1 / 15

Security issues of . kr DNS

Security issues of . kr DNS. Yu Kyung Jung KISA/KRNIC ykjung@kisa.or.kr. Contests. System for Protecting . kr DNS against DDoS Attack Background The map of system Future work DNSSEC Plan DNSSEC Plan in GO.KR DNSSEC Test & Analysis failure Preparation.

rafal
Download Presentation

Security issues of . kr DNS

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security issues of .kr DNS Yu Kyung Jung KISA/KRNIC ykjung@kisa.or.kr

  2. Contests • System for Protecting .kr DNS against DDoS Attack • Background • The map of system • Future work • DNSSEC Plan • DNSSEC Plan in GO.KR • DNSSEC Test & Analysis • failure Preparation

  3. Protection System against DDoS attack

  4. IPv6, IPv4 IPv4 Status of .kr DNS B, Seoul (KT) G, Seoul (KISA) D, Seoul (KINX) G Mirror, Frankfurt (DENIC) E Mirror, Seoul (KT) G Mirror, Dulles (VeriSign) E Mirror, Beijing (CNNIC) F, Seoul (SK) D Mirror,Seoul (SK) D Mirror, Red Wood (ISC) C, Anyang (Dacom) E, Daejeon (KISTI) D Mirror, Singapore (SGNIC) E Mirror, São Paulo (Registro.br)

  5. Background • 77 crisis • At 2009.7.7 18:00 • DDoS attack to the homepage of government organization, internet portal, financial company • Possibility of .kr DNS attack • DNS can be the target of DDoS attack • To provide the stability of internet service

  6. Internet The map of system IDC 1 IDC 2 범례 router router router equipment against DDoS switch kr DNS servers VPN storage IDC 2 KISA KRNIC IDC 1 10G line 1G line ... ... ... ...

  7. Future Work • Traffic Managing : at least 10 times more • Reinforcement of stability • Future work • Keep to expand establishment of protection system • In 2010, KISA, Singapore, Germany

  8. DNSSEC Plan

  9. Plan(.kr) (1step)ccTLD kr • Government agencies domain(go.kr) singing in 2010 • “.kr” signing in 2011 or later • Side by side with new kr DNS deployment/ update (2step)SLD co ms mil ac ne gyeonobuk gyeongnam chungnam gwangju chungbuk gangwon incheon jeonbuk jeonnam daejeon busan seoul ulsan daegu jeju gyeonggi es or go pe hs re kg sc

  10. Key/Signature Policy(KASP) • Algorithm : NSEX3RSASHA1 • NSEC3, OPT-OUT • KSK(size : 2048bit, lifetime : 1year) • ZSK(size : 1024bit, lifetime : 3month) • Signature Validity : 1 month(resigning cycle) • Cycle resigning support in BIND

  11. System Load Test Result Test Environments • Test target S/W : BIND-9.6.1 • Test system environments • Operation System : GNU/Linux • Processor : x.86_64 • Hardware-Platform : x86_64 • CPU : 2.93GHz * 16 • Memory : 16GB

  12. Traffic Load Analysis • Traffic load test result • Root • Query 84byte→227byte • Response 118byte→1331byte • KR • Query 84byte →223byte • Response 118byte →1353byte • CO.KR • Query 84byte →244byte • Response 118byte →1376byte • Recursive server • Query 443byte→1525byte • Response 561byte →4797byte

  13. Expected failures & Measures • Failure of GO.KR Master : operating standby server(GO-SLV) • Failure of Dynamic Update : inspection/action monitoring • Compromise /Expired Key : checking rollover, perform an emergency rollover • Maintenance emergency contact(system personnel)

  14. Q & A Against DDoS attack : kimdw@kisa.or.kr DNSSEC : rays@kisa.or.kr

  15. Thank you!!

More Related