Ghost Domain Names: Revoked Yet Still Resolvable
19th NDSS (February 2012)
江健, Tsinghua University
梁锦津, Tsinghua University
李康, University of Georgia
李军, University of Oregon
段海新, Tsinghua University
吴建平, Tsinghua University
Outline
• Introduction
• Background
• The DNS Name Revocation Vulnerability
• Experiments
• Possible Defense Approaches
• Response from Industries
A Seminar at Advanced Defense Lab
Introduction
• While primarily used for legitimate purposes, domain names have also been heavily leveraged by malicious activities
  • Ex: botnets
• A major endeavour in stopping these malicious activities has thus been identifying and deleting malicious domain names.
  • Ex: Waledac and Rustock
DNS Mechanism
(diagram: client → Recursive Resolver → .com → .phishing.com; Recursive Resolver cache: NS of .phishing.com, TTL: 86400 sec)
Background
• DNS response
• DNS Delegation
;; ANSWER SECTION
;; AUTHORITY SECTION
phishing.com. 86400 IN NS ns.phishing.com.
;; ADDITIONAL SECTION
ns.phishing.com. 86400 IN A 10.0.0.1
DNS Cache Update Policy
• The bailiwick rule
• The credibility rule
  • Ex: Trust levels in BIND 9.4.1
The DNS Name Revocation Vulnerability
(diagram: Recursive Resolver, .com, .phishing.com)
Cached from .com:
;; AUTHORITY SECTION
phishing.com. NS ns.phishing.com. TTL: 100
Received from .phishing.com:
;; AUTHORITY SECTION
phishing.com. NS ns2.phishing.com. TTL: 200
OK!!
Ghost Domain Names
(diagram: Recursive Resolver, .com, .phishing.com, Attacker)
Cached from .com:
;; AUTHORITY SECTION
phishing.com. NS ns.phishing.com. TTL: 100
Received from .phishing.com (Attacker):
;; AUTHORITY SECTION
phishing.com. NS ns2.phishing.com. TTL: 86400
Experiments
• Vulnerability testing of popular DNS implementations
Experiments
• Vulnerability testing of public DNS servers
Measurement
• 19,045 open DNS resolvers
Measurement
• TTL: 1800, 3600, 14400
• Refresh rate: TTL/2, TTL/4, TTL/8
Results
(chart: 70%, 10%)
Geographic View
Refresh Rate
Possible Defense Approaches
• Strengthening the bailiwick rule
  • Accept authority records only from the parent
  • Ex: MaraDNS
• Refining the credibility rule
  • Accept authority records from the child only on the first reply
• TTL constraints
  • Update the records EXCEPT the TTL
  • Ex: Unbound 1.4.11
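Added here as an illustration (not code from the paper, the slides, or any resolver): a toy Python model of a recursive resolver's NS cache that covers both the revocation vulnerability on the earlier slides and the TTL-constraint defense listed above. `ResolverCache`, `simulate` and the two policy names are hypothetical; the zone and server names are the slides' own placeholders.

```python
from dataclasses import dataclass


@dataclass
class CacheEntry:
    rdata: str       # NS target, e.g. "ns.phishing.com."
    expires_at: int  # absolute expiry time in seconds


class ResolverCache:
    # Hypothetical toy cache: one NS record per zone, two update policies.
    def __init__(self, policy):
        assert policy in ("vulnerable", "ttl_constrained")
        self.policy = policy
        self.ns = {}  # zone name -> CacheEntry

    def learn_from_parent(self, zone, rdata, ttl, now):
        # Delegation obtained from the parent (.com): sets data and expiry.
        self.ns[zone] = CacheEntry(rdata, now + ttl)

    def learn_from_child(self, zone, rdata, ttl, now):
        # Authority section seen in a reply from the child zone's own server.
        cur = self.ns.get(zone)
        if cur is None or cur.expires_at <= now:
            return False  # nothing live in cache; a real resolver would ask the parent
        if self.policy == "vulnerable":
            self.ns[zone] = CacheEntry(rdata, now + ttl)       # TTL refreshed: ghost domain
        else:
            self.ns[zone] = CacheEntry(rdata, cur.expires_at)  # data updated, expiry kept
        return True

    def resolvable(self, zone, now):
        cur = self.ns.get(zone)
        return cur is not None and cur.expires_at > now


def simulate(policy, ttl=86400, refresh_every=43200, horizon=7 * 86400):
    """Parent delegates at t=0 and revokes the domain right after; the child keeps
    answering with an NS record for the zone every `refresh_every` seconds.
    Returns the last time (seconds) at which the zone was still resolvable."""
    cache = ResolverCache(policy)
    cache.learn_from_parent("phishing.com.", "ns.phishing.com.", ttl, now=0)
    last_ok, t = 0, refresh_every
    while t <= horizon:
        if cache.resolvable("phishing.com.", t):
            last_ok = t
            cache.learn_from_child("phishing.com.", "ns2.phishing.com.", ttl, t)
        t += refresh_every
    return last_ok
```

With the vulnerable policy the zone stays resolvable for the whole simulated week even though the parent delegation was revoked at t=0; with the TTL constraint it dies at the original 86400-second expiry.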
Response from Industries
• Some new CVE entries
• ISC (vendor of BIND) published an advisory for the Ghost Domain vulnerability [link]
• Microsoft's security team is aware of the problem, and a case has been created to track it
Q & A