SECTION:
(empty)

;; AUTHORITY SECTION:
phishing.com.        86400   IN   NS   ns.phishing.com.

;; ADDITIONAL SECTION:
ns.phishing.com.     86400   IN   A    10.0.0.1
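To make the four sections concrete, the following added example (written for this page, not code from the paper or the slides) builds the referral above in RFC 1035 wire format and parses it back, so you can see which record lands in which section and how the counts in the header drive the parse. The names, TTL and 10.0.0.1 glue address are the slide's illustrative values; the helper function names and the transaction ID are this example's own assumptions.

```python
"""Build a DNS referral (no answer, NS in authority, A glue in additional)
and parse it again. Added example, not code from the paper or the slides."""
import struct
from typing import Dict, List, Tuple

TYPE_A, TYPE_NS = 1, 2
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Dotted name -> length-prefixed labels, terminated by a zero byte (no compression)."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def encode_rr(owner: str, rtype: int, ttl: int, rdata: bytes) -> bytes:
    # NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA
    return encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def build_referral(qname: str, zone: str, ns: str, glue_ip: str, ttl: int, txid: int = 0x1234) -> bytes:
    """A referral as a .com server would send it: QR=1, AA=0, QDCOUNT=1, ANCOUNT=0, NSCOUNT=1, ARCOUNT=1."""
    flags = 0x8000  # QR set, AA clear: a referral is not an authoritative answer
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 1, 1)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    authority = encode_rr(zone, TYPE_NS, ttl, encode_name(ns))
    additional = encode_rr(ns, TYPE_A, ttl, bytes(int(o) for o in glue_ip.split(".")))
    return header + question + authority + additional


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a name at `off`, following compression pointers; returns (name, offset after the name)."""
    labels: List[str] = []
    jumped, end = False, off
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # 2-byte compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    if not jumped:
        end = off
    return ".".join(labels) + ".", end


def parse_response(msg: bytes) -> Dict:
    """Split a response into its sections: question, answer, authority, additional."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    questions = []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    sections: Dict[str, List[Tuple[str, int, int, str]]] = {}
    for label, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            if rtype == TYPE_NS:
                data = decode_name(msg, off)[0]      # RDATA of an NS record is a name
            elif rtype == TYPE_A:
                data = ".".join(str(b) for b in rdata)
            else:
                data = rdata.hex()
            off += rdlen
            rrs.append((owner, rtype, ttl, data))
        sections[label] = rrs
    return {"id": txid, "flags": flags, "question": questions, **sections}


if __name__ == "__main__":
    wire = build_referral("www.phishing.com", "phishing.com", "ns.phishing.com", "10.0.0.1", 86400)
    for section, records in parse_response(wire).items():
        print(section, records)
```

The point to notice is that nothing in the message marks the NS record as "the delegation from the parent": it is just an authority-section record, and the same record can appear, with any TTL, in a reply from the child's own server. What the resolver does with it is entirely a matter of its cache-update policy.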
DNS Cache Update Policy
- The bailiwick rule: a resolver caches a record received from a server only if the record's name lies within the zone that server is authoritative for (its bailiwick).
- The credibility rule: a record already in the cache is replaced only by one that comes from a source of equal or higher trust. Ex: the trust levels in BIND 9.4.1.
The DNS Name Revocation Vulnerability
(Diagram: the recursive resolver first receives the referral from .com, whose AUTHORITY SECTION carries "phishing.com. NS ns.phishing.com." with TTL 100. A later reply from phishing.com's own server carries "phishing.com. NS ns2.phishing.com." with TTL 200 in its AUTHORITY SECTION. The resolver accepts it ("OK!!"): the record is inside the child's bailiwick and comes from an authoritative source, so it overwrites the cached delegation, the new TTL included.)
Ghost Domain Names
(Diagram: after the domain has been revoked at .com, the attacker still runs phishing.com's name server and keeps answering with AUTHORITY SECTION "phishing.com. NS ns2.phishing.com." and TTL 86400. Each such reply renews the cached delegation before it expires, so the resolver never goes back to .com to discover the deletion, and the revoked domain stays resolvable: a ghost domain name.)
Experiments
Vulnerability testing of popular DNS implementations
Implementation       Version                  CVE listed on the slide
BIND                 9.8.0-P4                 CVE-2012-1033
DJB dnscache         1.05                     CVE-2012-1191
Unbound              1.4.11                   -
Unbound              1.4.7                    CVE-2012-1192
PowerDNS Recursor    3.3                      CVE-2012-1193
MaraDNS              Deadwood-3.0.03          -
MaraDNS              Deadwood-2.3.05          -
Microsoft DNS        Windows Server 2008 R2   -
Microsoft DNS        Windows Server 2008      CVE-2012-1194
Experiments
Vulnerability testing of public DNS servers
- DNS Advantage
- OpenDNS
- Norton
- GTEI DNS
Measurement
19,045 open DNS resolvers
Delegation TTLs tested: 1800, 3600 and 14400 seconds
Refresh rates (how often the attacker's server re-sends the NS record to the resolver): TTL/2, TTL/4 and TTL/8
Results
(Results chart; the values visible on the slide are 70% and 10%.)
Geographic View
Refresh Rate
Possible Defense Approaches
- Strengthening the bailiwick rule
  ○ Accept authority records only from the parent
  ○ Ex: MaraDNS
- Refining the credibility rule
  ○ Accept authority records from the child only on the first reply
  ○ TTL constraints: update the records EXCEPT the TTL
  ○ Ex: Unbound 1.4.11
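The following added example (a toy model written for this page, not code from the paper, the slides, or any of the resolvers named above) plays out the two diagrams in the vulnerability section against the defense approaches listed here. A resolver caches the delegation for phishing.com from .com, the domain is then revoked at .com, and the attacker's own server keeps sending a full-TTL NS record for phishing.com in the authority section of every reply. The cache-update policy decides whether the domain becomes a ghost: overwriting record and TTL with the child's copy (the pre-fix behaviour), updating the record but keeping the old expiry (the "TTL constraints" approach), or accepting authority records from the parent only (the strengthened bailiwick rule). The zone and server names follow the slides; the policy labels, the timing parameters and the class and function names are this example's own assumptions. The `simulate` function takes the TTL and refresh interval as parameters, so the measurement slide's combinations (TTL 1800/3600/14400 with refresh TTL/2, TTL/4, TTL/8) can be replayed too.

```python
"""Toy model of a recursive resolver's cache-update policy and the ghost-domain
scenario. Added example, not code from the paper, the slides or any real resolver.
Policy labels, timings and names are this example's own assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional

# Cache-update policies (labels chosen for this example):
OVERWRITE_WITH_CHILD_TTL = "overwrite_with_child_ttl"  # pre-fix behaviour: record AND TTL replaced
UPDATE_EXCEPT_TTL = "update_except_ttl"                 # "TTL constraints" (slide: Unbound 1.4.11)
PARENT_ONLY = "parent_only"                             # strengthened bailiwick rule (slide: MaraDNS)
POLICIES = (OVERWRITE_WITH_CHILD_TTL, UPDATE_EXCEPT_TTL, PARENT_ONLY)


@dataclass
class NSRecord:
    owner: str    # delegated zone, e.g. "phishing.com"
    target: str   # name server, e.g. "ns.phishing.com"
    ttl: int


@dataclass
class CacheEntry:
    target: str
    expires: int  # absolute time (seconds) at which the entry leaves the cache


class ParentZone:
    """Models the .com servers: a delegation exists until the registry deletes it."""
    def __init__(self, delegations: Dict[str, NSRecord]):
        self.delegations = dict(delegations)

    def delete(self, zone: str) -> None:
        self.delegations.pop(zone, None)

    def referral(self, zone: str) -> Optional[NSRecord]:
        return self.delegations.get(zone)


def in_bailiwick(owner: str, server_zone: str) -> bool:
    """Bailiwick rule: a server for server_zone may only supply records at or below it."""
    return owner == server_zone or owner.endswith("." + server_zone)


class Resolver:
    def __init__(self, policy: str):
        if policy not in POLICIES:
            raise ValueError(f"unknown policy {policy!r}")
        self.policy = policy
        self.cache: Dict[str, CacheEntry] = {}

    def _accept_child_authority(self, rec: NSRecord, server_zone: str, now: int) -> None:
        """Apply the cache-update policy to an NS record seen in a child's authority section."""
        if self.policy == PARENT_ONLY or not in_bailiwick(rec.owner, server_zone):
            return                                    # record ignored, cache untouched
        cached = self.cache.get(rec.owner)
        if self.policy == UPDATE_EXCEPT_TTL and cached is not None:
            self.cache[rec.owner] = CacheEntry(rec.target, cached.expires)  # data refreshed, expiry kept
        else:                                         # OVERWRITE_WITH_CHILD_TTL, or not cached yet
            self.cache[rec.owner] = CacheEntry(rec.target, now + rec.ttl)   # expiry pushed forward

    def resolve(self, zone: str, now: int, parent: ParentZone, child_reply: NSRecord) -> bool:
        """True if the resolver can still reach an authoritative server for `zone` at time `now`.
        `child_reply` is the NS record the child's server (authoritative for `zone`) puts in
        the authority section of its reply."""
        entry = self.cache.get(zone)
        if entry is not None and entry.expires <= now:
            del self.cache[zone]                      # ordinary TTL expiry
            entry = None
        if entry is None:
            ref = parent.referral(zone)
            if ref is None:
                return False                          # .com no longer delegates the zone
            self.cache[zone] = CacheEntry(ref.target, now + ref.ttl)
        self._accept_child_authority(child_reply, zone, now)
        return True


def simulate(policy: str, ttl: int = 86400, refresh: int = 43200, horizon: int = 4 * 86400) -> int:
    """Cache the delegation at t=0, revoke it at .com, then let the attacker's server refresh
    the resolver every `refresh` seconds. Returns the last time (<= horizon) the zone resolved."""
    parent = ParentZone({"phishing.com": NSRecord("phishing.com", "ns.phishing.com", ttl)})
    child_reply = NSRecord("phishing.com", "ns2.phishing.com", ttl)  # attacker re-points to ns2, as on the slide
    resolver = Resolver(policy)
    if not resolver.resolve("phishing.com", 0, parent, child_reply):
        raise RuntimeError("delegation should resolve before revocation")
    parent.delete("phishing.com")                     # domain revoked at .com just after t=0
    last_ok, t = 0, refresh
    while t <= horizon and resolver.resolve("phishing.com", t, parent, child_reply):
        last_ok, t = t, t + refresh
    return last_ok


def is_ghost(policy: str, ttl: int = 86400, refresh: int = 43200) -> bool:
    """A ghost domain is one that still resolves after the original delegation TTL has run out."""
    return simulate(policy, ttl, refresh, 4 * ttl) > ttl


if __name__ == "__main__":
    for policy in POLICIES:
        print(f"{policy:26s} last resolvable at t={simulate(policy):6d}s  ghost={is_ghost(policy)}")
```

With the defaults (TTL 86400, refresh TTL/2), the overwriting policy keeps phishing.com resolvable for the whole four-day horizon, while both defenses let it drop out exactly when the delegation cached from .com would have expired anyway. The model deliberately keeps the bailiwick check: a child server for phishing.com that tries to plant an NS record for some other zone is rejected under every policy, which is why the ghost-domain trick needs no bailiwick violation at all, only the child refreshing its own delegation.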
Response from Industries
- Some new CVE entries
- ISC (vendor of BIND) published an advisory for the Ghost Domain vulnerability [link]
- Microsoft's security team is aware of the problem, and a case has been created to track it
Q & A