SlideShare ist ein Scribd-Unternehmen logo

Grehack2013-RuoAndo-Unraveling large scale geographical distribution of vulnerable DNS servers using asynchronous I/O mechanism

Als PPTX, PDF herunterladen
Ruo Ando
Ruo Ando

Feasibility study of large scale attacks of DNS. We have found 10,334,293 DNS servers in 34 hours of first measurement (2013/05/31 – 2013/06/02) and 30285322 DNS servers in 26 hours of second measurement (2013/07/05).

Technologie
1 von 16
Unraveling large scale geographical distribution of vulnerable DNS servers using asynchronous I/O mechanism 2013/11/15 12:10 – 12:35 Ruo Ando, Yuuki Takano and Satoshi Uda Network Security Institute, National Institute of Information and Communication Technology, Tokyo, Japan
Introduction: obtaining attacker‟s landscape for mitigation and/or protection Feasiblity study of large scale attacks of DNS. Despite of its importance, we are not able to get comprehensive view of the situation of deployment of DNS servers in real-world. We have implemented aync I/O based crawler and found … [1] More than 10,000 obsolete version of BIND (4.x and 8.x) is still running and therefore remain exploitable. Send parse handler handler [2] 4835 (9.4.1) + 28680 (9.4.2) servers can be compromised by Kaminsky attack. Event base loop (nonblocking) Checking availability fd Recv (async) [3] we have found 24, 971, 990 Open Resolver servers of which RA flag is true.
Introduction: speed, speed and speed from “10,334,293 in 34 hours” to “30,285,322 in 26 hours” We have found 10,334,293 DNS servers in 34 hours of first measurement (2013/05/31 – 2013/06/02) and 30285322 DNS servers in 26 hours of second measurement (2013/07/05). Second Measurement 350000 300000 250000 200000 150000 100000 50000 0 1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33 time (hours) # of DNS servers detected # of DNS servers detected First Measurement 1800000 1600000 1400000 1200000 1000000 800000 600000 400000 200000 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 time (hours) Minimum Speed: 73 serves per second (06/02:22:00 – 23:00) Maximum speed: 474 servers per second (07/05:17:30 – 18:30)
Monitoring result: current DNS situation is catastrophic [1] More than 10,000 obsolete version of BIND (4.x and 8.x) is still running and therefore remain exploitable. [2] Kaminsky attack is possible in 4835 (9.4.1) + 28680 (9.4.2) servers. We'd debated doing the same thing ourselves for some time but worried about the collateral damage of what would happen if such a list fell into the hands of the bad guys. The last five days have made clear that the bad guys have the list of open resolvers and they are getting increasingly brazen in the attacks they are willing to launch. We are in full support of the Open Resolver Project and believe it is incumbent on all network providers to work with their customers to close any open resolvers running on their networks. [3] we have found 24, 971, 990 Open Resolver servers of which RA flag is true. Internet Under Attack: World's Largest DDoS Attack Almost Broke The Internet http://blog.cloudflare.com/the-ddos-that-almost-broke-theinternet
Fake response by IP address spoofing Dan Kaminsky Attack for DNS Cache poisoning (2003) Dummy Query For non-existent domain Recursive query Kaminski Attack: The big security news of Summer 2008 has been Dan Kaminsky's discovery of a serious vulnerability in DNS. This vulnerability could allow an attacker to redirect network clients to alternate servers of his own choosing, presumably for ill ends. This all led to a mad dash to patch DNS servers worldwide, and though there have been many writeups of just how the vulnerability manifests itself, we felt the need for one in far more detail. Hence, one of our Illustrated Guides. http://unixwiz.net/techtips/iguidekaminsky-dns-vuln.html Regular response about non-existent domain Metasploit: DNS BailiWicked Host Attack msf > use auxiliary/spoof/dns/ use auxiliary/spoof/dns/bailiwicked_domain use auxiliary/spoof/dns/compare_results use auxiliary/spoof/dns/bailiwicked_host Exploit ID: CAU-EX-2008-0002 Release Date: 2008.07.23 Title: bailiwicked_host.rb Description: Kaminsky DNS Cache Poisoning Flaw Exploit Tested: BIND 9.4.1-9.4.2 [2] 4835 (9.4.1) + 28680 (9.4.2) servers can be compromised by Kaminsky attack.
Related work: crawler design and DNS monitoring • Unraveling the BitTorrent Ecosystem, IEEE Transactions on Parallel and Distributed Systems archive Volume 22 Issue 7, July 2011 • Mining your Ps and Qs: detection of widespread weak keys in network devices, Security'12 Proceedings of the 21st USENIX conference on Security symposium • Crawling BitTorrent DHTs for fun and profit, WOOT'10 Proceedings of the 4th USENIX conference on Offensive technologies • Comparing DNS resolvers in the wild, IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement
Proposed method and improvements 2013/05/31 – 2013/06/02 -> 2013/07/05 – 2013/07/06 blocking Non-blocking Send with timer handler Recv (async) underministic Send parse handler handler Event base loop fd 10,334,293 DNS servers in 34 hours 30285322 DNS servers in 26 hours Two callbacks with one timeout ev_dns = event_new(ev_base, sockfd, EV_READ | EV_PERSIST, callback_dns, NULL); event_add(ev_dns, NULL); timeval tv = {0, QUERY_CYCLE * 1000}; ev_send = event_new(ev_base, -1, EV_TIMEOUT | EV_PERSIST, send_query, NULL); event_add(ev_send, &tv); event_base_dispatch(ev_base); Send loop : 225 ^ 4 = 4228250625 handler Checking availability fd Two callbacks with nonblocking mode ev_map[sockfd_a] = event_new(ev_base, sockfd_a, EV_READ | EV_PERSIST, callback_dns, NULL); event_add(ev_map[sockfd_a], NULL); ev_map[sockfd_ver] = event_new(ev_base, sockfd_ver, EV_READ | EV_PERSIST, send_query, &five_seconds); event_add(ev_map[sockfd_ver], NULL); event_base_dispatch(ev_base); Send loop : 225 ^ 4 = 4228250625
Handling two callbacks with libevent Asynchronous I/O crawler callback_dns(evutil_socket_t fd, short what, void *arg) send_query(evutil_socket_t fd, short what, void *arg) 43event_base *ev_base; 309 ev_dns = event_new(ev_base, sockfd, EV_READ | EV_PERSIST, callback_dns, NULL); 310 event_add(ev_dns, NULL); 311 312 timeval tv = {0, QUERY_CYCLE * 1000}; 313 ev_send = event_new(ev_base, -1, EV_TIMEOUT | EV_PERSIST, send_query, NULL); 314 event_add(ev_send, &tv); { "_id" : “X.X.X.X", "recv_date" : ISODate("2013-06-01T01:00:44.086Z"), "rir" : "APNIC", "type" : "Nominum Vantio", "type_ver" : "5.3.2.2", "ver" : "Nominum Vantio 5.3.2.2" } MongoDB NoSQL Datastore
Offline analysis for obtaining geographical distribution Asynchronous I/O crawler callback_dns( evutil_socket_t fd, short what, void *arg) MongoDB NoSQL Datastore my $connection = MongoDB::Connection->new ( host => „X.X.X.X', port => 27017 ); my $database = $connection->DNSCrawl2; my $collection = $database->servers_bind4; [1] store (logical address) [2] query [4] Store geological information { "_id" : “x.x.x.x", "country" : "JP", "longitude" : "139.751404", "city" : "Tokyo", "latitude" : "35.685001" } 248 for (it = ans.begin(); it != ans.end(); ++it) { 249 if (ntohs(it->m_type) == DNS_TYPE_TXT && 250 ntohs(it->m_class) == DNS_CLASS_CH) { 251 ptr_cdpi_dns_txt p_txt; 252 253 p_txt = DNS_RDATA_TO_TXT(it->m_rdata); 254 255 b.append("ver", p_txt->m_txt); [3] GeoIP Lookup my $data = $collection->find(); while (my $object = $data->next) { $id = $object->{'_id'}; $ver = $object->{'ver'}; $type = $object->{'type'}; my @r3 = trap { $collection2->insert({ _id => $id, type => $type, country => $country_code[1],});
First measurement (10334327 / 4228250625 in 34 hours) root@node31:~/blink/DNS/all# wc -l all-dump-2 Send with timer 10334327 all-dump-2 root@node31:~/blink/DNS/all# grep 1370011411915 all-dump { "_id" : “*.*.126.199", "recv_date" : { "$date" : 1370011411915 }, "rir" : "APNIC", "ver" : "" } handler Recv (async) underministic handler 2013/05/31 14:43:31 root@node31:~/blink/DNS/all# grep 1370134969890 all-dump fd { "_id" : “*.*.132.51", "recv_date" : { "$date" : 1370134969890 }, "rir" : "RIPE NCC" } 2013/06/02 01:02:49 First Measurement VM 350000 # of DNS servers detected 300000 Open Vswitch 250000 200000 MongoDB 150000 100000 50000 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 time (hours) Minimum Speed: 73 serves per second (06/02:22:00 – 23:00)
First Measurement: Measurement scope and statistics Total Type APNIC RIPE ARIN LACNIC AFRINI C other # # # # # # # BIND 9.x 2,369,863 336,263 769,182 860,335 96,703 10,953 296,427 BIND 8.x 15,771 3,265 7,065 3,828 355 15 1,243 BIND 4.x 1,935 99 1,362 349 28 Dnsmasq 946,294 495,205 158,282 59,145 159,969 25,993 47,700 Nominum 450,079 209,051 198,019 18,808 14,500 7,465 2,236 Nominum 502 15 23 67 25 PowerDNS 94,299 4,946 57,115 28,138 1,013 35 3,052 Unbound 30,588 5,461 17,926 5,447 1,030 206 518 NSD 25,837 1,296 7,955 13,835 257 13 2,481 5,324 1,296 386 400 3,217 can’t detect 3,067,979 1,943,992 620,895 291,737 113,120 9,706 88,529 no version info 3,325,822 739,726 1,307,181 710,867 327,504 29,272 211,272 10,334,293 3,740,615 3,145,391 1,992,956 717,721 83,658 653,952 Windows Total N/A 97 N/A 372 N/A 25 We have crawled 10,334,293 servers in 24 hours using two machines. In measurement, we have detected old versions of BIND 4.x and 8.x Nomium, PowerDNS and so on. More than 40% of all connected servers did show the banner. Surprisingly, many DNS servers with the obsolete version of BIND such as 8.x and 4.x has been detected. Also, we have monitored approximately 94% of all servers which is registered to APNIC, RIPE, ARIN, LACNIC and AFRNIC.
Kaminsky attack is still breeding danger 4835 + 28680 is exploitable for DNS cache poisoning Exploit ID: CAU-EX-2008-0002 Release Date: 2008.07.23 Title: bailiwicked_host.rb Description: Kaminsky DNS Cache Poisoning Flaw Exploit Tested: BIND 9.4.1-9.4.2 > db.servers.find({“type_ver”:“9.4.1”,“rir”:“APNIC”}).count()1106 > db.servers.find({"type_ver":"9.4.1","rir":"ARIN"}).count() 1404 > db.servers.find({"type_ver":"9.4.1","rir":"LACNIC"}).count() 197 > db.servers.find({"type_ver":"9.4.1","rir":"AFRINIC"}).count() 10 > db.servers.find({"type_ver":"9.4.1"}).count() 4835 msf > use auxiliary/spoof/dns/ use auxiliary/spoof/dns/bailiwicked_domain use auxiliary/spoof/dns/compare_results use auxiliary/spoof/dns/bailiwicked_host > db.servers.find({"type_ver":"9.4.1"}).count() 4835 > db.servers.find({"type_ver":"9.4.2","rir":"APNIC"}).count() 2059 > db.servers.find({"type_ver":"9.4.2","rir":"ARIN"}).count() 3045 DO NOT execute metasploit on 4835 + 28680 servers outside ! > db.servers.find({"type_ver":"9.4.2","rir":"LACNIC"}).count() 1298 > db.servers.find({"type_ver":"9.4.2","rir":"AFRINIC"}).count() 112 > db.servers.find({"type_ver":"9.4.2"}).count() 28680
Second measurement (30285322 / 4228250625 in 26 hours) root@node21:/pcap/blink/DNS/all# wc -l all-dump 30285322 all-dump Send root@node21:/pcap/blink/DNS/all# grep 1373045182508 all-dump { "_id" : “*.*.8.131", "date1" : { "$date" : 1373045182508 }, "date2" : { "$date" : 1373045182561 }, "is_eq_dst" : true, "is_ra" : false, "rcode_a" : 5, "rcode_ver" : 0, "recv_a_port" : 53, "rir" : "APNIC", "ver" : "Go away!" } parse handler handler 2013/07/05 17:26:22 Event base loop root@node21:/pcap/blink/DNS/all# grep 1373139484961 all-dump { "_id" : “*.*.172.47", "date1" : { "$date" : 1373139484961 }, "fqdn" : "dsl-178-35-172-47.avtlg.ru", "is_eq_dst" : true, "is_ra" : false, "rcode_a" : 0, "recv_a_port" : 53, "rir" : "RIPE NCC" } Checking availability fd 2013/07/06 19:38:04 Second Measurement # of DNS servers detected 1800000 Physical machine 1600000 1400000 1200000 1000000 800000 MongoDB 600000 400000 200000 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 time (hours) Maximum speed: 474 servers per second (07/05:17:30 – 18:30)
Detecting Open Resolvers > db.servers.find"), "date2" : ISODate("2013-0706T04:04:44.550Z"), "fqdn" : “*.*.dynamic.totbb.net", "is_eq_dst" : true, "is_ra" : true, "rcode_a" : 0, "rcode_ver" : 0, "recv_a_port" : 53, "rir" : "APNIC", "type" : "BIND 9.x", "type_ver" : "9.3.4-P1", "ver" : "9.3.4-P1" } The last five days have made clear that the bad guys have the list of open resolvers > db.servers.find({"is_ra" : true}).count() and they are getting increasingly brazen in the attacks they are willing to launch. 24971990 -- Open Resovler project QR Z OpCode AD AA CD RA: recursion available openresolverproject.org TC RD RCODE RA root@node44:/var/log/unbound# tail -f unbound.log [1384487371] unbound[1707:0] info: *.*.59.160 Sandia.gov. ANY IN [1384487371] unbound[1707:0] info: *.*.59.160 Sandia.gov. ANY IN ANY IN [1384487371] unbound[1707:0] info: *.*.59.160 siska1.com. ANY IN [1384487371] unbound[1707:0] info: *.*.189.69 cheatsharez.com. ANY IN [1384487371] unbound[1707:0] info: *.*.237.247 siska1.com. ANY IN [1384487371] unbound[1707:0] info: *.*.237.247 siska1.com. ANY IN [1384487371] unbound[1707:0] info: *.*.115.91 Sandia.gov. ANY IN [1384487371] unbound[1707:0] info: *.*.115.91 Sandia.gov. ANY IN
Conclusion We have presented the feasible study information gathering which could cause large scale attack on DNS servers. [1] with asynchronous crawler by sender called with timeout, 4228250625 addresses has been scanned in 34 hours with discovery of 10,334,293 DNS servers. (2013/05/31 – 2013/06/02) [2] with asynchronous crawler by receiver activated with non-blocking mode, 4228250625 addresses in 26 hours has been scanned with discovery of 30,285,322 DNS servers. (2013/07/05 – 2013/07/06). Between [1] and [2], we have speed gap of 6-7 times. Minimum Speed: 73 serves per second (06/02:22:00 – 23:00) Maximum speed: 474 servers per second (07/05:17:30 – 18:30) -> crawler on openVswith is slow. Nonblocking mode (event_base_loop(NONBLOCKING)) can be applied and faster. Key findings: [1] More than 10,000 obsolete version of BIND (4.x and 8.x) is still running and therefore remain exploitable. [2] 4835 (9.4.1) + 28680 (9.4.2) servers can be compromised by Kaminsky attack. [3] we have found 24, 971, 990 Open Resolver servers of which RA flag is true.
Thank you for listening ! Merci de votre attention! ando.ruo@gmail.com Slides are going to be released in SlideShare after some modifications.

Empfohlen

Ricardo de Oliveria Schmidt - DDoS Attacks on the Root DNS
Ricardo de Oliveria Schmidt - DDoS Attacks on the Root DNSRicardo de Oliveria Schmidt - DDoS Attacks on the Root DNS
Ricardo de Oliveria Schmidt - DDoS Attacks on the Root DNSMichiel Cazemier
 
DNS DDoS Attack and Risk
DNS DDoS Attack and RiskDNS DDoS Attack and Risk
DNS DDoS Attack and RiskSukbum Hong
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...Felipe Prado
 
DNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallDNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallGlenn McKnight
 
Openstack meetup lyon_2017-09-28
Openstack meetup lyon_2017-09-28Openstack meetup lyon_2017-09-28
Openstack meetup lyon_2017-09-28Xavier Lucas
 
Class Project Showcase: DNS Spoofing
Class Project Showcase: DNS SpoofingClass Project Showcase: DNS Spoofing
Class Project Showcase: DNS SpoofingBeibei Yang
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encryptedMen and Mice
 
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Dan York
 

Empfohlen

Ricardo de Oliveria Schmidt - DDoS Attacks on the Root DNS
Ricardo de Oliveria Schmidt - DDoS Attacks on the Root DNSRicardo de Oliveria Schmidt - DDoS Attacks on the Root DNS
Ricardo de Oliveria Schmidt - DDoS Attacks on the Root DNSMichiel Cazemier
 
DNS DDoS Attack and Risk
DNS DDoS Attack and RiskDNS DDoS Attack and Risk
DNS DDoS Attack and RiskSukbum Hong
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...Felipe Prado
 
DNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallDNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallGlenn McKnight
 
Openstack meetup lyon_2017-09-28
Openstack meetup lyon_2017-09-28Openstack meetup lyon_2017-09-28
Openstack meetup lyon_2017-09-28Xavier Lucas
 
Class Project Showcase: DNS Spoofing
Class Project Showcase: DNS SpoofingClass Project Showcase: DNS Spoofing
Class Project Showcase: DNS SpoofingBeibei Yang
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encryptedMen and Mice
 
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Dan York
 
232 md5-considered-harmful-slides
232 md5-considered-harmful-slides232 md5-considered-harmful-slides
232 md5-considered-harmful-slidesDan Kaminsky
 
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6labION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6labDeploy360 Programme (Internet Society)
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSMen and Mice
 
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]RootedCON
 
Mens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practiceMens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practicekuchinskaya
 
Enabling a Secure Multi-Tenant Environment for HPC
Enabling a Secure Multi-Tenant Environment for HPCEnabling a Secure Multi-Tenant Environment for HPC
Enabling a Secure Multi-Tenant Environment for HPCinside-BigData.com
 
Experiences in Providing Secure Mult-Tenant Lustre Access to OpenStack
Experiences in Providing Secure Mult-Tenant Lustre Access to OpenStackExperiences in Providing Secure Mult-Tenant Lustre Access to OpenStack
Experiences in Providing Secure Mult-Tenant Lustre Access to OpenStackinside-BigData.com
 
ION Bucharest - DANE-DNSSEC-TLS
ION Bucharest - DANE-DNSSEC-TLSION Bucharest - DANE-DNSSEC-TLS
ION Bucharest - DANE-DNSSEC-TLSDeploy360 Programme (Internet Society)
 
Hardening the Core of the Internet
Hardening the Core of the InternetHardening the Core of the Internet
Hardening the Core of the InternetRIPE NCC
 
Optimal Strategies for Large-Scale Batch ETL Jobs
Optimal Strategies for Large-Scale Batch ETL JobsOptimal Strategies for Large-Scale Batch ETL Jobs
Optimal Strategies for Large-Scale Batch ETL JobsEmma Tang
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local NetworksMen and Mice
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]RootedCON
 
DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013Shumon Huque
 
The DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsThe DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsMen and Mice
 
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...APNIC
 
DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020APNIC
 
DNSSEC signing Tutorial
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial Men and Mice
 
Строим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атакиСтроим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атакиPositive Hack Days
 
Windows 2012 and DNSSEC
Windows 2012 and DNSSECWindows 2012 and DNSSEC
Windows 2012 and DNSSECMen and Mice
 
Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140) Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140) Bangladesh Network Operators Group
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and securityMichael Earls
 
DETECTION OF ALGORITHMICALLYGENERATED MALICIOUS DOMAIN USING FREQUENCY ANALYSIS
DETECTION OF ALGORITHMICALLYGENERATED MALICIOUS DOMAIN USING FREQUENCY ANALYSISDETECTION OF ALGORITHMICALLYGENERATED MALICIOUS DOMAIN USING FREQUENCY ANALYSIS
DETECTION OF ALGORITHMICALLYGENERATED MALICIOUS DOMAIN USING FREQUENCY ANALYSISAIRCC Publishing Corporation
 

Weitere ähnliche Inhalte

Was ist angesagt?

232 md5-considered-harmful-slides
232 md5-considered-harmful-slides232 md5-considered-harmful-slides
232 md5-considered-harmful-slidesDan Kaminsky
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSMen and Mice
 
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]RootedCON
 
Mens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practiceMens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practicekuchinskaya
 
Enabling a Secure Multi-Tenant Environment for HPC
Enabling a Secure Multi-Tenant Environment for HPCEnabling a Secure Multi-Tenant Environment for HPC
Enabling a Secure Multi-Tenant Environment for HPCinside-BigData.com
 
Experiences in Providing Secure Mult-Tenant Lustre Access to OpenStack
Experiences in Providing Secure Mult-Tenant Lustre Access to OpenStackExperiences in Providing Secure Mult-Tenant Lustre Access to OpenStack
Experiences in Providing Secure Mult-Tenant Lustre Access to OpenStackinside-BigData.com
 
Hardening the Core of the Internet
Hardening the Core of the InternetHardening the Core of the Internet
Hardening the Core of the InternetRIPE NCC
 
Optimal Strategies for Large-Scale Batch ETL Jobs
Optimal Strategies for Large-Scale Batch ETL JobsOptimal Strategies for Large-Scale Batch ETL Jobs
Optimal Strategies for Large-Scale Batch ETL JobsEmma Tang
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local NetworksMen and Mice
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]RootedCON
 
DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013Shumon Huque
 
The DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsThe DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsMen and Mice
 
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...APNIC
 
DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020APNIC
 
DNSSEC signing Tutorial
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial Men and Mice
 
Строим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атакиСтроим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атакиPositive Hack Days
 
Windows 2012 and DNSSEC
Windows 2012 and DNSSECWindows 2012 and DNSSEC
Windows 2012 and DNSSECMen and Mice
 

Was ist angesagt? (20)

232 md5-considered-harmful-slides
232 md5-considered-harmful-slides232 md5-considered-harmful-slides
232 md5-considered-harmful-slides
 
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6labION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
 
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
 
Mens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practiceMens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practice
 
Enabling a Secure Multi-Tenant Environment for HPC
Enabling a Secure Multi-Tenant Environment for HPCEnabling a Secure Multi-Tenant Environment for HPC
Enabling a Secure Multi-Tenant Environment for HPC
 
Experiences in Providing Secure Mult-Tenant Lustre Access to OpenStack
Experiences in Providing Secure Mult-Tenant Lustre Access to OpenStackExperiences in Providing Secure Mult-Tenant Lustre Access to OpenStack
Experiences in Providing Secure Mult-Tenant Lustre Access to OpenStack
 
ION Bucharest - DANE-DNSSEC-TLS
ION Bucharest - DANE-DNSSEC-TLSION Bucharest - DANE-DNSSEC-TLS
ION Bucharest - DANE-DNSSEC-TLS
 
Hardening the Core of the Internet
Hardening the Core of the InternetHardening the Core of the Internet
Hardening the Core of the Internet
 
Optimal Strategies for Large-Scale Batch ETL Jobs
Optimal Strategies for Large-Scale Batch ETL JobsOptimal Strategies for Large-Scale Batch ETL Jobs
Optimal Strategies for Large-Scale Batch ETL Jobs
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local Networks
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
 
DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013
 
The DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsThe DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rolls
 
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
 
DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020
 
DNSSEC signing Tutorial
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial
 
Строим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атакиСтроим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атаки
 
Windows 2012 and DNSSEC
Windows 2012 and DNSSECWindows 2012 and DNSSEC
Windows 2012 and DNSSEC
 
Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140) Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140)
 

Ähnlich wie Grehack2013-RuoAndo-Unraveling large scale geographical distribution of vulnerable DNS servers using asynchronous I/O mechanism

Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and securityMichael Earls
 
DETECTION OF ALGORITHMICALLYGENERATED MALICIOUS DOMAIN USING FREQUENCY ANALYSIS
DETECTION OF ALGORITHMICALLYGENERATED MALICIOUS DOMAIN USING FREQUENCY ANALYSISDETECTION OF ALGORITHMICALLYGENERATED MALICIOUS DOMAIN USING FREQUENCY ANALYSIS
DETECTION OF ALGORITHMICALLYGENERATED MALICIOUS DOMAIN USING FREQUENCY ANALYSISAIRCC Publishing Corporation
 
DETECTION OF ALGORITHMICALLYGENERATED MALICIOUS DOMAIN USING FREQUENCY ANALYSIS
DETECTION OF ALGORITHMICALLYGENERATED MALICIOUS DOMAIN USING FREQUENCY ANALYSISDETECTION OF ALGORITHMICALLYGENERATED MALICIOUS DOMAIN USING FREQUENCY ANALYSIS
DETECTION OF ALGORITHMICALLYGENERATED MALICIOUS DOMAIN USING FREQUENCY ANALYSISijcsit
 
2016 state of the internet threat advisory dnssec ddos amplification attacks
2016 state of the internet threat advisory dnssec ddos amplification attacks2016 state of the internet threat advisory dnssec ddos amplification attacks
2016 state of the internet threat advisory dnssec ddos amplification attacksAndrey Apuhtin
 
Network Intelligence for a secured Network (2014-03-12)
Network Intelligence for a secured Network (2014-03-12)Network Intelligence for a secured Network (2014-03-12)
Network Intelligence for a secured Network (2014-03-12)Andreas Taudte
 
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...OpenDNS
 
PLNOG 13: Adam Obszyński: Case Study – Infoblox Advanced DNS Protection
PLNOG 13: Adam Obszyński: Case Study – Infoblox Advanced DNS ProtectionPLNOG 13: Adam Obszyński: Case Study – Infoblox Advanced DNS Protection
PLNOG 13: Adam Obszyński: Case Study – Infoblox Advanced DNS ProtectionPROIDEA
 
Ntp in Amplification Inferno
Ntp in Amplification InfernoNtp in Amplification Inferno
Ntp in Amplification InfernoSriram Krishnan
 
AWS User Group - Perth - April 2021 - DNS
AWS User Group - Perth - April 2021 - DNSAWS User Group - Perth - April 2021 - DNS
AWS User Group - Perth - April 2021 - DNSJames Bromberger
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]APNIC
 
containerit at useR!2017 conference, Brussels
containerit at useR!2017 conference, Brusselscontainerit at useR!2017 conference, Brussels
containerit at useR!2017 conference, BrusselsDaniel Nüst
 
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE - ATT&CKcon
 
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPROIDEA
 
Surviving A DDoS Attack: Securing CDN Traffic at CloudFlare
Surviving A DDoS Attack: Securing CDN Traffic at CloudFlareSurviving A DDoS Attack: Securing CDN Traffic at CloudFlare
Surviving A DDoS Attack: Securing CDN Traffic at CloudFlareCloudflare
 
Leveraging DNS to Surface Attacker Activity
Leveraging DNS to Surface Attacker ActivityLeveraging DNS to Surface Attacker Activity
Leveraging DNS to Surface Attacker ActivitySqrrl
 

Ähnlich wie Grehack2013-RuoAndo-Unraveling large scale geographical distribution of vulnerable DNS servers using asynchronous I/O mechanism (20)

Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and security
 
DETECTION OF ALGORITHMICALLYGENERATED MALICIOUS DOMAIN USING FREQUENCY ANALYSIS
DETECTION OF ALGORITHMICALLYGENERATED MALICIOUS DOMAIN USING FREQUENCY ANALYSISDETECTION OF ALGORITHMICALLYGENERATED MALICIOUS DOMAIN USING FREQUENCY ANALYSIS
DETECTION OF ALGORITHMICALLYGENERATED MALICIOUS DOMAIN USING FREQUENCY ANALYSIS
 
DETECTION OF ALGORITHMICALLYGENERATED MALICIOUS DOMAIN USING FREQUENCY ANALYSIS
DETECTION OF ALGORITHMICALLYGENERATED MALICIOUS DOMAIN USING FREQUENCY ANALYSISDETECTION OF ALGORITHMICALLYGENERATED MALICIOUS DOMAIN USING FREQUENCY ANALYSIS
DETECTION OF ALGORITHMICALLYGENERATED MALICIOUS DOMAIN USING FREQUENCY ANALYSIS
 
2016 state of the internet threat advisory dnssec ddos amplification attacks
2016 state of the internet threat advisory dnssec ddos amplification attacks2016 state of the internet threat advisory dnssec ddos amplification attacks
2016 state of the internet threat advisory dnssec ddos amplification attacks
 
Network Intelligence for a secured Network (2014-03-12)
Network Intelligence for a secured Network (2014-03-12)Network Intelligence for a secured Network (2014-03-12)
Network Intelligence for a secured Network (2014-03-12)
 
ION Bucharest - Deploying DNSSEC
ION Bucharest - Deploying DNSSECION Bucharest - Deploying DNSSEC
ION Bucharest - Deploying DNSSEC
 
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
 
D do s
D do sD do s
D do s
 
PLNOG 13: Adam Obszyński: Case Study – Infoblox Advanced DNS Protection
PLNOG 13: Adam Obszyński: Case Study – Infoblox Advanced DNS ProtectionPLNOG 13: Adam Obszyński: Case Study – Infoblox Advanced DNS Protection
PLNOG 13: Adam Obszyński: Case Study – Infoblox Advanced DNS Protection
 
ION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSECION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSEC
 
Ntp in Amplification Inferno
Ntp in Amplification InfernoNtp in Amplification Inferno
Ntp in Amplification Inferno
 
AWS User Group - Perth - April 2021 - DNS
AWS User Group - Perth - April 2021 - DNSAWS User Group - Perth - April 2021 - DNS
AWS User Group - Perth - April 2021 - DNS
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
 
containerit at useR!2017 conference, Brussels
containerit at useR!2017 conference, Brusselscontainerit at useR!2017 conference, Brussels
containerit at useR!2017 conference, Brussels
 
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
 
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
 
Surviving A DDoS Attack: Securing CDN Traffic at CloudFlare
Surviving A DDoS Attack: Securing CDN Traffic at CloudFlareSurviving A DDoS Attack: Securing CDN Traffic at CloudFlare
Surviving A DDoS Attack: Securing CDN Traffic at CloudFlare
 
Infoblox Secure DNS Solution
Infoblox Secure DNS SolutionInfoblox Secure DNS Solution
Infoblox Secure DNS Solution
 
Leveraging DNS to Surface Attacker Activity
Leveraging DNS to Surface Attacker ActivityLeveraging DNS to Surface Attacker Activity
Leveraging DNS to Surface Attacker Activity
 
DDoS.ppt
DDoS.pptDDoS.ppt
DDoS.ppt
 

Mehr von Ruo Ando

KISTI-NII Joint Security Workshop 2023.pdf
KISTI-NII Joint Security Workshop 2023.pdfKISTI-NII Joint Security Workshop 2023.pdf
KISTI-NII Joint Security Workshop 2023.pdfRuo Ando
 
Gartner 「セキュリティ&リスクマネジメントサミット 2019」- 安藤
Gartner 「セキュリティ&リスクマネジメントサミット 2019」- 安藤Gartner 「セキュリティ&リスクマネジメントサミット 2019」- 安藤
Gartner 「セキュリティ&リスクマネジメントサミット 2019」- 安藤Ruo Ando
 
解説#86 決定木 - ss.pdf
解説#86 決定木 - ss.pdf解説#86 決定木 - ss.pdf
解説#86 決定木 - ss.pdfRuo Ando
 
SaaSアカデミー for バックオフィス アイドルと学ぶDX講座 ~アイドル戦略に見るDXを専門家が徹底解説~
SaaSアカデミー for バックオフィス アイドルと学ぶDX講座 ~アイドル戦略に見るDXを専門家が徹底解説~SaaSアカデミー for バックオフィス アイドルと学ぶDX講座 ~アイドル戦略に見るDXを専門家が徹底解説~
SaaSアカデミー for バックオフィス アイドルと学ぶDX講座 ~アイドル戦略に見るDXを専門家が徹底解説~Ruo Ando
 
解説#83 情報エントロピー
解説#83 情報エントロピー解説#83 情報エントロピー
解説#83 情報エントロピーRuo Ando
 
解説#82 記号論理学
解説#82 記号論理学解説#82 記号論理学
解説#82 記号論理学Ruo Ando
 
解説#81 ロジスティック回帰
解説#81 ロジスティック回帰解説#81 ロジスティック回帰
解説#81 ロジスティック回帰Ruo Ando
 
解説#74 連結リスト
解説#74 連結リスト解説#74 連結リスト
解説#74 連結リストRuo Ando
 
解説#76 福岡正信
解説#76 福岡正信解説#76 福岡正信
解説#76 福岡正信Ruo Ando
 
解説#77 非加算無限
解説#77 非加算無限解説#77 非加算無限
解説#77 非加算無限Ruo Ando
 
解説#1 C言語ポインタとアドレス
解説#1 C言語ポインタとアドレス解説#1 C言語ポインタとアドレス
解説#1 C言語ポインタとアドレスRuo Ando
 
解説#78 誤差逆伝播
解説#78 誤差逆伝播解説#78 誤差逆伝播
解説#78 誤差逆伝播Ruo Ando
 
解説#73 ハフマン符号
解説#73 ハフマン符号解説#73 ハフマン符号
解説#73 ハフマン符号Ruo Ando
 
【技術解説20】 ミニバッチ確率的勾配降下法
【技術解説20】 ミニバッチ確率的勾配降下法【技術解説20】 ミニバッチ確率的勾配降下法
【技術解説20】 ミニバッチ確率的勾配降下法Ruo Ando
 
【技術解説4】assertion failureとuse after-free
【技術解説4】assertion failureとuse after-free【技術解説4】assertion failureとuse after-free
【技術解説4】assertion failureとuse after-freeRuo Ando
 
ITmedia Security Week 2021 講演資料
ITmedia Security Week 2021 講演資料 ITmedia Security Week 2021 講演資料
ITmedia Security Week 2021 講演資料 Ruo Ando
 
ファジングの解説
ファジングの解説ファジングの解説
ファジングの解説Ruo Ando
 
AI(機械学習・深層学習)との協働スキルとOperational AIの事例紹介 @ ビジネス+ITセミナー 2020年11月
AI(機械学習・深層学習)との協働スキルとOperational AIの事例紹介 @ ビジネス+ITセミナー 2020年11月AI(機械学習・深層学習)との協働スキルとOperational AIの事例紹介 @ ビジネス+ITセミナー 2020年11月
AI(機械学習・深層学習)との協働スキルとOperational AIの事例紹介 @ ビジネス+ITセミナー 2020年11月Ruo Ando
 
【AI実装4】TensorFlowのプログラムを読む2 非線形回帰
【AI実装4】TensorFlowのプログラムを読む2 非線形回帰【AI実装4】TensorFlowのプログラムを読む2 非線形回帰
【AI実装4】TensorFlowのプログラムを読む2 非線形回帰Ruo Ando
 
Intel Trusted Computing Group 1st Workshop
Intel Trusted Computing Group 1st WorkshopIntel Trusted Computing Group 1st Workshop
Intel Trusted Computing Group 1st WorkshopRuo Ando
 

Mehr von Ruo Ando (20)

KISTI-NII Joint Security Workshop 2023.pdf
KISTI-NII Joint Security Workshop 2023.pdfKISTI-NII Joint Security Workshop 2023.pdf
KISTI-NII Joint Security Workshop 2023.pdf
 
Gartner 「セキュリティ&リスクマネジメントサミット 2019」- 安藤
Gartner 「セキュリティ&リスクマネジメントサミット 2019」- 安藤Gartner 「セキュリティ&リスクマネジメントサミット 2019」- 安藤
Gartner 「セキュリティ&リスクマネジメントサミット 2019」- 安藤
 
解説#86 決定木 - ss.pdf
解説#86 決定木 - ss.pdf解説#86 決定木 - ss.pdf
解説#86 決定木 - ss.pdf
 
SaaSアカデミー for バックオフィス アイドルと学ぶDX講座 ~アイドル戦略に見るDXを専門家が徹底解説~
SaaSアカデミー for バックオフィス アイドルと学ぶDX講座 ~アイドル戦略に見るDXを専門家が徹底解説~SaaSアカデミー for バックオフィス アイドルと学ぶDX講座 ~アイドル戦略に見るDXを専門家が徹底解説~
SaaSアカデミー for バックオフィス アイドルと学ぶDX講座 ~アイドル戦略に見るDXを専門家が徹底解説~
 
解説#83 情報エントロピー
解説#83 情報エントロピー解説#83 情報エントロピー
解説#83 情報エントロピー
 
解説#82 記号論理学
解説#82 記号論理学解説#82 記号論理学
解説#82 記号論理学
 
解説#81 ロジスティック回帰
解説#81 ロジスティック回帰解説#81 ロジスティック回帰
解説#81 ロジスティック回帰
 
解説#74 連結リスト
解説#74 連結リスト解説#74 連結リスト
解説#74 連結リスト
 
解説#76 福岡正信
解説#76 福岡正信解説#76 福岡正信
解説#76 福岡正信
 
解説#77 非加算無限
解説#77 非加算無限解説#77 非加算無限
解説#77 非加算無限
 
解説#1 C言語ポインタとアドレス
解説#1 C言語ポインタとアドレス解説#1 C言語ポインタとアドレス
解説#1 C言語ポインタとアドレス
 
解説#78 誤差逆伝播
解説#78 誤差逆伝播解説#78 誤差逆伝播
解説#78 誤差逆伝播
 
解説#73 ハフマン符号
解説#73 ハフマン符号解説#73 ハフマン符号
解説#73 ハフマン符号
 
【技術解説20】 ミニバッチ確率的勾配降下法
【技術解説20】 ミニバッチ確率的勾配降下法【技術解説20】 ミニバッチ確率的勾配降下法
【技術解説20】 ミニバッチ確率的勾配降下法
 
【技術解説4】assertion failureとuse after-free
【技術解説4】assertion failureとuse after-free【技術解説4】assertion failureとuse after-free
【技術解説4】assertion failureとuse after-free
 
ITmedia Security Week 2021 講演資料
ITmedia Security Week 2021 講演資料 ITmedia Security Week 2021 講演資料
ITmedia Security Week 2021 講演資料
 
ファジングの解説
ファジングの解説ファジングの解説
ファジングの解説
 
AI(機械学習・深層学習)との協働スキルとOperational AIの事例紹介 @ ビジネス+ITセミナー 2020年11月
AI(機械学習・深層学習)との協働スキルとOperational AIの事例紹介 @ ビジネス+ITセミナー 2020年11月AI(機械学習・深層学習)との協働スキルとOperational AIの事例紹介 @ ビジネス+ITセミナー 2020年11月
AI(機械学習・深層学習)との協働スキルとOperational AIの事例紹介 @ ビジネス+ITセミナー 2020年11月
 
【AI実装4】TensorFlowのプログラムを読む2 非線形回帰
【AI実装4】TensorFlowのプログラムを読む2 非線形回帰【AI実装4】TensorFlowのプログラムを読む2 非線形回帰
【AI実装4】TensorFlowのプログラムを読む2 非線形回帰
 
Intel Trusted Computing Group 1st Workshop
Intel Trusted Computing Group 1st WorkshopIntel Trusted Computing Group 1st Workshop
Intel Trusted Computing Group 1st Workshop
 

Kürzlich hochgeladen

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 

Kürzlich hochgeladen (20)

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

Grehack2013-RuoAndo-Unraveling large scale geographical distribution of vulnerable DNS servers using asynchronous I/O mechanism

  • 1. Unraveling large scale geographical distribution of vulnerable DNS servers using asynchronous I/O mechanism 2013/11/15 12:10 – 12:35 Ruo Ando, Yuuki Takano and Satoshi Uda Network Security Institute, National Institute of Information and Communication Technology, Tokyo, Japan
  • 2. Introduction: obtaining attacker‟s landscape for mitigation and/or protection Feasiblity study of large scale attacks of DNS. Despite of its importance, we are not able to get comprehensive view of the situation of deployment of DNS servers in real-world. We have implemented aync I/O based crawler and found … [1] More than 10,000 obsolete version of BIND (4.x and 8.x) is still running and therefore remain exploitable. Send parse handler handler [2] 4835 (9.4.1) + 28680 (9.4.2) servers can be compromised by Kaminsky attack. Event base loop (nonblocking) Checking availability fd Recv (async) [3] we have found 24, 971, 990 Open Resolver servers of which RA flag is true.
  • 3. Introduction: speed, speed and speed from “10,334,293 in 34 hours” to “30,285,322 in 26 hours” We have found 10,334,293 DNS servers in 34 hours of first measurement (2013/05/31 – 2013/06/02) and 30285322 DNS servers in 26 hours of second measurement (2013/07/05). Second Measurement 350000 300000 250000 200000 150000 100000 50000 0 1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33 time (hours) # of DNS servers detected # of DNS servers detected First Measurement 1800000 1600000 1400000 1200000 1000000 800000 600000 400000 200000 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 time (hours) Minimum Speed: 73 serves per second (06/02:22:00 – 23:00) Maximum speed: 474 servers per second (07/05:17:30 – 18:30)
  • 4. Monitoring result: current DNS situation is catastrophic [1] More than 10,000 obsolete version of BIND (4.x and 8.x) is still running and therefore remain exploitable. [2] Kaminsky attack is possible in 4835 (9.4.1) + 28680 (9.4.2) servers. We'd debated doing the same thing ourselves for some time but worried about the collateral damage of what would happen if such a list fell into the hands of the bad guys. The last five days have made clear that the bad guys have the list of open resolvers and they are getting increasingly brazen in the attacks they are willing to launch. We are in full support of the Open Resolver Project and believe it is incumbent on all network providers to work with their customers to close any open resolvers running on their networks. [3] we have found 24, 971, 990 Open Resolver servers of which RA flag is true. Internet Under Attack: World's Largest DDoS Attack Almost Broke The Internet http://blog.cloudflare.com/the-ddos-that-almost-broke-theinternet
  • 5. Fake response by IP address spoofing Dan Kaminsky Attack for DNS Cache poisoning (2003) Dummy Query For non-existent domain Recursive query Kaminski Attack: The big security news of Summer 2008 has been Dan Kaminsky's discovery of a serious vulnerability in DNS. This vulnerability could allow an attacker to redirect network clients to alternate servers of his own choosing, presumably for ill ends. This all led to a mad dash to patch DNS servers worldwide, and though there have been many writeups of just how the vulnerability manifests itself, we felt the need for one in far more detail. Hence, one of our Illustrated Guides. http://unixwiz.net/techtips/iguidekaminsky-dns-vuln.html Regular response about non-existent domain Metasploit: DNS BailiWicked Host Attack msf > use auxiliary/spoof/dns/ use auxiliary/spoof/dns/bailiwicked_domain use auxiliary/spoof/dns/compare_results use auxiliary/spoof/dns/bailiwicked_host Exploit ID: CAU-EX-2008-0002 Release Date: 2008.07.23 Title: bailiwicked_host.rb Description: Kaminsky DNS Cache Poisoning Flaw Exploit Tested: BIND 9.4.1-9.4.2 [2] 4835 (9.4.1) + 28680 (9.4.2) servers can be compromised by Kaminsky attack.
  • 6. Related work: crawler design and DNS monitoring • Unraveling the BitTorrent Ecosystem, IEEE Transactions on Parallel and Distributed Systems archive Volume 22 Issue 7, July 2011 • Mining your Ps and Qs: detection of widespread weak keys in network devices, Security'12 Proceedings of the 21st USENIX conference on Security symposium • Crawling BitTorrent DHTs for fun and profit, WOOT'10 Proceedings of the 4th USENIX conference on Offensive technologies • Comparing DNS resolvers in the wild, IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement
  • 7. Proposed method and improvements 2013/05/31 – 2013/06/02 -> 2013/07/05 – 2013/07/06 blocking Non-blocking Send with timer handler Recv (async) underministic Send parse handler handler Event base loop fd 10,334,293 DNS servers in 34 hours 30285322 DNS servers in 26 hours Two callbacks with one timeout ev_dns = event_new(ev_base, sockfd, EV_READ | EV_PERSIST, callback_dns, NULL); event_add(ev_dns, NULL); timeval tv = {0, QUERY_CYCLE * 1000}; ev_send = event_new(ev_base, -1, EV_TIMEOUT | EV_PERSIST, send_query, NULL); event_add(ev_send, &tv); event_base_dispatch(ev_base); Send loop : 225 ^ 4 = 4228250625 handler Checking availability fd Two callbacks with nonblocking mode ev_map[sockfd_a] = event_new(ev_base, sockfd_a, EV_READ | EV_PERSIST, callback_dns, NULL); event_add(ev_map[sockfd_a], NULL); ev_map[sockfd_ver] = event_new(ev_base, sockfd_ver, EV_READ | EV_PERSIST, send_query, &five_seconds); event_add(ev_map[sockfd_ver], NULL); event_base_dispatch(ev_base); Send loop : 225 ^ 4 = 4228250625
  • 8. Handling two callbacks with libevent Asynchronous I/O crawler callback_dns(evutil_socket_t fd, short what, void *arg) send_query(evutil_socket_t fd, short what, void *arg) 43event_base *ev_base; 309 ev_dns = event_new(ev_base, sockfd, EV_READ | EV_PERSIST, callback_dns, NULL); 310 event_add(ev_dns, NULL); 311 312 timeval tv = {0, QUERY_CYCLE * 1000}; 313 ev_send = event_new(ev_base, -1, EV_TIMEOUT | EV_PERSIST, send_query, NULL); 314 event_add(ev_send, &tv); { "_id" : “X.X.X.X", "recv_date" : ISODate("2013-06-01T01:00:44.086Z"), "rir" : "APNIC", "type" : "Nominum Vantio", "type_ver" : "5.3.2.2", "ver" : "Nominum Vantio 5.3.2.2" } MongoDB NoSQL Datastore
  • 9. Offline analysis for obtaining geographical distribution Asynchronous I/O crawler callback_dns( evutil_socket_t fd, short what, void *arg) MongoDB NoSQL Datastore my $connection = MongoDB::Connection->new ( host => „X.X.X.X', port => 27017 ); my $database = $connection->DNSCrawl2; my $collection = $database->servers_bind4; [1] store (logical address) [2] query [4] Store geological information { "_id" : “x.x.x.x", "country" : "JP", "longitude" : "139.751404", "city" : "Tokyo", "latitude" : "35.685001" } 248 for (it = ans.begin(); it != ans.end(); ++it) { 249 if (ntohs(it->m_type) == DNS_TYPE_TXT && 250 ntohs(it->m_class) == DNS_CLASS_CH) { 251 ptr_cdpi_dns_txt p_txt; 252 253 p_txt = DNS_RDATA_TO_TXT(it->m_rdata); 254 255 b.append("ver", p_txt->m_txt); [3] GeoIP Lookup my $data = $collection->find(); while (my $object = $data->next) { $id = $object->{'_id'}; $ver = $object->{'ver'}; $type = $object->{'type'}; my @r3 = trap { $collection2->insert({ _id => $id, type => $type, country => $country_code[1],});
  • 10. First measurement (10334327 / 4228250625 in 34 hours) root@node31:~/blink/DNS/all# wc -l all-dump-2 Send with timer 10334327 all-dump-2 root@node31:~/blink/DNS/all# grep 1370011411915 all-dump { "_id" : “*.*.126.199", "recv_date" : { "$date" : 1370011411915 }, "rir" : "APNIC", "ver" : "" } handler Recv (async) underministic handler 2013/05/31 14:43:31 root@node31:~/blink/DNS/all# grep 1370134969890 all-dump fd { "_id" : “*.*.132.51", "recv_date" : { "$date" : 1370134969890 }, "rir" : "RIPE NCC" } 2013/06/02 01:02:49 First Measurement VM 350000 # of DNS servers detected 300000 Open Vswitch 250000 200000 MongoDB 150000 100000 50000 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 time (hours) Minimum Speed: 73 serves per second (06/02:22:00 – 23:00)
  • 11. First Measurement: Measurement scope and statistics Total Type APNIC RIPE ARIN LACNIC AFRINI C other # # # # # # # BIND 9.x 2,369,863 336,263 769,182 860,335 96,703 10,953 296,427 BIND 8.x 15,771 3,265 7,065 3,828 355 15 1,243 BIND 4.x 1,935 99 1,362 349 28 Dnsmasq 946,294 495,205 158,282 59,145 159,969 25,993 47,700 Nominum 450,079 209,051 198,019 18,808 14,500 7,465 2,236 Nominum 502 15 23 67 25 PowerDNS 94,299 4,946 57,115 28,138 1,013 35 3,052 Unbound 30,588 5,461 17,926 5,447 1,030 206 518 NSD 25,837 1,296 7,955 13,835 257 13 2,481 5,324 1,296 386 400 3,217 can’t detect 3,067,979 1,943,992 620,895 291,737 113,120 9,706 88,529 no version info 3,325,822 739,726 1,307,181 710,867 327,504 29,272 211,272 10,334,293 3,740,615 3,145,391 1,992,956 717,721 83,658 653,952 Windows Total N/A 97 N/A 372 N/A 25 We have crawled 10,334,293 servers in 24 hours using two machines. In measurement, we have detected old versions of BIND 4.x and 8.x Nomium, PowerDNS and so on. More than 40% of all connected servers did show the banner. Surprisingly, many DNS servers with the obsolete version of BIND such as 8.x and 4.x has been detected. Also, we have monitored approximately 94% of all servers which is registered to APNIC, RIPE, ARIN, LACNIC and AFRNIC.
  • 12. Kaminsky attack is still breeding danger 4835 + 28680 is exploitable for DNS cache poisoning Exploit ID: CAU-EX-2008-0002 Release Date: 2008.07.23 Title: bailiwicked_host.rb Description: Kaminsky DNS Cache Poisoning Flaw Exploit Tested: BIND 9.4.1-9.4.2 > db.servers.find({“type_ver”:“9.4.1”,“rir”:“APNIC”}).count()1106 > db.servers.find({"type_ver":"9.4.1","rir":"ARIN"}).count() 1404 > db.servers.find({"type_ver":"9.4.1","rir":"LACNIC"}).count() 197 > db.servers.find({"type_ver":"9.4.1","rir":"AFRINIC"}).count() 10 > db.servers.find({"type_ver":"9.4.1"}).count() 4835 msf > use auxiliary/spoof/dns/ use auxiliary/spoof/dns/bailiwicked_domain use auxiliary/spoof/dns/compare_results use auxiliary/spoof/dns/bailiwicked_host > db.servers.find({"type_ver":"9.4.1"}).count() 4835 > db.servers.find({"type_ver":"9.4.2","rir":"APNIC"}).count() 2059 > db.servers.find({"type_ver":"9.4.2","rir":"ARIN"}).count() 3045 DO NOT execute metasploit on 4835 + 28680 servers outside ! > db.servers.find({"type_ver":"9.4.2","rir":"LACNIC"}).count() 1298 > db.servers.find({"type_ver":"9.4.2","rir":"AFRINIC"}).count() 112 > db.servers.find({"type_ver":"9.4.2"}).count() 28680
  • 13. Second measurement (30285322 / 4228250625 in 26 hours) root@node21:/pcap/blink/DNS/all# wc -l all-dump 30285322 all-dump Send root@node21:/pcap/blink/DNS/all# grep 1373045182508 all-dump { "_id" : “*.*.8.131", "date1" : { "$date" : 1373045182508 }, "date2" : { "$date" : 1373045182561 }, "is_eq_dst" : true, "is_ra" : false, "rcode_a" : 5, "rcode_ver" : 0, "recv_a_port" : 53, "rir" : "APNIC", "ver" : "Go away!" } parse handler handler 2013/07/05 17:26:22 Event base loop root@node21:/pcap/blink/DNS/all# grep 1373139484961 all-dump { "_id" : “*.*.172.47", "date1" : { "$date" : 1373139484961 }, "fqdn" : "dsl-178-35-172-47.avtlg.ru", "is_eq_dst" : true, "is_ra" : false, "rcode_a" : 0, "recv_a_port" : 53, "rir" : "RIPE NCC" } Checking availability fd 2013/07/06 19:38:04 Second Measurement # of DNS servers detected 1800000 Physical machine 1600000 1400000 1200000 1000000 800000 MongoDB 600000 400000 200000 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 time (hours) Maximum speed: 474 servers per second (07/05:17:30 – 18:30)
  • 14. Detecting Open Resolvers > db.servers.find"), "date2" : ISODate("2013-0706T04:04:44.550Z"), "fqdn" : “*.*.dynamic.totbb.net", "is_eq_dst" : true, "is_ra" : true, "rcode_a" : 0, "rcode_ver" : 0, "recv_a_port" : 53, "rir" : "APNIC", "type" : "BIND 9.x", "type_ver" : "9.3.4-P1", "ver" : "9.3.4-P1" } The last five days have made clear that the bad guys have the list of open resolvers > db.servers.find({"is_ra" : true}).count() and they are getting increasingly brazen in the attacks they are willing to launch. 24971990 -- Open Resovler project QR Z OpCode AD AA CD RA: recursion available openresolverproject.org TC RD RCODE RA root@node44:/var/log/unbound# tail -f unbound.log [1384487371] unbound[1707:0] info: *.*.59.160 Sandia.gov. ANY IN [1384487371] unbound[1707:0] info: *.*.59.160 Sandia.gov. ANY IN ANY IN [1384487371] unbound[1707:0] info: *.*.59.160 siska1.com. ANY IN [1384487371] unbound[1707:0] info: *.*.189.69 cheatsharez.com. ANY IN [1384487371] unbound[1707:0] info: *.*.237.247 siska1.com. ANY IN [1384487371] unbound[1707:0] info: *.*.237.247 siska1.com. ANY IN [1384487371] unbound[1707:0] info: *.*.115.91 Sandia.gov. ANY IN [1384487371] unbound[1707:0] info: *.*.115.91 Sandia.gov. ANY IN
  • 15. Conclusion We have presented the feasible study information gathering which could cause large scale attack on DNS servers. [1] with asynchronous crawler by sender called with timeout, 4228250625 addresses has been scanned in 34 hours with discovery of 10,334,293 DNS servers. (2013/05/31 – 2013/06/02) [2] with asynchronous crawler by receiver activated with non-blocking mode, 4228250625 addresses in 26 hours has been scanned with discovery of 30,285,322 DNS servers. (2013/07/05 – 2013/07/06). Between [1] and [2], we have speed gap of 6-7 times. Minimum Speed: 73 serves per second (06/02:22:00 – 23:00) Maximum speed: 474 servers per second (07/05:17:30 – 18:30) -> crawler on openVswith is slow. Nonblocking mode (event_base_loop(NONBLOCKING)) can be applied and faster. Key findings: [1] More than 10,000 obsolete version of BIND (4.x and 8.x) is still running and therefore remain exploitable. [2] 4835 (9.4.1) + 28680 (9.4.2) servers can be compromised by Kaminsky attack. [3] we have found 24, 971, 990 Open Resolver servers of which RA flag is true.
  • 16. Thank you for listening ! Merci de votre attention! ando.ruo@gmail.com Slides are going to be released in SlideShare after some modifications.