zone poisoning and gdpr
play

Zone Poisoning and GDPR Maciej Korczyski , Carlos Gan, Micha Krl, - PowerPoint PPT Presentation

Sep 21, 2023 •258 likes •606 views

Zone Poisoning and GDPR Maciej Korczyski , Carlos Gan, Micha Krl, Orcun Cetin, Qasim Lone, and Michel van Eeten Grenoble Institute of Technology, UGA maciej.korczynski@univ-grenoble-alpes.fr TechDay@ICANN63, Barcelona 22 October 2018

  1. Zone Poisoning and GDPR Maciej Korczyński , Carlos Gañán, Michał Król, Orcun Cetin, Qasim Lone, and Michel van Eeten Grenoble Institute of Technology, UGA maciej.korczynski@univ-grenoble-alpes.fr TechDay@ICANN63, Barcelona 22 October 2018

  2. Agenda • Attacks against DNS name resolution path • What is zone poisoning? • Root problem: misconfigured dynamic updates in DNS • Zone poisoning (requirements, specifics, threats, demo) • Global measurement • Affected domains and DNS servers • Notifications • Conclusions

  3. Attacks against DNS name resolution path • Most attacks compromise the resolution path somewhere between the user and the authoritative name server for a domain Source: https://www.dns-oarc.net/files/pres/OARC-CENTRtech31.pdf

  4. Attacks against DNS name resolution path • Most attacks compromise the resolution path somewhere between the user and the authoritative name server for a domain • E.g. Traditional cache poisoning attacks or attacks against individual clients being directed to use a rogue DNS server * * Dagon et al, Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority, in NDSS, 2008

  5. Attacks against DNS name resolution path • What about attacks against the authoritative end of the path (authoritative DNS servers)?

  6. Attacks against DNS name resolution path • What about attacks against the authoritative end of the path (authoritative DNS servers)? • Domain Shadowing: is the process of using users domain registration logins to create malicious subdomains

  7. Attacks against DNS name resolution path • What about attacks against the authoritative end of the path (authoritative DNS servers)? • Domain Shadowing: is the process of using users domain registration logins to create malicious subdomains * E.g.: legitimate.com • secure.wellsfargo.legitimate.com • bankofamerica.legitimate.com • hsbc.com.legitimate.com • … * Biasini, N., and Esler, J. Threat Spotlight: Angler Lurking in the Domain Shadows. http://blogs.cisco.com, March 2015.

  8. Attacks against DNS name resolution path • What about attacks against the authoritative end of the path (authoritative DNS servers)? • A more ambitious vector is hacking the registrars directly * E.g. Twitter and New York Times websites replaced in August 2013 * Arthur, C. Twitter and New York Times Still Patchy as Registrar Admits SEA Hack. https://www.theguardian.com, 2013.

  9. Attacks against DNS name resolution path • We explore an attack against the authoritative end of the path: the zone file of the authoritative name server using non-secure DNS dynamic update protocol extension * * "Zone Poisoning: The How and Where of Non-Secure DNS Dynamic Updates", Maciej Korczyński , Michal Król, and Michel van Eeten, ACM SIGCOMM Internet Measurement Conference (IMC'16) , pages 271-278, Santa Monica, November 2016

  10. Dynamic updates in DNS • Complies with the standard DNS message • Can add/delete any type of resource record (A, AAAA, CNAME, NS, etc.) • Propagates between slave and master servers • Server verifies if: • Prerequisites set by the requestor are met (e.g. RR exists) • Restrictions are met (if any)

  11. Secure dynamic updates • Security considerations in the original RFC 2136 • Security measures (RFC 2137 -> RFC 3007) • DNS Security Extensions • Public-key authentication • Resource heavy • Secret Key Transaction Authentication for DNS (TSIG) • Shared secret • HMAC-MD5 • Lightweight

  12. Implementations • BIND • Disabled by default • ''allow-update" with a list of allowed hosts (with available option "any") • TSIG supported since 8.2

  13. Implementations • BIND • Disabled by default • ''allow-update" with a list of allowed hosts (with available option "any") • TSIG supported since 8.2 zone "example.com" { type master; file "db.example.com"; allow-update { 192.2.2.200; }; // just our DHCP server };

  14. Implementations • BIND • Disabled by default • ''allow-update" with a list of allowed hosts (with available option "any") • TSIG supported since 8.2 zone "example.com" { type master; file "db.example.com"; allow-update { 192.2.2.200; }; // just our DHCP server }; • Microsoft DNS • By default updates only via extended TSIG • Non-secure updates also allowed • Secure updates not available for standard primary zones

  15. Zone poisoning • Requirements: • Non-secure updates allowed • The attacker knows the name of a zone and its NS • Specifics: • Single packet attack • No need to get response • Difficult to detect • Threats: • Running fake website/mail server • Reputation abuse ( paypal.user.example.com ) • Subdomain delegation

  16. Zone poisoning • Requirements: • Non-secure updates allowed • The attacker knows the name of a zone and its NS • Specifics: • Single packet attack • No need to get response • Difficult to detect • Threats: • Running fake website/mail server • Reputation abuse ( paypal.user.example.com ) • Subdomain delegation :~$ nsupdate > server 192.2.2.101 > zone example.com > update add paypal.example.com 86400 A 10.10.10.10 > send

  17. Ethical considerations • Single packet sent • No modifications on existing records • Previous state restored on all servers • Website reference in the added record • Opt-out mechanism • Notifications

  18. Datasets • Alexa top 1 Million domains • Other datasets • DNSDB (Farsight Security* ) • Project Sonar Data Repository* * • Zone files * https://www.farsightsecurity.com ** https://scans.io

  19. Affected domains and name servers • First global scan (October 2016) • First campaign (April 2016): • Second global scan (February 2017) • Random sample • 2,626 A resource records • 188 name servers • All campaigns: • 1,877 domains (0.065%) • 5 Billion packets • Alexa 1M • 752,511 A RR • 881 added A RRs • 7,333 name servers • 560 name servers • 418,573 domains (2 nd level • 587 domains (0.062%) domains and subdomains)

  20. Affected domains Type in # in % Business 181 31 Entertainment 92 15.7 Educational 90 15.3 Governmental 56 9.5 News services 41 7 Adult 13 2.2 Financial services 9 1.5 Health care 8 1.4 Other 95 16.2 Total 587 100

  21. Affected domains Type in # in % Business 181 31 Entertainment 92 15.7 Educational 90 15.3 Governmental 56 9.5 News services 41 7 Adult 13 2.2 Financial services 9 1.5 Health care 8 1.4 Other 95 16.2 Total 587 100

  22. Servers: implementation distribution All servers Vulnerable servers

  23. Notifications • After the first global scan we sent notifications to: • DNS service providers (DNS SOA records) • Generic email addresses ( abuse@domain, hostmaster@domain ) • Website owners (domain WHOIS) • network operators (IP WHOIS) • Notifications with demonstrative content (external link demonstrating an existence of the vulnerability) vs. standard vulnerability notification

  24. Notifications • Obtaining WHOIS data at scale is a problem • Contact information is extremely unreliable • 40% of emails to domain owners, failed to be delivered (registrant WHOIS) • RFC standards are widely ignored • 70% of the emails sent to the persons responsible for the name servers (DNS SOA RNAME) , affected by zone poisoning, failed to be delivered • 84% of the messages to generic emails ( hostmaster@domain, abuse@domain ) generated a delivery failure. • Network operators are more reachable • 8,6% generated a delivery failure. * "Make Notifications Great Again: Learning How to Notify in the Age of Large-Scale Vulnerability Scanning", Orcun Cetin, Carlos Ganan, Maciej Korczyński and Michel van Eeten, WEIS 2017 , La Jolla, CA, June 2017

  25. Notifications • Notifications did lead to more remediation than in the control groups (11% - 18% in comparison to 5% in control group) • Overall remediation rates were low • Remediation did not improve when a website was provided with a live demonstration of the vulnerability * "Make Notifications Great Again: Learning How to Notify in the Age of Large-Scale Vulnerability Scanning", Orcun Cetin, Carlos Ganan, Maciej Korczyński and Michel van Eeten, WEIS 2017 , La Jolla, CA, June 2017

  26. Notifications • Ongoing study: notifications to CERTS • 7 notifications campaigns: • 1 st -- 3 rd campaign targeted to TF-CSIRTs (Task Force on Computer Security Incident Response Teams) • 4 th -- 7 th campaign targeted to National CERTs

  27. Notifications

  28. National CERTs across continents Vulnerable Vulnerable Remediate Remediate domains servers d Domains d Servers Eastern Asia 2449 860 32000 1194 Northern 2159 827 3416 1257 America Western Asia 1205 247 1506 368 South America 691 210 959 362 South-Eastern 581 182 790 272 Asia Eastern 281 180 655 307 Europe Northern 538 177 829 279 Europe Western 521 158 1090 286 Europe Southern Asia 313 141 707 242 Southern 345 117 623 196 Europe Others 410 206 951 337

  29. Notification campaigns summary • 752,511 A RR -> 11,912 A RR (remediation: 98,4% ) • 418,573 domains -> 9,535 (remediation: 97,7% ) • 7,333 name servers -> 3,345 (remediation: 45,6% )

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

GDPR How does it apply to me? What is GDPR? It is the LAW! What is GDPR? The General Data

GDPR How does it apply to me? What is GDPR? It is the LAW! What is GDPR? The General Data

GDPR How does it apply to me? What is GDPR? It is the LAW! What is GDPR? The General Data Protection Regulation Came into force on May 25 th Replaces the current 1995 Data Protection Directive and Data Protection Act (1998). What is GDPR?

570 views • 18 slides
CARBON MONOXIDE POISONING The Silent Killer PATHOPHYSIOLOGY OF CARBON MONOXIDE 1. CO poisoning

CARBON MONOXIDE POISONING The Silent Killer PATHOPHYSIOLOGY OF CARBON MONOXIDE 1. CO poisoning

CARBON MONOXIDE POISONING The Silent Killer PATHOPHYSIOLOGY OF CARBON MONOXIDE 1. CO poisoning is the most common exposure poisoning in the United States and the rest of the world. 2. It is an odorless, colorless gas that can cause sudden

198 views • 15 slides
Poison and Poisoning Azwin bin Md Tumin National Poison Centre Outline a. Definition b.

Poison and Poisoning Azwin bin Md Tumin National Poison Centre Outline a. Definition b.

Poison and Poisoning Azwin bin Md Tumin National Poison Centre Outline a. Definition b. Forefathers of toxicology c. Famous poisoning cases d. Misconception about poisoning e. Basic principles of poisoning f. Factors influencing toxic

843 views • 16 slides
Pharmacists Role in Prevention & Management of Poisoning Prof. Rahmat Awang National Poison

Pharmacists Role in Prevention & Management of Poisoning Prof. Rahmat Awang National Poison

Overview of Poisoning Incidence and the Pharmacists Role in Prevention & Management of Poisoning Prof. Rahmat Awang National Poison Centre Universiti Sains Malaysia 1st. National Poisoning Symposium 2016: Pharmacists Role in Poisoning

570 views • 33 slides
Data minimization & concentration: Intended and unintended consequences of the GDPR Garrett

Data minimization & concentration: Intended and unintended consequences of the GDPR Garrett

garjoh_canuck Data minimization & concentration: Intended and unintended consequences of the GDPR Garrett Johnson (Boston U) Scott Shriver (U Colorado Boulder) GDPR Impact GDPR General Data Protection Regulation EU EEA Brexit GDPR

833 views • 27 slides
DNS Cache Poisoning Attack Introduction The purpose of this presentation is to dissect the

DNS Cache Poisoning Attack Introduction The purpose of this presentation is to dissect the

Anatomy of a DNS Cache Poisoning Attack Introduction The purpose of this presentation is to dissect the Domain Name System (DNS) Cache Poisoning Cyber attack. We will cover: - Real-world examples of DNS cache poisoning - A defjnition of

607 views • 58 slides
Protection Regulation (GDPR) Presentation Structure What is the GDPR? When and where does

Protection Regulation (GDPR) Presentation Structure What is the GDPR? When and where does

Presentation by Michalis Mantzaris, PhD Introduction to General Data Protection Regulation (GDPR) Presentation Structure What is the GDPR? When and where does it apply? Consisting elements and Guideline provision Key changes and

605 views • 23 slides
Overview What is the GDPR? What are the main changes? Risks? What do you need to do

Overview What is the GDPR? What are the main changes? Risks? What do you need to do

Overview What is the GDPR? What are the main changes? Risks? What do you need to do to be compliant? Data Breaches How does the GDPR affect you? Steps to Compliance Summary What is the GDPR? q The EU's General Data

355 views • 17 slides
PROTECTION REGULATIONS May 2018 GDPR What is GDPR What is different Principles

PROTECTION REGULATIONS May 2018 GDPR What is GDPR What is different Principles

GENERAL DATA PROTECTION REGULATIONS May 2018 GDPR What is GDPR What is different Principles of of GDPR How does it effect school How are school preparing How does it effect individual staff How can

475 views • 12 slides
Welcome Agenda GDPR is in force now and applies to Australian businesses What does GDPR require?

Welcome Agenda GDPR is in force now and applies to Australian businesses What does GDPR require?

Welcome Agenda GDPR is in force now and applies to Australian businesses What does GDPR require? How does an Australian business comply? Action Plan Section 1: GDPR is here Privacy in the digital age Historically, privacy was almost

513 views • 40 slides
Click to add title Click to add subtitle Before the GDPR: the great GDPR compliance panic The

Click to add title Click to add subtitle Before the GDPR: the great GDPR compliance panic The

Almost one year after the GDPR, where are we now? Click to add title Click to add subtitle Before the GDPR: the great GDPR compliance panic The first year of the GDPR can best be described as "quiet test run. What are the most striking

405 views • 8 slides
GDPR T owards Compliance 25 May 2018 Wha hat t is GDPR? EU Data Protection Directive EU

GDPR T owards Compliance 25 May 2018 Wha hat t is GDPR? EU Data Protection Directive EU

GDPR T owards Compliance 25 May 2018 Wha hat t is GDPR? EU Data Protection Directive EU General Data Protection 1995 Regulation 2016 Data Protection Act 1998 Data Protection Bill 2017-19 Fines DPA GDPR Maximum Fine 500k Two

622 views • 17 slides
Childhood Lead Poisoning in Ohio 2 Objectives Overview of childhood lead poisoning in Ohio

Childhood Lead Poisoning in Ohio 2 Objectives Overview of childhood lead poisoning in Ohio

1 Childhood Lead Poisoning in Ohio 2 Objectives Overview of childhood lead poisoning in Ohio Provide an overview of the Public Health Lead Investigation Process Bring awareness to funding resources for lead hazard control 3

1.35k views • 71 slides
Poisoning Attacks: p-Tampering and Poison Frogs Simons Robustness Reading Group Bolton Bailey

Poisoning Attacks: p-Tampering and Poison Frogs Simons Robustness Reading Group Bolton Bailey

Poisoning Attacks: p-Tampering and Poison Frogs Simons Robustness Reading Group Bolton Bailey July 1, 2019 What is a Poisoning Attack? Data poisoning is an attack on machine learning models wherein the attacker adds (or modifies) examples

1.28k views • 12 slides
GDPR Dont be scared Even if you cant answer all the questions on the form GDPR Dont

GDPR Dont be scared Even if you cant answer all the questions on the form GDPR Dont

GDPR Dont be scared Even if you cant answer all the questions on the form GDPR Dont be scared 60% of people welcome the rights under GDPR 48% of UK adults plan to activate their rights 56% welcome the right to object to marketing

1.32k views • 37 slides
GDPR Breach & Automated Decision Making Part 5 of our series on GDPR and its impact on the

GDPR Breach & Automated Decision Making Part 5 of our series on GDPR and its impact on the

GDPR Breach & Automated Decision Making Part 5 of our series on GDPR and its impact on the recruitment industry This webinar is provided for information purposes and is NOT intended to be legal advice pertaining to the subject matter. If you

617 views • 38 slides
Poisoning Attack Analysis Jeffrey Zhang Universal Multi-Party Poisoning Attacks Saeed

Poisoning Attack Analysis Jeffrey Zhang Universal Multi-Party Poisoning Attacks Saeed

Poisoning Attack Analysis Jeffrey Zhang Universal Multi-Party Poisoning Attacks Saeed Mahloujifar Mohammad Mahmoody Ameer Mohammed, ICML 2019 Multi-party Learning Application: Federated Learning Federated Learning : Train a centralized

589 views • 34 slides
Welcome! Philadelphia Has More Than 3x As Many Poisoned Children Compared to Flint, Michigan

Welcome! Philadelphia Has More Than 3x As Many Poisoned Children Compared to Flint, Michigan

Philly Lead Poisoning Prevention Summit Welcome! Philadelphia Has More Than 3x As Many Poisoned Children Compared to Flint, Michigan Note: Graph measures children under 7 years old. Summit Goals: Eliminating Lead Hazards So Children Are

253 views • 10 slides
FIREWISE PRINCIPLES Mountain Shadows June 23, 2012 Fire Behavior and Firewise: 1) You cant

FIREWISE PRINCIPLES Mountain Shadows June 23, 2012 Fire Behavior and Firewise: 1) You cant

FIREWISE PRINCIPLES Mountain Shadows June 23, 2012 Fire Behavior and Firewise: 1) You cant change the topography ; 2) Everybody talks about the weather, but nobody does anything about it; ----Mark Twain 3) The ) The only y wa way y

570 views • 23 slides
Who are the Sikhs? The Punjabi word ' Sikh means learner. We are knowledge seekers,

Who are the Sikhs? The Punjabi word ' Sikh means learner. We are knowledge seekers,

Who are the Sikhs? The Punjabi word ' Sikh means learner. We are knowledge seekers, learning from our Gurus about God. We are learning from one another and from life. On Calhoun, look for our Nishaan Sahib (flag) covered in

504 views • 36 slides
Education Daniel F. ONeill, Psy.D. Linda L. McDowell, Ph.D. Millersville University Freshman

Education Daniel F. ONeill, Psy.D. Linda L. McDowell, Ph.D. Millersville University Freshman

CHOICES: An Innovative Approach to Alcohol Education Daniel F. ONeill, Psy.D. Linda L. McDowell, Ph.D. Millersville University Freshman Year Experience National Conference February 9, 2009 Orlando, Florida CALL TO ACTION A Call to

321 views • 30 slides
Drugs during Confinement: A look at different sources of information Jorge Ameth Villatoro

Drugs during Confinement: A look at different sources of information Jorge Ameth Villatoro

Drugs during Confinement: A look at different sources of information Jorge Ameth Villatoro Velzquez Coordinator of the Surveys and Data Analysis Unit Ramn de la Fuente Muiz National Institute of Psychiatry Online Training Seminar Drug

387 views • 25 slides
Learnings (and stories) from the Canadian Managed Alcohol Program Study (CMAPS) Bernie Pauly

Learnings (and stories) from the Canadian Managed Alcohol Program Study (CMAPS) Bernie Pauly

Learnings (and stories) from the Canadian Managed Alcohol Program Study (CMAPS) Bernie Pauly RN, Ph.D,)Tim Stockwell (Ph.D) , and CMAPS Team Territorial Acknowledgement Funded by: Harms of Alcohol Use Acute Social Chronic Injuries

566 views • 42 slides
Non-HIV-related causes of death in people w ith AIDS in New York City, 1999-2003 DB Hanna, MR

Non-HIV-related causes of death in people w ith AIDS in New York City, 1999-2003 DB Hanna, MR

Non-HIV-related causes of death in people w ith AIDS in New York City, 1999-2003 DB Hanna, MR Pfeiffer, LV Torian, JE Sackoff HIV Epidemiology Program NYC Department of Health and Mental Hygiene January 27, 2005 AIDS mortality rate by

372 views • 36 slides

More recommend