The Collateral Damage of Internet Censorship by DNS Injection

Similar documents
The Collateral Damage of Internet Censorship by DNS Injection

The Collateral Damage of Internet Censorship by DNS Injection

DNS Tampering and Root Servers

The curse of the Open Recursor. Tom Paseka Network Engineer

The Impact of DNSSEC. Matthäus Wander. on the Internet Landscape. Duisburg, June 19, 2015

Towards a Comprehensive Picture of the Great Firewall s DNS Censorship

Where is Hong Kong in the secure Internet infrastructure development. Warren Kwok, CISSP Internet Society Hong Kong 12 August 2011

The Great DNS Wall of China

DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008

PowerLink Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions

The Environment Surrounding DNS. 3.1 The Latest DNS Trends. 3. Technology Trends

Computer Networks: Domain Name System

The Survey Report on DNS Cache & Recursive Service in China Mainland

HW2 Grade. CS585: Applications. Traditional Applications SMTP SMTP HTTP 11/10/2009

DNS traffic analysis -- Issues of IPv6 and CDN --

Detecting Search Lists in Authoritative DNS

Measuring the Web: Part I - - Content Delivery Networks. Prof. Anja Feldmann, Ph.D. Dr. Ramin Khalili Georgios Smaragdakis, PhD

Harness Your Internet Activity!

THE MASTER LIST OF DNS TERMINOLOGY. v 2.0

EECS 489 Winter 2010 Midterm Exam

The secret life of a DNS query. Igor Sviridov <sia@nest.org>

Lab Configure and Test Advanced Protocol Handling on the Cisco PIX Security Appliance

Internet Measurement Research

THE MASTER LIST OF DNS TERMINOLOGY. First Edition

Internet (IPv4) Topology Mapping. Department of Computer Science The University of Texas at Dallas

Multihoming: An Overview

Many network and firewall administrators consider the network firewall at the network edge as their primary defense against all network woes.

Application Note. SIP Domain Management

How Your Computer Accesses the Internet through your Wi-Fi for Boats Router

Citrix NetScaler and Microsoft SharePoint 2013 Hybrid Deployment Guide

Use Domain Name System and IP Version 6

LinkProof DNS Quick Start Guide

Computer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce. Domain Name System

2. What is the maximum value of each octet in an IP address? A. 28 B. 255 C. 256 D. None of the above

DNS Basics. DNS Basics

- Domain Name System -

Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure: Network Services (5 days)

Click on Start Control Panel Windows Firewall. This will open the main Windows Firewall configuration window.

Internet Performance Impacts of Canadian Content Hosting

Using IPM to Measure Network Performance

Hosting more than one FortiOS instance on. VLANs. 1. Network topology

APNIC elearning: BGP Basics. Contact: erou03_v1.0

How the Great Firewall discovers hidden circumvention servers. Roya Ensafi David Fifield Philipp Winter Nick Weaver Nick Feamster Vern Paxson

Exterior Gateway Protocols (BGP)

Fundamentals of Windows Server 2008 Network and Applications Infrastructure

Load Balancing. Final Network Exam LSNAT. Sommaire. How works a "traditional" NAT? Un article de Le wiki des TPs RSM.

allow all such packets? While outgoing communications request information from a

GLOBAL SERVER LOAD BALANCING WITH SERVERIRON

My Services Online Service Support. User Guide for DNS and NTP services

INTERNET DOMAIN NAME SYSTEM

Network Layers. CSC358 - Introduction to Computer Networks

Chapter 3 Security and Firewall Protection

SIP, Security and Session Border Controllers

Monitoring the DNS. Gustavo Lozano Event Name XX XXXX 2015

Managing (VoIP) Applications DYSWIS

WPAD TECHNOLOGY WEAKNESSES. Sergey Rublev Expert in information security, "Positive Technologies"

Ignoring the Great Firewall of China

Security of IPv6 and DNSSEC for penetration testers

LAN TCP/IP and DHCP Setup

An Intrusion Detection System for Kaminsky DNS Cache poisoning

CS 355. Computer Networking. Wei Lu, Ph.D., P.Eng.

nexvortex Setup Guide

Preventing your Network from Being Abused by Spammers

Customer Tips. Basic Configuration and Troubleshooting. for the user. Overview. Basic Configuration. Xerox Multifunction Devices.

Source-Connect Network Configuration Last updated May 2009

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

Peering in Hong Kong. Che-Hoo CHENG CUHK/HKIX

LISP Functional Overview

DNS Record Injection Vulnerabilities in Home Routers

Internet Load Balancing Guide. Peplink Balance Series. Peplink Balance. Internet Load Balancing Solution Guide

NANOG DNS BoF. DNS DNSSEC IPv6 Tuesday, February 1, 2011 NATIONAL ENGINEERING & TECHNICAL OPERATIONS

How To Load balance traffic of Mail server hosted in the Internal network and redirect traffic over preferred Interface

Encryption. Administrator Guide

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

BGP route monitoring. Mar, 25, 2008 Matsuzaki maz Yoshinobu

Lesson 5-3: Border Gateway Protocol

The Bomgar Appliance in the Network

Installing Policy Patrol on a separate machine

Creating a VPN with overlapping subnets

State of the Cloud DNS Report

Citrix NetScaler Global Server Load Balancing Primer:

INFORMATION SECURITY REVIEW

Transcription:

The Collateral Damage of Internet Censorship by DNS Injection Anonymous <zion.vlab@gmail.com> presented by Philip Levis 1

Basic Summary Great Firewall of China injects DNS responses to restrict access to domain names This affects traffic originating outside China 26.4% of open resolvers affected.de is the most affected TLD (70% of open resolvers in kr) Explain how, where, and why this happens Present several possible solutions 2

Just To Be Clear This talk assumes that the Great Firewall of China is not designed to restrict Internet access to computers outside of China. Collateral damage means restricting access to computers outside China. 3

DNS Overview root. top level domain (TLD).com,.edu,.cn,.de Internet domain (authoritative) stanford.edu, baidu.cn www.stanford.edu? client resolver 171.53.10.4 4

DNS Injection DNS server Censoring AS www.youtube.com? resolver client 5

DNS Injection DNS server Censoring AS DNS injector www.youtube.com? resolver client 6

DNS Injection DNS server DNS injector Censoring AS lemon IP resolver client 7

DNS Injection DNS server Censoring AS DNS injector Typically affects both inbound and outbound queries lemon IP resolver client 8

DNS Injection DNS server Censoring AS DNS injector Typically affects both inbound and outbound queries. lemon IP resolver client 9 Typically does not suppress correct response, just wins race to respond.

Methodology HoneyQueries to detect autonomous systems paths to whom see DNS injection TraceQueries to identify location of injectors on affected paths StepNXQueries to measure collateral damage of DNS injection 10

HoneyQuery HoneyQuery: DNS query to sensitive domains, sent to unresponsive IP Assumption: all observed DNS responses are from DNS injectors Send from a single vantage point (AS 40676) 14 million IPs that cover all /24 subnets Paths spread to discover all injecting autonomous systems Record IPs in responses: lemon IPs 11

Probed Domain Names Domain www.google.com www.facebook.com www.twitter.com www.youtube.com www.yahoo.com www.appspot.com www.xxx.com www.urltrends.com www.live.com www.wikipedia.com Category Search Engine Social Network Social Network Streaming Media Portal Web Hosting Pornography Site Ranking Portal Reference 12

Blacklisted Domains Domain www.google.com www.facebook.com www.twitter.com www.youtube.com www.yahoo.com www.appspot.com www.xxx.com www.urltrends.com www.live.com www.wikipedia.com Category Search Engine Social Network Social Network Streaming Media Portal Web Hosting Pornography Site Ranking Portal Reference 13

HoneyQuery Results 28 lemon IPs found Use later to detect injected responses 388,988 (2.7%) of HoneyQueries responded Use to generate poisoned path list Destination Count Percentage CN 388,206 99.80% CA 363 0.09% US 127 0.03% HK 111 0.03% IN 94 0.02% Top 5 of 16 regions Why are paths to IP addresses outside of China experiencing DNS injection? 14

TraceQuery For each IP address in the poisoned path list, send a DNS query to a blacklisted domain with increasing TTL Queries which reach an injector will trigger a response Mark IP address and autonomous system of router for TTL that triggers response Sometimes queries trigger multiple responses, from multiple injectors 15

Example www.facebook.com? AS1 AS2 AS3 AS4 16

Example www.facebook.com? AS1 AS2 AS3 AS4 17

Example lemon IP AS1 AS2 AS3 AS4 18

Example lemon IP AS1 AS2 AS3 AS4 19

Example lemon IP, lemon IP AS1 AS2 AS3 AS4 20

Example lemon IP, lemon IP, good IP AS1 AS2 AS3 AS4 21

Example lemon IP, lemon IP, good IP AS1 AS2 Injector A AS3 Injector B AS4 22

TraceQuery Results Found 3,120 router IP addresses associated with DNS injection All 3,120 IP addresses belong to 39 Chinese autonomous systems AS Name AS Number IPs Chinanet 4134 1952 CNCGroup China169 Backbone 4837 489 China Telecom (Group) 4812 289 CHINA RAILWAY Internet (CRNEt) 9394 78 China Netcom Corp. 9929 67 Top 5 ASes by router IP count How much does this affect the Internet? 23

Methodology Tested 43,842 open DNS resolvers in 173 countries outside of China List from probing DNS servers of Alexa 1M top websites Supplemented by lists from researchers Query for blacklisted domain from vantage point, check if response is lemon IP Test blacklisted name for all 312 TLDs Also, check against TCP-based DNS queries (injectors do not target DNS queries over TCP) 24

StepNX Query To identify where injection occurs, inject random strings into domain name Injectors use very liberal pattern matching Generate invalid names, expect NXDOMAIN response www.facebook.com.{invalid}: path to root server www.facebook.com.{invalid}.com: path to TLD server Repeat 200 times to try different servers/paths DNS Level Affected Resolvers Affected Rate Root 1 0.002% TLD 11573 26.4% Authoritative 99 0.23% Which resolution step sees injection 25

StepNX Query To identify where injection occurs, inject random strings into domain name Injectors use very liberal pattern matching Generate invalid names, expect NXDOMAIN response www.facebook.com.{invalid}: path to root server www.facebook.com.{invalid}.com: path to TLD server Repeat 200 times to try different servers/paths DNS Level Affected Resolvers Affected Rate Root 1 0.002% TLD 11573 26.4% Authoritative 99 0.23% Which resolution step sees injection 26

Who s Affected? 3 TLDs affected almost completely (99.53%) cn, xn--fiqs8s, xn--fiqz9s Expected: domains from within Great Firewall of China 11,573 (26.4%) of resolvers affected for one or more of 16 unexpected TLDs 27 TLD Affected Resolvers de 8192 xn--3e0b707e 5641 kr 4842 kp 384 co 90 travel 90 pl 90 no 90 iq 90 hk 90 fi 90 uk 90 xn--j6w193g 90 jp 90 nz 90 ca 90 16 unexpected TLDs affected by DNS injection on path from an open resolver

Whose Resolvers? Open resolvers in 109 regions affected Region Affected Resolvers Percentage Iran 157 88% Myanmar 163 85% Korea 198 79% Hong Kong 403 75% Taiwan 1146 66% India 250 60% Top 6 regions by affected open resolver percentage 28

Details:.de Region Resolvers Affected kr 76% my 66% hk 54% ar 44% il 42% ir 36% tw 36% bg 31% jp 28% ro 25% 10 regions whose open resolvers are most greatly affected for.de queries 29

nic.de,194.0.0.53) goes through a censoring AS (AS7497) in China, which is the cause of the collateral damage on this resolver. We show the AS path in Figure 5: 39737, 6939, 10026, 7497, 24151, 31529. Example.de Injection AS3549 (GBLX Global Crossing, US) AS3356 (LEVEL3,US) AS 1280 (ISC, US) AS4847 CNIX-AP AS9700 KRNIC-AS- KR AS4635 HKIX- RS1 HK AS4641 ASN- CUHKNET HK AS 24151 CNNIC CRITICAL-AP (CN) AS8763 DENIC- AS DENIC eg DE AS 10026 Pacnet Global (HK) AS7497 CSTNET-AS- AP(CN) AS 6939 Hurricane Electric (US) AS 39737 Net Vision Telcom SRL (RO) ASes in China... AS 24136 CNNIC-AP AS 23596 EDNSKR1 NIDA KR AS 31529 DENIC eg (DE) 30 Figure 5: Topology of ASes neighboring CNNIC

nic.de,194.0.0.53) goes through a censoring AS (AS7497) in China, which is the cause of the collateral damage on this resolver. We show the AS path in Figure 5: 39737, 6939, 10026, 7497, 24151, 31529. Example.de Injection AS3549 (GBLX Global Crossing, US) AS3356 (LEVEL3,US) AS 1280 (ISC, US) AS4847 CNIX-AP AS9700 KRNIC-AS- KR AS4635 HKIX- RS1 HK AS4641 ASN- CUHKNET HK AS 24151 CNNIC CRITICAL-AP (CN) AS8763 DENIC- AS DENIC eg DE AS 10026 Pacnet Global (HK) AS7497 CSTNET-AS- AP(CN) AS 6939 Hurricane Electric (US) AS 39737 Net Vision Telcom SRL (RO) ASes in China... AS 24136 CNNIC-AP AS 23596 EDNSKR1 NIDA KR AS 31529 DENIC eg (DE) 31 Figure 5: Topology of ASes neighboring CNNIC

nic.de,194.0.0.53) goes through a censoring AS (AS7497) in China, which is the cause of the collateral damage on this resolver. We show the AS path in Figure 5: 39737, 6939, 10026, 7497, 24151, 31529. Example.de Injection AS3549 (GBLX Global Crossing, US) AS3356 (LEVEL3,US) AS 1280 (ISC, US) AS4847 CNIX-AP AS9700 KRNIC-AS- KR AS4635 HKIX- RS1 HK AS4641 ASN- CUHKNET HK AS 24151 CNNIC CRITICAL-AP (CN) AS8763 DENIC- AS DENIC eg DE AS 10026 Pacnet Global (HK) AS7497 CSTNET-AS- AP(CN) AS 6939 Hurricane Electric (US) AS 39737 Net Vision Telcom SRL (RO) ASes in China... AS 24136 CNNIC-AP AS 23596 EDNSKR1 NIDA KR AS 31529 DENIC eg (DE) 32 Figure 5: Topology of ASes neighboring CNNIC

Solutions DNS injectors could filter out transit queries Autonomous systems could avoid transit through injecting neighbors Particularly, TLD operators could monitor peering paths Security extensions for DNS (DNSSEC) prevent injection DNSSEC has signed responses Resolvers would reject injected responses, accept slower ones from authoritative servers.de and.kr both support DNSSEC 33

Conclusion Great Firewall of China s DNS injection is affecting lookups originating outside China Caused by queries traversing Chinese ASes Effect is greatest at routes between resolvers and TLDs Suggestions on preventing collateral damage Some recent changes... 34

Questions please contact Anonymous <zion.vlab@gmail.com>

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information