dns sec client analysis
play

DNS(SEC) client analysis assisted by Bart Gijsen (TNO) DNS-OARC, - PowerPoint PPT Presentation

Aug 22, 2022 •351 likes •568 views

powered by DNS(SEC) client analysis assisted by Bart Gijsen (TNO) DNS-OARC, San Francisco, March 2011 Overview DNS traffic analysis CLIENT [8], [9] Resolver [7] (DNS proxy) Authoritative Authoritative Applic. Root DNS ) Root

  1. powered by DNS(SEC) client analysis assisted by Bart Gijsen (TNO) DNS-OARC, San Francisco, March 2011

  2. ‘Overview’ DNS traffic analysis CLIENT [8], [9] Resolver [7] (DNS proxy) Authoritative Authoritative Applic. Root DNS ) Root DNS browser Cache [1] DNS resolver SW Cache Authoritative Authoritative Operating system TLD TLD Server OS DNS stub Cache Authoritative Authoritative [13],[14] Tx device SLD SLD [2] [4] [6] [16] [5] Focus of DNS analysis has been on resolver and authoritative � bulk data analysis

  3. Key question: How will DNSSEC change the behavior of DNS client querying? More specific … How do DNS stub resolvers react to response types such as ServFail, responses > 512 Bytes, …?

  4. Experiments Experiments DNS client DNS client Impact Impact analysis analysis Summary & Summary & next steps next steps 4 11-3-2011

  5. Experimental set-up Configure OS / browser on client machine OS: Windows XP, Windows 7, Ubuntu Linux, Mac OSX Controlled DNS Server Browsers: IE, Firefox, Chrome, Safari not all combi’s, but quite some … clean OS image all settings left on defaults DNS Resolver Monitoring station Client

  6. Test execution Execute test run query each URLs with predefined response (ldns tool) Valid, Valid (>512 Bytes), NXdomain, Partial, ServFail, No reply, Truncated, Recursion refused query via ping (=> OS only) and via browser (=> browser & OS) repeat query once to check impact of caching � Observe the number of repeated queries and delays

  7. Example of DNS client behaviour: Linux-Ubuntu /w Firefox example: servfail response 3 immediate retries in case of servfail response and IPv4? OS sends servfail to FireFox; Firefox makes OS retry 16 queries in 0.14 seconds

  8. Browser & OS DNS query amplification Response type Response type Firefox Firefox Linux Linux Total Total Valid Valid x1 x1 x1 x1 x1 x1 NXdomain / Partial NXdomain / Partial x2 x2 x2 x2 x4 x4 ServFail / No response / Refused ServFail / No response / Refused x2 x2 x4 x4 x8 x8 Truncated Truncated x1 x1 1+TCP 1+TCP 1+TCP 1+TCP Response type Response type Safari Safari Mac OSX Mac OSX Total Total Valid Valid x1 x1 x1 x1 x1 x1 NXdomain / Partial NXdomain / Partial x1 x1 x2 x2 x2 x2 ServFail / No response / Refused ServFail / No response / Refused x1 x1 x4 x4 x4 x4 Truncated Truncated x1 x1 1+TCP 1+TCP 1+TCP 1+TCP DNS query count in case of: single authoritative NS; in case of primary and secondary => 2x only IPv4; in case of IPv4 and IPv6 => 2x

  9. Browser & OS DNS query amplification Response type Response type IE IE Windows XP Windows XP Total Total Valid / NXdomain Valid / NXdomain x1 x1 x1 x1 x1 x1 Partial / ServFail / Refused Partial / ServFail / Refused x1 x1 x1 x1 x1 x1 No response No response x1 x1 x5 x5 x5 x5 Truncated Truncated x1 x1 1+TCP 1+TCP 1+TCP 1+TCP Response type Response type Chrome Chrome Windows XP Windows XP Total Total Valid / NXdomain Valid / NXdomain x1 x1 x1 x1 x1 x1 Partial / ServFail / Refused Partial / ServFail / Refused x1 x1 x1 x1 x1 x1 No response No response x1 x1 x5 x5 x5 x5 Truncated Truncated x1 x1 1+TCP 1+TCP 1+TCP 1+TCP In fact, same behaviour for IE, Chrome, Firefox, Safari on Windows XP or Windows 7

  10. Other sources of aggressive DNS clients (not investigated) Greedy – synchronisation apps: bonjour, facebook apps, … may generate continuous stream of DNS requests Browser pre-fetching Firefox by default queries “anticipated next URLs” for a page Chrome pre-fetches stored, successfully retrieved URLs, when started Ubuntu Linux: by default no DNS caching

  11. Impact of the caching resolver Some damping of aggressive client behaviour by (BIND9) resolver In case of no-response the resolver retries (7 retries, with exponential timer back-off), while holding back client side retries Valid, NXdomain and truncated responses are cached Controlled DNS Server TCP session for truncated responses is handled by resolver DNS Resolver Monitoring station Client But also some amplification / modification by the resolver Resolver ‘double checks’ ServFail responses Unvalidatable response is returned as ServFail to client by non-DNSSEC enabled resolver Also: partial, recursion refused and timeout are fed back as ServFail

  12. Causes of aggressive DNS client behavior? GNU Library C (‘glibc’) DNS service static code analysis: overall glibc no ordinary characteristics found dynamic code analysis of DNS part: ‘responsible’ code part is pinpointed code part is complex � improvement not found yet Ok, before we drill down to the cause … what’s the impact?

  13. Experiments Experiments DNS client DNS client Impact Impact analysis analysis Summary & Summary & next steps next steps 13 11-3-2011

  14. Impact model (“ perfect behavior ”) Response Repeat query User Firefox Linux Resid.GW BIND9 Authoritative NS Query to Root 900 900.000 Root 1,0E-01 9,0E-02 9,0E-02 Valid 1,98 Valid (>512B) (Repeated queries) 0,00 682.200 Nxdomain 22,32 2,2E-03 2,2E-03 2,2E-03 Repeat-NXdomain 67,0 4,5E-03 8,9E-03 Partial 0,0E+00 0,0E+00 0,0E+00 0,00 Repeat-Partial 0,0E+00 0,0E+00 0,0 Servfail 9,0E-06 9,0E-06 9,0E-06 0,09 Repeat-Servfail 1,3 1,8E-05 7,2E-05 Timeout 0,0E+00 0,0E+00 0,0E+00 0,00 Repeat-Timeout 0,0E+00 0,0E+00 0,0 Refused 0,0E+00 0,0E+00 0,0E+00 0,00 Repeat-Refused 0,0 0,0E+00 0,0E+00 Truncated 0,00 Repeat-Truncated 0,0 Query to TLD 181.980 TLD Valid 127,39 Valid (>512B) 1,82 69.152 (Repeated queries) Nxdomain 9,1E-04 9,1E-04 9,1E-04 9,10 Repeat-NXdomain 1,8E-03 3,6E-03 27,3 Partial 0,00 0,0E+00 0,0E+00 0,0E+00 Repeat-Partial 0,0E+00 0,0E+00 0,0 Servfail 1,8E-04 1,8E-04 1,8E-04 1,82 Repeat-Servfail 3,6E-04 1,5E-03 25,5 Timeout 0,00 0,0E+00 0,0E+00 0,0E+00 Repeat-Timeout 0,0 0,0E+00 0,0E+00 Refused 1,8E-04 1,8E-04 1,8E-04 1,82 Repeat-Refused 3,6E-04 1,5E-03 12,7 Truncated 3,64 Repeat-Truncated 3,6 Query to SLD SLD 31.285 Valid 2,9E-02 2,2E-02 2,2E-02 224,03 Valid (>512B) 3,20 12.162 1,5E-04 1,5E-04 1,5E-04 3,2E-04 Nxdomain 1,6E-03 1,6E-03 1,6E-03 16,00 Repeat-NXdomain 3,2E-03 6,4E-03 48,0 Partial 0,0E+00 0,0E+00 0,0E+00 0,00 Repeat-Partial 0,0 0,0E+00 0,0E+00 Servfail 3,20 3,2E-04 3,2E-04 3,2E-04 Repeat-Servfail 6,4E-04 2,6E-03 44,8 Timeout 1,7E-04 1,7E-04 1,7E-04 0,0E+00 0,00 Repeat-Timeout 0,0 3,4E-04 1,3E-03 Refused 3,20 3,2E-04 3,2E-04 3,2E-04 Repeat-Refused 6,4E-04 2,6E-03 22,4 Truncated 6,4E-04 6,4E-04 6,4E-04 6,40 Repeat-Truncated 6,4

  15. Impact on average DNS traffic volume CLIENT Resolver (DNS proxy) Authoritative Applic. browser Root DNS -1% Cache DNS resolver SW Cache Authoritative -3% TLD Operating system Server OS DNS stub Cache -3% Authoritative -3% SLD Tx device Predicted query load reduction as result of modifying aggressive Linux/Mac behavior is small penetration of Linux / Mac OSX relatively low behavior occurs in case of ‘exceptions’ (ServFail, NXdomain, …)

  16. Impact outlook - scenario: 10% DNSSEC validation error for SLD CLIENT Resolver (DNS proxy) Authoritative Applic. browser Root DNS -1% Cache DNS resolver SW Cache Authoritative -3% TLD Operating system Server OS DNS stub Cache -10% Authoritative -3% SLD Tx device DNSSEC configuration errors at a domain will attract more traffic, due to observed behavior

  17. Impact outlook - scenario: NXdomain caching disabled at resolver CLIENT Resolver (DNS proxy) Authoritative Applic. browser Root DNS -15% Cache DNS resolver SW Cache Authoritative -3% TLD Operating system Server OS DNS stub Cache -3% Authoritative -2% SLD Tx device Some amplification of bogus traffic to the Root

  18. Experiments Experiments DNS client DNS client Impact Impact analysis analysis Summary & Summary & next steps next steps 18 11-3-2011

  19. Summary Linux and Mac clients display aggressive DNS behavior, in case of non-valid responses Resolvers partly damp aggressive behavior, but also amplify it Impact of client behavior on average DNS traffic is relatively low because fraction of Mac / Linux traffic is relatively low and behavior occurs in particular for minority of DNS responses Although, for some particular cases the behavior amplifies traffic volume and rate

  20. Next steps Share experiences with other experts Contribute to improving DNS function in the glibc(?) alternative for pinpointed code part causing the amplification Further quantitative scenario impact analysis further verification with ISP (SURFnet), SIDN data compare to greedy apps behavior Is mobile internet different from other ISP traffic? ABI Research: “in 2015 62% of mobile device will be Linux-based” …

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Multi-Threaded Servers December 6, 2007 1 Client-Server Communication Client Client Client

Multi-Threaded Servers December 6, 2007 1 Client-Server Communication Client Client Client

Multi-Threaded Servers December 6, 2007 1 Client-Server Communication Client Client Client Client Client Client Client Client Client Google Client Client Client Client Client Client Many clients; 1 server Server starts and then

333 views • 6 slides
CLIENT-SIDE STATIC ANALYSIS Ben Livshits, Microsoft Research Overview of Todays Lecture 2

CLIENT-SIDE STATIC ANALYSIS Ben Livshits, Microsoft Research Overview of Todays Lecture 2

CLIENT-SIDE STATIC ANALYSIS Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Client-side JavaScript Browser Analysis of JavaScript Plugins eval and code Extensions obfuscation Firefox extension model

812 views • 51 slides
Agenda 1. Introduction 2. Client 3. Scope 4. Methodology 5. SWOT Analysis 6. Conclusion

Agenda 1. Introduction 2. Client 3. Scope 4. Methodology 5. SWOT Analysis 6. Conclusion

Agenda 1. Introduction 2. Client 3. Scope 4. Methodology 5. SWOT Analysis 6. Conclusion 2 INTRODUCTION Our Team Ajay Andy Nikhil Suraj 4 Introduction Client Scope Methodology SWOT Conclusion OUR CLIENT Allison Tjaden

570 views • 35 slides
Evolution of the Web 1 Client Server 2 2 / 22 1 Client Server 2 2 / 22 1 Client Server

Evolution of the Web 1 Client Server 2 2 / 22 1 Client Server 2 2 / 22 1 Client Server

E LIOM Tierless Web programming from the ground up Gabriel R ADANNE Jrme V OUILLON Vincent B ALAT Vasilis P APAVASILEIOU Evolution of the Web 1 Client Server 2 2 / 22 1 Client Server 2 2 / 22 1 Client Server DOM 2 2 / 22 1

778 views • 42 slides
Feasibility analysis for an on-campus teahouse Client: Harold Linde, MFA Consultants: Esra, Kay,

Feasibility analysis for an on-campus teahouse Client: Harold Linde, MFA Consultants: Esra, Kay,

Feasibility analysis for an on-campus teahouse Client: Harold Linde, MFA Consultants: Esra, Kay, and Nealah Whats the project? T o provide the client, Harold Linde, with a feasibility study for the design of a secure, accessible, and

339 views • 20 slides
SRS Client Future direction of SRS client Current Client Tested on 5 different distros in

SRS Client Future direction of SRS client Current Client Tested on 5 different distros in

SRS Client Future direction of SRS client Current Client Tested on 5 different distros in 32 bit and 64 bit Requires a dedicated test/build box Difficult Crypt::OpenPGP dependencies Poor error reporting Not thread

495 views • 5 slides
InfoAnywhere Client Profile Client Overview Client Name: TestPerson Palliative #2650 First

InfoAnywhere Client Profile Client Overview Client Name: TestPerson Palliative #2650 First

Please Note: This view was saved in October 2018. Elements of this page may have been updated, added or removed. If client data is on this screen, it is purely fictitious in nature and was taken from our test system. Please excuse the

308 views • 6 slides
1 Analysis Information Where Do Facts Hold? How much information depends on the client

1 Analysis Information Where Do Facts Hold? How much information depends on the client

711? CS711 Advanced Programming Languages Topics in Program Analysis Radu Rugina Fall 2005 CS711 Overview 2 Program Analysis Static vs. Dynamic Static analysis: inspect programs at compile-time Static analysis: Work done at

282 views • 4 slides
CLIENT-SIDE RUNTIME ANALYSIS AND ENFORCEMENT Ben Livshits, Microsoft Research Overview of

CLIENT-SIDE RUNTIME ANALYSIS AND ENFORCEMENT Ben Livshits, Microsoft Research Overview of

CLIENT-SIDE RUNTIME ANALYSIS AND ENFORCEMENT Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Background (rehash) Better runtimes CSP HTML5 Sandbox Language restrictions AdSafe FBJS Tradeoffs of

998 views • 48 slides
1 Picturing the client relation (See diagram tool of EiffelStudio.) SUPPLIER CLIENT I ntro. to

1 Picturing the client relation (See diagram tool of EiffelStudio.) SUPPLIER CLIENT I ntro. to

Chair of Softw are Engineering Einfhrung in die Programmierung Introduction to Programming Prof. Dr. Bertrand Meyer October 2006 February 2007 Lecture 4: The Interface of a Class 2 Client, supplier Definitions A client of a

704 views • 11 slides
Module 3: Metadata Repository Understanding Analysis Cube Storage Options Client

Module 3: Metadata Repository Understanding Analysis Cube Storage Options Client

Overview Microsoft Data Warehousing Overview Analysis Services Components Module 3: Metadata Repository Understanding Analysis Cube Storage Options Client Architecture Services Architecture Office 2000 OLAP Components

388 views • 5 slides
Caches & Memcache Example Client N. America Client System Asia + Caches Client Africa

Caches & Memcache Example Client N. America Client System Asia + Caches Client Africa

Caches & Memcache Example Client N. America Client System Asia + Caches Client Africa Client Client Client while(get(done1) == false) while(get(done2) == false) put (k1, f(data)) ; ; put (done1, true) put (k2, g(get(k1));

839 views • 61 slides
Extravagance Where do we even start??? This client came to us as a referral from another client

Extravagance Where do we even start??? This client came to us as a referral from another client

Residential Bathroom $75,000 $100,000 Actual Project Cost: $90,000.00 English Tudor Rustic Extravagance Where do we even start??? This client came to us as a referral from another client for whom we had done a beautiful kitchen

284 views • 27 slides
PgBouncer and a Bit of Queueing Theory Peter Eisentraut peter.eisentraut@2ndquadrant.com

PgBouncer and a Bit of Queueing Theory Peter Eisentraut peter.eisentraut@2ndquadrant.com

PgBouncer and a Bit of Queueing Theory Peter Eisentraut peter.eisentraut@2ndquadrant.com @petereisentraut client client client client client client client client client client client DB max_connections = 10000 max_connections =

592 views • 27 slides
Primary/Backup CS 452 Single-node key/value store Client Put key1 value1 Client

Primary/Backup CS 452 Single-node key/value store Client Put key1 value1 Client

Primary/Backup CS 452 Single-node key/value store Client Put key1 value1 Client Redis Put key2 value2 Client Get key1 Single-node state machine Client Op1 args1 State machine Client Op2 args2 Client Op

942 views • 42 slides
Primary/Backup CS 452 Single-node key/value store Client Put key1 value1 Client

Primary/Backup CS 452 Single-node key/value store Client Put key1 value1 Client

Primary/Backup CS 452 Single-node key/value store Client Put key1 value1 Client Redis Put key2 value2 Client Get key1 Single-node state machine Client Op1 args1 State machine Client Op2 args2 Client Op

788 views • 46 slides
ADS UI Replacement Training Part 1 Gina Wansor Sr. Client Trainer, Customer Readiness June 11,

ADS UI Replacement Training Part 1 Gina Wansor Sr. Client Trainer, Customer Readiness June 11,

ADS UI Replacement Training Part 1 Gina Wansor Sr. Client Trainer, Customer Readiness June 11, 2020 ISO PUBLIC Revision 7/2/2020 Objectives After this training, the attendee will be able to: Identify upcoming dates, changes, and

585 views • 54 slides
cert.govt.nz security week slides https://www.cert.govt.nz/ PART 2 Matts Security Tips and

cert.govt.nz security week slides https://www.cert.govt.nz/ PART 2 Matts Security Tips and

Before we get started cert.govt.nz security week slides https://www.cert.govt.nz/ PART 2 Matts Security Tips and Tricks Hackers What do they want? Your Financial or Personal Info Hack your bank accounts, transfer money Sell

868 views • 39 slides
Caching and Mobility Support in a Publish-Subscribe Internet Architecture George Xylomenos,

Caching and Mobility Support in a Publish-Subscribe Internet Architecture George Xylomenos,

Caching and Mobility Support in a Publish-Subscribe Internet Architecture George Xylomenos, Xenofon Vasilakos, Christos Tsilopoulos, Vasilios A. Siris, and George C. Polyzos Presented by Max Nicosia Motivation Need for Mobility

573 views • 17 slides
Cache Algorithms Online Algorithm Huaping Wang Apr.21 1 Outline Introduction of cache

Cache Algorithms Online Algorithm Huaping Wang Apr.21 1 Outline Introduction of cache

Cache Algorithms Online Algorithm Huaping Wang Apr.21 1 Outline Introduction of cache algorithms A worst-case competitive analysis of FIFO and LRU algorithms The randomized marker algorithm Competitive analysis for the randomized marker

291 views • 27 slides
Slide 2 Caching is both the most effective AND the most cost-effective method for schools to

Slide 2 Caching is both the most effective AND the most cost-effective method for schools to

Slide 2 Caching is both the most effective AND the most cost-effective method for schools to optimise internet connections. ApplianSys caching appliance CACHE BOX is the most widely selected caching solution by far in the E-Rate program since

600 views • 30 slides
Best Practices for Choosing Content Reporting Tools and Datasources Andrew Grohe Pentaho

Best Practices for Choosing Content Reporting Tools and Datasources Andrew Grohe Pentaho

Best Practices for Choosing Content Reporting Tools and Datasources Andrew Grohe Pentaho Director of Services Delivery, Hitachi Vantara Agenda Discuss best practices for choosing content with Pentaho Business Analytics Platform. This session

273 views • 25 slides
TOR BROWSER FORENSICS ON WINDOWS OS MATTIA EPIFANI, FRANCESCO PICASSO, MARCO SCARITO, CLAUDIA MEDA

TOR BROWSER FORENSICS ON WINDOWS OS MATTIA EPIFANI, FRANCESCO PICASSO, MARCO SCARITO, CLAUDIA MEDA

TOR BROWSER FORENSICS ON WINDOWS OS MATTIA EPIFANI, FRANCESCO PICASSO, MARCO SCARITO, CLAUDIA MEDA DFRWS 2015 DUBLIN, 24 MARCH 2015 REAL CASE Management salaries of a private company were published on a Blog Through an analysis of the

228 views • 21 slides
WordPress Site Speed WordPress Maui Meetup - October 15, 2015 Why Does Speed Matter? A ff

WordPress Site Speed WordPress Maui Meetup - October 15, 2015 Why Does Speed Matter? A ff

WordPress Site Speed WordPress Maui Meetup - October 15, 2015 Why Does Speed Matter? A ff ects Google ranking and page crawling since 2010 Akamai survey: 75% of the 1,058 people asked would not return to websites that took longer than 4

166 views • 15 slides

More recommend