Perils of Transitive Trust in the Domain Name System
Venugopalan Ramasubramanian, Emin Gün Sirer
Cornell University

How to 0wn the Internet in Your Spare Time? Part 2
Venugopalan Ramasubramanian, Emin Gün Sirer
Cornell University

Introduction
• DNS is critical to the Internet
• DNS architecture is based on delegations
• control for names is delegated to name servers designated by the name owner
• delegations facilitate high scalability and decentralized administration
• what about security?

Dependencies for www.fbi.gov
[Figure: dependency graph for www.fbi.gov. Labels shown: root; gov; fbi.gov; www.fbi.gov; gov.zoneedit.com; zoneedit.com; com; net; gtld-servers.net; nstld.com; dns[,2].sprintip.com; ns[3,4,5,6].vericenter.com; sprintip.com; sprintlink.net; telemail.net; vericenter.com]

Subtle Dependencies in DNS
• www.fbi.gov
• 86 servers, 17 domains
• www.cs.cornell.edu
• cs.rochester.edu cs.wisc.edu itd.umich.edu
• 48 nameservers, 20 domains
• DNS dependencies are subtle and complex
• are administrators aware of what they depend on?
• increases risk of domain hijacks

Servers with Security Loopholes
[Figure: graph for www.fbi.gov and www.cs.cornell.edu. Labels shown: fbi.gov; sprintip.com; dns[,2].sprintip.com; ns[3,4,5,6].vericenter.com; ns[1,2,3]-auth.sprintlink.net; reston-ns[1,3].telemail.net; reston-ns[2].telemail.net; [slate,cayuga].cs.rochester.edu]
Source: Internet Systems Consortium (www.isc.org)

Survey Goals
• Which domain names have large dependencies and entail high risk?
• Which domains are affected by servers with known security holes and can be easily taken over?
• Which servers control the largest portion of the namespace and are thus likely to be attacked?

Survey Methodology
• 593160 domain names (Yahoo and Dmoz.org)
• 166771 name servers
• 535036 domains, 196 top-level domains

Most Vulnerable Names
Number of Dependencies

          All    Top 500
Mean       46         68
Max       604        342
Median     26         22

Vulnerability to Security Flaws
• survey of BIND version numbers
• 17% of servers have known loopholes [ISC]
• 45% of names are not totally safe
• security through obscurity!
• more than 40% of servers hide version numbers
• 19/46 reports for cs.cornell.edu and 18/86 for fbi.gov

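The "Subtle Dependencies in DNS" and "Vulnerability to Security Flaws" slides both rest on one computation: the transitive closure of name servers a name depends on, then a check of that closure against servers with known flaws. The sketch below is an added example, not the authors' survey code. The delegation map, the flagged set and all function names are constructed for illustration, the root zone is omitted, and glue records are ignored, so every name server's own name is assumed to need resolving.

```python
# Added example with constructed data: zone -> NS host names.
# Reserved .example/.test names stand in for real delegations.
DELEGATIONS = {
    "example": ["a.registry.test"],
    "test": ["a.registry.test"],
    "registry.test": ["a.registry.test"],
    "agency.example": ["ns1.hoster.test", "ns2.carrier.test"],
    "hoster.test": ["ns1.hoster.test"],
    "carrier.test": ["ns.upstream.example"],
    "upstream.example": ["ns.campus.example"],
    "campus.example": ["ns.campus.example"],
    "other.example": ["ns.other.example"],  # unrelated zone
}
# Constructed set of servers reported as running software with known flaws.
FLAGGED = {"ns.campus.example"}


def enclosing_zones(name, delegations):
    """Zones on the resolution path of `name`, most specific first."""
    labels = name.lower().rstrip(".").split(".")
    suffixes = (".".join(labels[i:]) for i in range(len(labels)))
    return [s for s in suffixes if s in delegations]


def dependency_closure(name, delegations):
    """Every zone and name server that resolving `name` can involve."""
    zones, servers, pending = set(), set(), [name]
    while pending:
        host = pending.pop()
        for zone in enclosing_zones(host, delegations):
            if zone in zones:
                continue  # this zone's servers are already queued
            zones.add(zone)
            for ns in delegations[zone]:
                if ns not in servers:
                    servers.add(ns)
                    pending.append(ns)  # the server's own name must resolve too
    return zones, servers


def exposed_servers(name, delegations, flagged):
    """Flagged servers anywhere in the closure, not only the direct NS set."""
    _, servers = dependency_closure(name, delegations)
    return sorted(servers & set(flagged))


if __name__ == "__main__":
    zones, servers = dependency_closure("www.agency.example", DELEGATIONS)
    print(len(zones), "zones,", len(servers), "servers")
    print("direct NS:", DELEGATIONS["agency.example"])
    print("flagged in closure:", exposed_servers("www.agency.example", DELEGATIONS, FLAGGED))
```

In the constructed map, agency.example lists two name servers, yet the closure holds five, and the flagged server is one the zone's administrator never chose directly.
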
Most Valuable Nameservers
Top 5 Domains
• arizona.edu
• ucla.edu
• uoregon.edu
• nyu.edu
• berkeley.edu

Conclusions
• Domain names have subtle dependencies
• name-based delegations
• High risk of domain hijacks
• well-known software loopholes
• leading to more effective phishing attacks
http://www.cs.cornell.edu/people/egs/beehive/codons.php

DNS-SEC
• Security Standard for DNS based on public-key cryptography and digitally signed certificates
• Not widely used currently
• security at delegation points
• authenticated denials
• islands of security
• Does not eliminate name-based delegations

Dependencies for www.fbi.gov
[Figure: dependency graph for www.fbi.gov. Labels shown: gov; gov.zoneedit.com; zoneedit.com; com; net; gtld-servers.net; nstld.com; fbi.gov; dns[,2].sprintip.com; ns[3,4,5,6].vericenter.com; sprintip.com; ns[1,2,3]-auth.sprintlink.net; reston-ns[1,2,3].telemail.net; vericenter.com; ns[1-6].vericenter.com; www.fbi.gov; fbi.edgesuite.net; a33.g.akamai.net; edgesuite.net; akam.net; g.akamai.net; akamai.net; akamaitech.net]