NSEC3 Hash Breaking. GPU-based. Matthäus Wander, Lorenz Schwittmann, Christopher Boelmann, Torben Weis IEEE NCA

Size: px
Start display at page:

Download "NSEC3 Hash Breaking. GPU-based. Matthäus Wander, Lorenz Schwittmann, Christopher Boelmann, Torben Weis IEEE NCA 2014.

Transcription

1 GPU-based NSEC3 Hash Breaking Matthäus Wander, Lorenz Schwittmann, Christopher Boelmann, Torben Weis IEEE NCA 2014 Cambridge, August 22, 2014

2 NSEC3 FUNDAMENTALS Matthäus Wander 2

3 Secure Denial of Existence with DNSSEC Query: www? ftp mail ns1 www Matthäus Wander 3

4 Secure Denial of Existence with DNSSEC Query: www? www A ftp mail ns1 Response www Signed resource record Authenticity verified with PKI built into DNSSEC Matthäus Wander 4

5 Secure Denial of Existence with DNSSEC Query: test? ftp mail ns1 Not found www Query name: n Matthäus Wander 5

6 Secure Denial of Existence with DNSSEC Query: test? ftp mail ns1 Not found www Query name: n NSEC Matthäus Wander 6

7 Secure Denial of Existence with DNSSEC Query: test? ns1 NSEC www ftp mail ns1 Query name: Response: n Not found (r 1,r2 ) with r1 n r2 www NSEC Matthäus Wander 7

8 Zone Enumeration Copy DNSSEC zone by crawling NSEC records Nominet (.uk) position: Zone file enumeration is a show-stopper for us that will prevent us from fully implementing DNSSEC. DENIC (.de) position: In conflict with Germany s Federal Data Protection Act Matthäus Wander 8

9 Secure Denial of Existence with DNSSEC Query: test? ftp mail ns1 Not found www NSEC Matthäus Wander 9

10 Secure Denial of Existence with DNSSEC Query: test? ftp mail ns1 3a45 78a1 8e5d Not found Hash query name: h(n) www NSEC b105 NSEC3 Matthäus Wander 10

11 Secure Denial of Existence with DNSSEC Query: test? 78a1 NSEC3 8e5d Not found ftp mail ns1 www 3a45 78a1 8e5d b105 Hash query name: Response: h(n) NSEC NSEC3 (h(r1 ), h(r2 )) with h(r1 ) h(n) h(r2 ) Matthäus Wander 11

12 Reasons for and against NSEC3 Privacy Opt-out feature CPU load Message size How well does NSEC3 prevent zone enumeration? Matthäus Wander 12

13 NSEC3 Definition domain name salt h(n, s, 0 ) SHA1( n s ) h(n, s, i) SHA1( h(n,s,i 1) s ), for i 0 additional iterations Repeated SHA1 computation Salt is identical for all names in a DNSSEC zone Matthäus Wander 13

14 May 2014 Top-Level Domain Survey TLD i Salt at. 5 b4c3ee8e123154f8 ch. 2 e7bd8151 cn. 10 aef123ab com. 0 de. 15 ba5eba11 eu. 1 5ca1ab1e fr. 1 41b69d30 TLD i Salt info. 1 d399eaab jp. 8 f5435b71d7 net. 0 nl. 5 c9545f07a61d0d33 org. 1 d399eaab ru. 3 00ff uk use NSEC3, 53 use NSEC, 185 not signed 60% of TLDs with NSEC3 use i=1 42% of TLDs with NSEC3 change the salt Matthäus Wander 14

15 ATTACKING NSEC3 1. Collect hashes 2. Reverse hashes Matthäus Wander 15

16 Why AMD Graphic Cards? Matthäus Wander 16

17 ATTACKING NSEC3 1. Collect hashes 2. Reverse hashes Matthäus Wander 17

18 Hash Crawling Retrieve NSEC3 hashes from name server Send queries for random non-existing names M8eZcl8.com? 78a1 NSEC3 8e5d Not found Check hash before sending query NSEC3 gap NSEC3 gap NSEC3 gap Matthäus Wander 18

19 Crawling 345,000 Hashes from.com 1e+12 1e+10 1e+08 1e Hashing attempts Gaps in use 00:00 02:00 04:00 06:00 08:00 10:00 12:00 Time in hours Matthäus Wander 19

20 ATTACKING NSEC3 1. Collect hashes 2. Reverse hashes Matthäus Wander 20

21 GPU-based NSEC3 Hash Breaking Iterate through cleartext candidate names Compute NSEC3 hash, compare with known hashes Global memory access on GPU is expensive Bloom filter for 300% speedup Start Python Generate next name Create bloom filter Start OpenCL kernel Retrieve names Compute hash value Hit? Yes Write name No Done Yes End? No Matthäus Wander 21

22 Brute-Force Attack 1 to 8 characters 9 characters Matthäus Wander 22

23 Dictionary Attack Effectiveness depends on dictionary quality Good public lists (Alexa, Quantcast) List of all IPv4 reverse mappings (not exhaustive!) 7.1 mio candidate names Generate more candidates by inserting strings Insert most common 200,000 n-grams (with 1 n 15) foo.com. e efoo.com. feoo.com. foeo.com. fooe.com. Matthäus Wander 23

24 Dictionary Attack Matthäus Wander 24

25 Effectiveness of Insertion Wordlist Matthäus Wander 25

26 Markov Attack Some strings are more probable than others th more common in English than tx Model language with 1 st order Markov chains Markov attack requires training Use hits from brute-force and dictionary attacks Markov model derived from names found Enumerate most probable names Omit others (with given time frame) Matthäus Wander 26

27 Markov Attack Matthäus Wander 27

28 Discussion Reversed 65%.com domains after 5 days Server operator pays for NSEC3 with CPU load Adjust iterations to increase CPU workload Attacker Server operator Matthäus Wander 28

29 Discussion Reversed 65%.com domains after 5 days Server operator pays for NSEC3 with CPU load Adjust iterations to increase CPU workload Attacker Server operator Matthäus Wander 29

30 Discussion Reversed 65%.com domains after 5 days Server operator pays for NSEC3 with CPU load Adjust iterations to increase CPU workload Attacker Server operator Matthäus Wander 30

31 Efficiency of CPU vs. GPU Matthäus Wander 31

32 Conclusions NSEC3 returns negative DNSSEC responses without disclosing existing domain names GPUs very efficient for breaking NSEC3 hashes Reversed 65%.com domains after 5 days Assess whether weak privacy justifies the costs Future work: GPU-based NSEC3 accelerators for DNSSEC servers Matthäus Wander 32

DNSSEC. Matthäus Wander. Erlangen, April 20, 2015. and the Hassle of Negative Responses.

DNSSEC. Matthäus Wander. Erlangen, April 20, 2015. and the Hassle of Negative Responses. <matthaeus.wander@uni-due.de> DNSSEC and the Hassle of Negative Responses Matthäus Wander Erlangen, April 20, 2015 Security Goal of DNSSEC Query: www? ftp mail ns1 www Matthäus Wander 2 Security Goal of

More information

The Impact of DNSSEC. Matthäus Wander. on the Internet Landscape. Duisburg, June 19, 2015

The Impact of DNSSEC. Matthäus Wander. on the Internet Landscape. <matthaeus.wander@uni-due.de> Duisburg, June 19, 2015 The Impact of DNSSEC on the Internet Landscape Matthäus Wander Duisburg, June 19, 2015 Outline Domain Name System Security problems Attacks in practice DNS Security Extensions

More information

Verteilte Systeme - Overview

Verteilte Systeme - Overview - Overview Prof. Dr.-Ing. Torben Weis Building BC, 4 th Floor, Room 407 http://www.vs.uni-due.de Scientific Staff Christopher Boelmann Sebastian Schuster Matthäus Wander Working Areas Networked systems

More information

Part 5 DNS Security. SAST01 An Introduction to Information Security 2015-09-21. Martin Hell Department of Electrical and Information Technology

Part 5 DNS Security. SAST01 An Introduction to Information Security 2015-09-21. Martin Hell Department of Electrical and Information Technology SAST01 An Introduction to Information Security Part 5 DNS Security Martin Hell Department of Electrical and Information Technology How DNS works Amplification attacks Cache poisoning attacks DNSSEC 1 2

More information

Internet Measurement Research

Internet Measurement Research Internet Measurement Research Matthäus Wander Kassel, October 1, 2013 Overview How to get measurement data? Research projects Case studies of past projects Ideas and inspiration

More information

Large-scale DNS and DNSSEC data sets for network security research

Large-scale DNS and DNSSEC data sets for network security research Large-scale DNS and DNSSEC data sets for network security research Roland van Rijswijk-Deij 1,2, Anna Sperotto 1, and Aiko Pras 1 1 Design and Analysis of Communication Systems (DACS), University of Twente,

More information

Internet-Praktikum I Lab 3: DNS

Internet-Praktikum I Lab 3: DNS Kommunikationsnetze Internet-Praktikum I Lab 3: DNS Mark Schmidt, Andreas Stockmayer Sommersemester 2015 kn.inf.uni-tuebingen.de Motivation for the DNS Problem IP addresses hard to remember for humans

More information

Security of IPv6 and DNSSEC for penetration testers

Security of IPv6 and DNSSEC for penetration testers Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education System and Network Engineering June 30, 2011 Agenda Introduction DNSSEC security IPv6 security Conclusion Questions

More information

THE MASTER LIST OF DNS TERMINOLOGY. First Edition

THE MASTER LIST OF DNS TERMINOLOGY. First Edition THE MASTER LIST OF DNS TERMINOLOGY First Edition DNS can be hard to understand and if you re unfamiliar with the terminology, learning more about DNS can seem as daunting as learning a new language. To

More information

THE MASTER LIST OF DNS TERMINOLOGY. v 2.0

THE MASTER LIST OF DNS TERMINOLOGY. v 2.0 THE MASTER LIST OF DNS TERMINOLOGY v 2.0 DNS can be hard to understand and if you re unfamiliar with the terminology, learning more about DNS can seem as daunting as learning a new language. To help people

More information

DNSSEC Applying cryptography to the Domain Name System

DNSSEC Applying cryptography to the Domain Name System DNSSEC Applying cryptography to the Domain Name System Gijs van den Broek Graduate Intern at SURFnet Overview First half: Introduction to DNS Attacks on DNS Second half: DNSSEC Questions: please ask! DNSSEC

More information

DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008

DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008 DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008 Kim Davies Internet Assigned Numbers Authority Internet Corporation for Assigned Names & Numbers Agenda How do you

More information

Hushmail Express Password Encryption in Hushmail. Brian Smith Hush Communications

Hushmail Express Password Encryption in Hushmail. Brian Smith Hush Communications Hushmail Express Password Encryption in Hushmail Brian Smith Hush Communications Introduction...2 Goals...2 Summary...2 Detailed Description...4 Message Composition...4 Message Delivery...4 Message Retrieval...5

More information

CS 355. Computer Networking. Wei Lu, Ph.D., P.Eng.

CS 355. Computer Networking. Wei Lu, Ph.D., P.Eng. CS 355 Computer Networking Wei Lu, Ph.D., P.Eng. Chapter 2: Application Layer Overview: Principles of network applications? Introduction to Wireshark Web and HTTP FTP Electronic Mail: SMTP, POP3, IMAP

More information

DNS & IPv6. Agenda 4/14/2009. MENOG4, 8-9 April 2009. Raed Al-Fayez SaudiNIC CITC rfayez@citc.gov.sa, www.nic.net.sa. DNS & IPv6.

DNS & IPv6. Agenda 4/14/2009. MENOG4, 8-9 April 2009. Raed Al-Fayez SaudiNIC CITC rfayez@citc.gov.sa, www.nic.net.sa. DNS & IPv6. DNS & IPv6 MENOG4, 8-9 April 2009 Raed Al-Fayez SaudiNIC CITC rfayez@citc.gov.sa, www.nic.net.sa Agenda DNS & IPv6 Introduction What s next? SaudiNIC & IPv6 About SaudiNIC How a cctld Registry supports

More information

Domain Name System (DNS)

Domain Name System (DNS) Domain Name System (DNS) Instructor: Anirban Mahanti Office: ICT 745 Email: mahanti@cpsc.ucalgary.ca Class Location: ICT 121 Lectures: MWF 12:00 12:50 Notes derived from Computer Networking: A Top Down

More information

DNSSEC. Introduction. Domain Name System Security Extensions. AFNIC s Issue Papers. 1 - Organisation and operation of the DNS

DNSSEC. Introduction. Domain Name System Security Extensions. AFNIC s Issue Papers. 1 - Organisation and operation of the DNS AFNIC s Issue Papers DNSSEC Domain Name System Security Extensions 1 - Organisation and operation of the DNS 2 - Cache poisoning attacks 3 - What DNSSEC can do 4 - What DNSSEC cannot do 5 - Using keys

More information

Domain Name System Richard T. B. Ma

Domain Name System Richard T. B. Ma Domain Name System Richard T. B. Ma School of Computing National University of Singapore CS 3103: Compute Networks and Protocols Names Vs. Addresses Names are easier for human to remember www.comp.nus.edu.sg

More information

Introduction Header Body content Todo List. Email Analysis. Joe Huang Anti-Spam Team Cellopoint. February 21, 2014. Joe Huang Email Analysis 1 / 62

Introduction Header Body content Todo List. Email Analysis. Joe Huang Anti-Spam Team Cellopoint. February 21, 2014. Joe Huang Email Analysis 1 / 62 Email Analysis Joe Huang Anti-Spam Team Cellopoint February 21, 2014 Joe Huang Email Analysis 1 / 62 Joe Huang Email Analysis 2 / 62 For spam filtering, we would like to study the content of an email to

More information

Computer Networks: Domain Name System

Computer Networks: Domain Name System Computer Networks: Domain Name System Domain Name System The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses DNS www.example.com 208.77.188.166 http://www.example.com

More information

http://www.dominioweb.org Per informazioni: domini@dominioweb.org

http://www.dominioweb.org Per informazioni: domini@dominioweb.org Domini http://www.dominioweb.org Per informazioni: domini@dominioweb.org Costo Anno i.e..it 8,80.com 8,80.net 8,80.org 8,80.info 8,80.biz 8,80.eu 11,90.name 10,30.mobi 20,00.de 20,00.ch 25,00.ws 10,00.tel

More information

Lecture 2 CS 3311. An example of a middleware service: DNS Domain Name System

Lecture 2 CS 3311. An example of a middleware service: DNS Domain Name System Lecture 2 CS 3311 An example of a middleware service: DNS Domain Name System The problem Networked computers have names and IP addresses. Applications use names; IP uses for routing purposes IP addresses.

More information

IPv6 support in the DNS

IPv6 support in the DNS IPv6 support in the DNS How important is the DNS? Getting the IP address of the remote endpoint is necessary for every communication between TCP/IP applications Humans are unable to memorize millions of

More information

One year of DANE Tales and Lessons Learned. sys4.de

One year of DANE Tales and Lessons Learned. sys4.de One year of DANE Tales and Lessons Learned sys4.de DANE secures Security Why secure Security? Encryption Models Opportunistic Encryption > Expect anything > Proceed if absent > Try if offered > Proceed

More information

2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008

2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008 2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008 Kim Davies Manager, Root Zone Services Internet Corporation for Assigned Names & Numbers How does the DNS work? A typical DNS query The

More information

DNS at NLnet Labs. Matthijs Mekking

DNS at NLnet Labs. Matthijs Mekking DNS at NLnet Labs Matthijs Mekking Topics NLnet Labs DNS DNSSEC Recent events NLnet Internet Provider until 1997 The first internet backbone in Holland Funding research and software projects that aid the

More information

DNS/DNSSEC loose ends

DNS/DNSSEC loose ends DNS/DNSSEC loose ends Karst Koymans & Niels Sijm Informatics Institute University of Amsterdam Friday, September 21, 2012 Karst Koymans & Niels Sijm (UvA) DNS/DNSSEC loose ends Friday, September 21, 2012

More information

DNSSEC: A Vision. Anil Sagar. Additional Director Indian Computer Emergency Response Team (CERT-In)

DNSSEC: A Vision. Anil Sagar. Additional Director Indian Computer Emergency Response Team (CERT-In) DNSSEC: A Vision Anil Sagar Additional Director Indian Computer Emergency Response Team (CERT-In) Outline DNS Today DNS Attacks DNSSEC: An Approach Countering DNS Attacks Conclusion 2 DNS Today DNS is

More information

Computer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce. Domain Name System

Computer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce. Domain Name System Computer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce 18/02/15 Networks: DNS attacks 1 Domain Name System The domain name system (DNS) is an applica>on- layer protocol

More information

DNSSEC and DNS Proxying

DNSSEC and DNS Proxying DNSSEC and DNS Proxying DNS is hard at scale when you are a huge target 2 CloudFlare DNS is big 3 CloudFlare DNS is fast 4 CloudFlare DNS is always under attack 5 CloudFlare A secure reverse proxy for

More information

DNSSEC Practice Statement (DPS)

DNSSEC Practice Statement (DPS) DNSSEC Practice Statement (DPS) 1. Introduction This document, "DNSSEC Practice Statement ( the DPS ) for the zones under management of Zodiac Registry Limited, states ideas of policies and practices with

More information

The Domain Name System (DNS)

The Domain Name System (DNS) The Domain Name System (DNS) Each Internet host is assigned a host name and an IP address Host names are structured character strings, e.g., www.cs.iastate.edu IP addresses are 32 bit integers, e.g., 129.186.3.6

More information

Network Security. DNS (In)security. Radboud University, The Netherlands. Autumn 2015

Network Security. DNS (In)security. Radboud University, The Netherlands. Autumn 2015 Network Security DNS (In)security Radboud University, The Netherlands Autumn 2015 A short recap Routing means directing (Internet) traffic to its target Internet is divided into 52, 000 Autonomous Systems

More information

High-speed cryptography and DNSCurve. D. J. Bernstein University of Illinois at Chicago

High-speed cryptography and DNSCurve. D. J. Bernstein University of Illinois at Chicago High-speed cryptography and DNSCurve D. J. Bernstein University of Illinois at Chicago Stealing Internet mail: easy! Given a mail message: Your mail software sends a DNS request, receives a server address,

More information

DNS: Domain Name System

DNS: Domain Name System DNS: Domain Name System People: many identifiers: SSN, name, passport # Internet hosts, routers: IP address (32 bit) - used for addressing datagrams name, e.g., ww.yahoo.com - used by humans Q: map between

More information

DomainWire. Edition 11 Q1 2015. Council of European National Top level Domain Registries - www.centr.org

DomainWire. Edition 11 Q1 2015. Council of European National Top level Domain Registries - www.centr.org DomainWire Edition 11 Q1 2015 Global TLD Stat Report DomainWire Stat Report is CENTR s quarterly publication covering status and trends in global top-level domains with a focus on European cctlds (country

More information

Domain Name System Security

Domain Name System Security Domain Name System Security Guevara Noubir Network Security Northeastern University 1 Domain Name System DNS is a fundamental applica=on layer protocol Not visible but invoked every =me a remote site is

More information

CS3250 Distributed Systems

CS3250 Distributed Systems CS3250 Distributed Systems Lecture 4 More on Network Addresses Domain Name System DNS Human beings (apart from network administrators and hackers) rarely use IP addresses even in their human-readable dotted

More information

DNS Abuse Handling. Champika Wijayatunga APRICOT2015 Fukuoka Japan Feb 2015

DNS Abuse Handling. Champika Wijayatunga APRICOT2015 Fukuoka Japan Feb 2015 DNS Abuse Handling Champika Wijayatunga APRICOT2015 Fukuoka Japan Feb 2015 Acknowledgements Dave Piscitello Vice President, Security and ICT Coordination ICANN 2 2 Agenda 1 2 3 Brief Overview of DNS Defining

More information

DNSSEC for Everybody: A Beginner s Guide

DNSSEC for Everybody: A Beginner s Guide DNSSEC for Everybody: A Beginner s Guide San Francisco, California 14 March 2011 4:00 to 5:00 p.m. Colonial Room The Schedule 2 This is Ugwina. She lives in a cave on the edge of the Grand Canyon... This

More information

DNS Domain Name System

DNS Domain Name System Domain Name System DNS Domain Name System The domain name system is usually used to translate a host name into an IP address Domain names comprise a hierarchy so that names are unique, yet easy to remember.

More information

DNSSEC and Its Potential for DDoS Attacks

DNSSEC and Its Potential for DDoS Attacks DNSSEC and Its Potential for DDoS Attacks A Comprehensive Measurement Study Roland van Rijswijk-Deij University of Twente and SURFnet bv r.m.vanrijswijk@utwente.nl Anna Sperotto University of Twente a.sperotto@utwente.nl

More information

Enabling Secure On-line DNS Dynamic Update

Enabling Secure On-line DNS Dynamic Update Enabling Secure On-line DNS Dynamic Update Xunhua Wand, Yih Huang, David Rine Department of Computer Science George Meson University Yvo Desmdt Department of Computer Science Florida State University by

More information

Domain Name System (or Service) (DNS) Computer Networks Term B10

Domain Name System (or Service) (DNS) Computer Networks Term B10 Domain Name System (or Service) (DNS) Computer Networks Term B10 DNS Outline DNS Hierarchial Structure Root Name Servers Top-Level Domain Servers Authoritative Name Servers Local Name Server Caching and

More information

Agenda. Network Services. Domain Names. Domain Name. Domain Names Domain Name System Internationalized Domain Names. Domain Names & DNS

Agenda. Network Services. Domain Names. Domain Name. Domain Names Domain Name System Internationalized Domain Names. Domain Names & DNS Agenda Network Services Domain Names & DNS Domain Names Domain Name System Internationalized Domain Names Johann Oberleitner SS 2006 Domain Names Naming of Resources Problems of Internet's IP focus IP

More information

Overview of DNSSEC deployment worldwide

Overview of DNSSEC deployment worldwide The EURid Insights series aims to analyse specific aspects of the domainname environment. The reports are based on surveys, studies and research conducted by EURid in cooperation with industry experts

More information

DNSSEC update TF Mobility, Vienna

DNSSEC update TF Mobility, Vienna DNSSEC update TF Mobility, Vienna Roland van Rijswijk roland.vanrijswijk [at] surfnet.nl February 18th 2010 Overview - Introduction - DNSSEC validation on resolvers - Update on what we ve learned so far

More information

DATA COMMUNICATOIN NETWORKING

DATA COMMUNICATOIN NETWORKING DATA COMMUNICATOIN NETWORKING Instructor: Ouldooz Baghban Karimi Course Book: Computer Networking, A Top-Down Approach By: Kurose, Ross Introduction Course Overview Basics of Computer Networks Internet

More information

Detecting Search Lists in Authoritative DNS

Detecting Search Lists in Authoritative DNS Detecting Search Lists in Authoritative DNS Andrew Simpson March 10 th, 2014 Summary Early research into name collisions has postulated that search list interaction drives some portion of the DNS requests

More information

Domain Name System DNS

Domain Name System DNS CE443 Computer Networks Domain Name System DNS Behnam Momeni Computer Engineering Department Sharif University of Technology Acknowledgments: Lecture slides are from Computer networks course thought by

More information

.eu Insights. Website usage trends among top-level domains 2014

.eu Insights. Website usage trends among top-level domains 2014 .eu Insights Website usage trends among top-level domains 2014 January 2014 .eu Insights The EURid Insights series aims to analyse specific aspects of the domain name environment. The reports are based

More information

Chapter 2 Application Layer

Chapter 2 Application Layer Chapter 2 Application Layer A note on the use of these ppt slides: We re making these slides freely available to all (faculty, students, readers). They re in PowerPoint form so you see the animations;

More information

CS 557 - Lecture 22 DNS Security

CS 557 - Lecture 22 DNS Security CS 557 - Lecture 22 DNS Security DNS Security Introduction and Requirements, RFC 4033, 2005 Fall 2013 The Domain Name System Virtually every application uses the Domain Name System (DNS). DNS database

More information

Resilient Networking. Thorsten Strufe. Module 5: Name Resolution / DNS

Resilient Networking. Thorsten Strufe. Module 5: Name Resolution / DNS Resilient Networking Thorsten Strufe Module 5: Name Resolution / DNS Disclaimer: This module prepared in cooperation with Mathias Fischer, Michael Roßberg, and Günter Schäfer Dresden, SS 15 Module Outline

More information

Author: Kai Engert, kaie at redhat dot com or kaie at kuix dot de For updates to this document, please check http://kuix.

Author: Kai Engert, kaie at redhat dot com or kaie at kuix dot de For updates to this document, please check http://kuix. Spam Salt aka Message Salt An invention against email abuse (Spam), introducing an email sender authentication mechanism. Author: Kai Engert, kaie at redhat dot com or kaie at kuix dot de For updates to

More information

INTERNET DOMAIN NAME SYSTEM

INTERNET DOMAIN NAME SYSTEM INTERNET DOMAIN NAME SYSTEM http://www.tutorialspoint.com/internet_technologies/internet_domain_name_system.htm Copyright tutorialspoint.com Overview When DNS was not into existence, one had to download

More information

Section 1 Overview... 4. Section 2 Home... 5

Section 1 Overview... 4. Section 2 Home... 5 ecogent User Guide 2012 Cogent Communications, Inc. All rights reserved. Every effort has been made to ensure that the information in this User Guide is accurate. Information in this document is subject

More information

SIDN Server Measurements

SIDN Server Measurements SIDN Server Measurements Yuri Schaeffer 1, NLnet Labs NLnet Labs document 2010-003 July 19, 2010 1 Introduction For future capacity planning SIDN would like to have an insight on the required resources

More information

A Security Evaluation of DNSSEC with NSEC3

A Security Evaluation of DNSSEC with NSEC3 A Security Evaluation of DNSSEC with NSEC3 Jason Bau Stanford University Stanford, CA, USA jbau@stanford.edu Abstract Domain Name System Security Extensions (DNSSEC) with Hashed Authenticated Denial of

More information

Where is Hong Kong in the secure Internet infrastructure development. Warren Kwok, CISSP Internet Society Hong Kong 12 August 2011

Where is Hong Kong in the secure Internet infrastructure development. Warren Kwok, CISSP Internet Society Hong Kong 12 August 2011 The Internet is for Everyone. Become an ISOC Member. Cyber Security Symposium 2011 Where is Hong Kong in the secure Internet infrastructure development Warren Kwok, CISSP Internet Society Hong Kong 12

More information

QUESTIONS AND ANSWERS

QUESTIONS AND ANSWERS TECHNOLOGY CONSULTANCY Innovative. Reliable. Efficient. QUESTIONS AND ANSWERS WEB HOSTING SERVICES What you need to know about Web Hosting Q&A - WEBHOSTING 1. What is web hosting? Web Hosting is a service

More information

The Domain Name System

The Domain Name System Internet Engineering 241-461 Robert Elz kre@munnari.oz.au kre@coe.psu.ac.th http://fivedots.coe.psu.ac.th/~kre DNS The Domain Name System Kurose & Ross: Computer Networking Chapter 2 (2.5) James F. Kurose

More information

IANA Functions to cctlds Sofia, Bulgaria September 2008

IANA Functions to cctlds Sofia, Bulgaria September 2008 IANA Functions to cctlds Sofia, Bulgaria September 2008 Kim Davies Internet Assigned Numbers Authority Internet Corporation for Assigned Names & Numbers What is IANA? Internet Assigned Numbers Authority

More information

DNS. The Root Name Servers. DNS Hierarchy. Computer System Security and Management SMD139. Root name server. .se name server. .

DNS. The Root Name Servers. DNS Hierarchy. Computer System Security and Management SMD139. Root name server. .se name server. . Computer System Security and Management SMD139 Lecture 5: Domain Name System Peter A. Jonsson DNS Translation of Hostnames to IP addresses Hierarchical distributed database DNS Hierarchy The Root Name

More information

Password Cracking Beyond Brute-Force

Password Cracking Beyond Brute-Force Password Cracking Beyond Brute-Force by Immanuel Willi Most password mechanisms work by comparing a password against a stored reference value. It is insecure to store the whole password, so one-way functions

More information

Domain Name System. CS 571 Fall 2006. 2006, Kenneth L. Calvert University of Kentucky, USA All rights reserved

Domain Name System. CS 571 Fall 2006. 2006, Kenneth L. Calvert University of Kentucky, USA All rights reserved Domain Name System CS 571 Fall 2006 2006, Kenneth L. Calvert University of Kentucky, USA All rights reserved DNS Specifications Domain Names Concepts and Facilities RFC 1034, November 1987 Introduction

More information

THE DOMAIN NAME SYSTEM DNS

THE DOMAIN NAME SYSTEM DNS Announcements THE DOMAIN NAME SYSTEM DNS Internet Protocols CSC / ECE 573 Fall, 2005 N. C. State University copyright 2005 Douglas S. Reeves 2 Today s Lecture I. Names vs. Addresses II. III. IV. The Namespace

More information

Wildcard and SAN: Understanding Multi-Use SSL Certificates

Wildcard and SAN: Understanding Multi-Use SSL Certificates Wildcard and SAN: Understanding Multi-Use SSL Certificates LEVERAGING MULTI-USE DIGITAL CERTIFICATES TO SIMPLIFY CERTIFICATE MANAGEMENT AND REDUCE COSTS Wildcard and SAN: Understanding Multi-Use SSL Certificates

More information

The Internet, Intranets, and Extranets. What is the Internet. What is the Internet cont d.

The Internet, Intranets, and Extranets. What is the Internet. What is the Internet cont d. C H A P T E R 7 The Internet, Intranets, and Extranets What is the Internet Millions of computers, all linked together on a computer network. A home computer usually links to the Internet using a phone

More information

Snow Agent System Pilot Deployment version

Snow Agent System Pilot Deployment version Pilot Deployment version Security policy Revision: 1.0 Authors: Per Atle Bakkevoll, Johan Gustav Bellika, Lars, Taridzo Chomutare Page 1 of 8 Date of issue 03.07.2009 Revision history: Issue Details Who

More information

Guidance for Preparing Domain Name Orders, Seizures & Takedowns

Guidance for Preparing Domain Name Orders, Seizures & Takedowns Guidance for Preparing Domain Name Orders, Seizures & Takedowns Abstract This thought paper offers guidance for anyone who prepares an order that seeks to seize or take down domain names. Its purpose is

More information

Root zone update for TLD managers Mexico City, Mexico March 2009

Root zone update for TLD managers Mexico City, Mexico March 2009 Root zone update for TLD managers Mexico City, Mexico March 2009 Kim Davies Manager, Root Zone Services Internet Corporation for Assigned Names & Numbers A quick census 280 delegated 11 testing 280 delegated

More information

.uk Policy Experience: Release of short domain names. Accra. 21 April 2011

.uk Policy Experience: Release of short domain names. Accra. 21 April 2011 .uk Policy Experience: Release of short domain names AfTLD Presentation Accra 21 April 2011 Agenda 1.Issue 2.Rule changes 3.Sunrise process 4.Where are we now? 5.Lessons learned... 6.Q&A 2 What is the

More information

Internet Security [1] VU 184.216. Engin Kirda engin@infosys.tuwien.ac.at

Internet Security [1] VU 184.216. Engin Kirda engin@infosys.tuwien.ac.at Internet Security [1] VU 184.216 Engin Kirda engin@infosys.tuwien.ac.at Christopher Kruegel chris@auto.tuwien.ac.at Administration Challenge 2 deadline is tomorrow 177 correct solutions Challenge 4 will

More information

DDoS Vulnerability Analysis of Bittorrent Protocol

DDoS Vulnerability Analysis of Bittorrent Protocol DDoS Vulnerability Analysis of Bittorrent Protocol Ka Cheung Sia kcsia@cs.ucla.edu Abstract Bittorrent (BT) traffic had been reported to contribute to 3% of the Internet traffic nowadays and the number

More information

Chapter 8. Network Security

Chapter 8. Network Security Chapter 8 Network Security Cryptography Introduction to Cryptography Substitution Ciphers Transposition Ciphers One-Time Pads Two Fundamental Cryptographic Principles Need for Security Some people who

More information

.be domain names & registrars

.be domain names & registrars .be domain names & registrars 2014 2 Number of new.be registrations 193,659 222,919 232,746 257,637 267,780 306,341 299,846 264,930 2007 2008 2009 2010 2011 2012 2013 2014 Movements in the number of domain

More information

Domain Name System. Overview. Domain Name System. Domain Name System

Domain Name System. Overview. Domain Name System. Domain Name System Overview Domain Name System We look first at how the Domain Name System (DNS) is implemented and the role it plays in the Internet We examine some potential DNS vulnerabilities and in particular we consider

More information

The Domain Name System

The Domain Name System DNS " This is the means by which we can convert names like news.bbc.co.uk into IP addresses like 212.59.226.30 " Purely for the benefit of human users: we can remember numbers (e.g., telephone numbers),

More information

The Collateral Damage of Internet Censorship by DNS Injection

The Collateral Damage of Internet Censorship by DNS Injection The Collateral Damage of Internet Censorship by DNS Injection Anonymous presented by Philip Levis 1 Basic Summary Great Firewall of China injects DNS responses to restrict access

More information

DomainWire. Edition 13 Q3 2015. Council of European National Top level Domain Registries - www.centr.org

DomainWire. Edition 13 Q3 2015. Council of European National Top level Domain Registries - www.centr.org DomainWire Edition 13 Q3 2015 Global TLD Stat Report DomainWire Stat Report is CENTR s quarterly publication covering status and trends in global top-level domains with a focus on European cctlds (country

More information

DNSSEC - Why Network Operators Should Care And How To Accelerate Deployment

DNSSEC - Why Network Operators Should Care And How To Accelerate Deployment DNSSEC - Why Network Operators Should Care And How To Accelerate Deployment Dan York, CISSP Senior Content Strategist, Internet Society Eurasia Network Operators' Group (ENOG) 4 Moscow, Russia October

More information

Adobe Systems Software Ireland Ltd

Adobe Systems Software Ireland Ltd Adobe Systems Software Ireland Ltd Own motion investigation report 13/00007 Timothy Pilgrim, Australian Privacy Commissioner Contents Overview... 2 Background... 3 Relevant provisions of the Privacy Act...

More information

The Environment Surrounding DNS. 3.1 The Latest DNS Trends. 3. Technology Trends

The Environment Surrounding DNS. 3.1 The Latest DNS Trends. 3. Technology Trends 3. The Environment Surrounding DNS DNS is used in many applications, serving as an important Internet service. Here we discuss name collision issues that have arisen with recent TLD additions, and examine

More information

Lesson 13: DNS Security. Javier Osuna josuna@gmv.com GMV Head of Security and Process Consulting Division

Lesson 13: DNS Security. Javier Osuna josuna@gmv.com GMV Head of Security and Process Consulting Division Lesson 13: DNS Security Javier Osuna josuna@gmv.com GMV Head of Security and Process Consulting Division Introduction to DNS The DNS enables people to use and surf the Internet, allowing the translation

More information

Deploying DNSSEC: From End-Customer To Content

Deploying DNSSEC: From End-Customer To Content Deploying DNSSEC: From End-Customer To Content March 28, 2013 www.internetsociety.org Our Panel Moderator: Dan York, Senior Content Strategist, Internet Society Panelists: Sanjeev Gupta, Principal Technical

More information

Dynamic Searchable Encryption in Very Large Databases: Data Structures and Implementation

Dynamic Searchable Encryption in Very Large Databases: Data Structures and Implementation Dynamic Searchable Encryption in Very Large Databases: Data Structures and Implementation David Cash, Joseph Jaeger, Stanislaw Jarecki, Charanjit Jutla, Hugo Krawczyk, Marcel Roşu and Michael Steiner Rutgers

More information

Chapter 9: Name Services. 9.1 Introduction 9.2 Name services and the DNS 9.3 Directory services 9.6 Summary

Chapter 9: Name Services. 9.1 Introduction 9.2 Name services and the DNS 9.3 Directory services 9.6 Summary Chapter 9: Name Services 9.1 Introduction 9.2 Name services and the DNS 9.3 Directory services 9.6 Summary Learning objectives To understand the need for naming systems in distributed systems To be familiar

More information

The Domain Name System from a security point of view

The Domain Name System from a security point of view The Domain Name System from a security point of view Simon Boman Patrik Hellström Email: {simbo105, pathe321}@student.liu.se Supervisor: David Byers, {davby@ida.liu.se} Project Report for Information Security

More information

AppInspect: Large-scale Evaluation of Social Networking Apps

AppInspect: Large-scale Evaluation of Social Networking Apps AppInspect: Large-scale Evaluation of Social Networking Apps ACM COSN, Boston, 10/08/2013 Markus Huber, Martin Mulazzani, Sebastian Schrittwieser, Edgar Weippl mhuber[at]sba-research[dot]org Main Contributions

More information

Computer Networks: Domain Name Service (DNS)

Computer Networks: Domain Name Service (DNS) Computer Networks: Domain Name Service (DNS) CS 3516 D- term 2013 Instructor: Krishna Venkatasubramanian Quiz 2 DNS: domain name system people: many identifiers: SSN, name, passport # Internet hosts, routers:

More information

DNS security: poisoning, attacks and mitigation

DNS security: poisoning, attacks and mitigation DNS security: poisoning, attacks and mitigation The Domain Name Service underpins our use of the Internet, but it has been proven to be flawed and open to attack. Richard Agar and Kenneth Paterson explain

More information

Vorlesung Kommunikationsnetze Domain Name System

Vorlesung Kommunikationsnetze Domain Name System Picture 15 13 Vorlesung Kommunikationsnetze Domain Name System Prof. Dr. H. P. Großmann mit B. Wiegel sowie A. Schmeiser und M. Rabel Sommersemester 2009 Institut für Organisation und Management von Informationssystemen

More information

18-731 Midterm. Name: Andrew user id:

18-731 Midterm. Name: Andrew user id: 18-731 Midterm 6 March 2008 Name: Andrew user id: Scores: Problem 0 (10 points): Problem 1 (10 points): Problem 2 (15 points): Problem 3 (10 points): Problem 4 (20 points): Problem 5 (10 points): Problem

More information

DNS Cache-Poisoning: New Vulnerabilities and Implications, or: DNSSEC, the time has come!

DNS Cache-Poisoning: New Vulnerabilities and Implications, or: DNSSEC, the time has come! DNS Cache-Poisoning: New Vulnerabilities and Implications, or: DNSSEC, the time has come! Amir Herzberg and Haya Shulman Dept. of Computer Science Bar Ilan University 8/1/2013 About us Bar Ilan University

More information

Database Design Patterns. Winter 2006-2007 Lecture 24

Database Design Patterns. Winter 2006-2007 Lecture 24 Database Design Patterns Winter 2006-2007 Lecture 24 Trees and Hierarchies Many schemas need to represent trees or hierarchies of some sort Common way of representing trees: An adjacency list model Each

More information

How do I get to www.randomsite.com?

How do I get to www.randomsite.com? Networking Primer* *caveat: this is just a brief and incomplete introduction to networking to help students without a networking background learn Network Security. How do I get to www.randomsite.com? Local

More information

Secure Remote Password (SRP) Authentication

Secure Remote Password (SRP) Authentication Secure Remote Password (SRP) Authentication Tom Wu Stanford University tjw@cs.stanford.edu Authentication in General What you are Fingerprints, retinal scans, voiceprints What you have Token cards, smart

More information

DNS. Spring 2016 CS 438 Staff 1

DNS. Spring 2016 CS 438 Staff 1 DNS Spring 2016 CS 438 Staff 1 Host Names vs. IP addresses Host names Mnemonic name appreciated by humans Variable length, full alphabet of characters Provide little (if any) information about physical

More information

Domain Name System 2015-04-28 17:49:44 UTC. 2015 Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement

Domain Name System 2015-04-28 17:49:44 UTC. 2015 Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement Domain Name System 2015-04-28 17:49:44 UTC 2015 Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement Contents Domain Name System... 4 Domain Name System... 5 How DNS Works

More information