The document discusses recent developments in DNS, including DNS cookies, DNSSEC, and DANE for SMIME authentication. It describes how DNS cookies provide weak authentication for queries and responses to help mitigate DDoS attacks. It outlines how DNSSEC and the DANE protocol enable SMIME authentication via DNS resource records. The document also summarizes evolving DNS amplification attacks and methods to mitigate them, such as limiting queries from misbehaving clients and blacklisting open recursive resolvers.
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2... | APNIC
This document discusses a "Water Torture" DNS DDoS attack targeting QTNet, a Japanese telecommunications carrier. The attack works by botnets sending large numbers of random DNS queries to open resolvers, overwhelming cache DNS servers. QTNet saw this traffic grow in May 2014, overloading their cache DNS server. To block the attack, QTNet used the iptables hashlimit module to limit queries to authoritative DNS servers, and is asking customers to update router firmware to prevent open resolvers. The fundamental problems are open resolvers enabling reflection and direct traffic from botnets, and QTNet may implement IP address blocking of port 53 traffic from the internet.
This document discusses DNS cache poisoning vulnerabilities, including:
- Explanations of how cache poisoning works by entering non-authoritative records into a resolver's cache.
- A timeline of vulnerabilities discovered from 1993-2008 related to implementation issues that allowed cache poisoning.
- Countermeasures like DNSSEC that add authentication and integrity to DNS to prevent cache poisoning attacks.
This document discusses DNS DDoS attack types and defenses. It describes the history of major DNS DDoS attacks from 2012 to 2013, including attacks against Spamhaus and GoDaddy. It then analyzes different DNS DDoS attack types like bandwidth consuming attacks, massive query attacks, amplification attacks using open resolvers, and attacks using non-existent domain queries. Finally, it discusses defenses like packet filtering, rate limiting, response rate limiting (RRL), and distributing DNS infrastructure.
This document discusses DNS cache poisoning. It begins by explaining what DNS is and its purpose of mapping domain names to IP addresses. It then discusses how DNS servers implement caching to improve performance and defines DNS cache poisoning as getting unauthorized entries into a DNS server's cache. The document outlines how an attacker could poison a cache to redirect traffic to a machine they control in order to perform man-in-the-middle attacks or install malware. It describes various methods of poisoning caches locally or remotely, such as between end users and nameservers or between nameservers themselves using the Kaminsky attack. Defenses like DNSSEC are mentioned along with encouragement to try cache poisoning in a controlled lab environment.
Install and Understand DNSSEC in Linux Server running BIND 9 with CHROOT JAIL system and Service.
By Utah Networxs
Follow - @fabioandpires
Follow - @utah_networxs
DNS protocol design attacks and security | Michael Earls
The document discusses DNS security and attacks such as cache poisoning, denial of service attacks through query flooding, and man-in-the-middle attacks through DNS hijacking. It provides examples using tools like dnsFlood.pl and dnshijacker to demonstrate these attacks, and recommends mitigations like restricting queries, preventing unauthorized zone transfers, using DNSSEC, and configuring TSIG to secure DNS messages.
In this installment of the Men & Mice webinar series, Mr. Carsten Strotmann will talk about the role that DNS plays in fighting malware and spam.
The discussion will dig into DNS blacklists, domain reputation, Response Policy Zones and how the new TLDs have changed the game.
This document provides an introduction to a DNSSEC training course hosted by RIPE NCC. It explains that DNSSEC protects against DNS spoofing and data corruption by using digital signatures to authenticate DNS data and establish its integrity. The course aims to raise awareness of DNSSEC and provide guidance on deployment. It outlines DNSSEC mechanisms like using new resource records and signing zones to authenticate communication between servers and establish authenticity of DNS data.
The document discusses DNS DDoS attacks and possible mitigations. It notes that the October 2016 DDoS attack against DNS provider DYN used compromised IoT devices to launch queries against authoritative name servers, exhausting their resources. Potential mitigations discussed include increasing server capacity, longer TTLs to reduce query frequency, filtering queries by name or IP, and leveraging DNSSEC with NSEC aggressive caching to have recursive resolvers directly answer NXDOMAIN queries rather than referring them to authoritative servers. However, the document argues that piecemeal solutions will not prevent future attacks and a more resilient DNS infrastructure is needed through open discussion and cooperation across stakeholders.
Encrypted DNS - DNS over TLS / DNS over HTTPS | Alex Mayrhofer
Encryption is coming to mainstream DNS. This briefing discusses the history, protocols and architecture of encrypted DNS, specifically DNS over TLS and DNS over HTTPS. It also describes the impact of DoT and DoH on various operational models.
This briefing was given during DNSheads Vienna #5 at the nic.at office in Vienna on Jan 30 2018.
1. The DNS is widely used but lacks security measures like encryption, making it easy to monitor users' activities and inject false responses.
2. Efforts to add authenticity through DNSSEC have had limited success due to technical challenges and lack of adoption.
3. The DNS is increasingly being used for application-level functions through extensions, but this increases the privacy risks as DNS queries reveal more user intentions.
4. Solutions exist like DNS over TLS and DNS over HTTPS to provide encryption, but full deployment faces economic and technical barriers, risking further fragmentation of the DNS.
1. The document discusses DNS cache poisoning using a man-in-the-middle attack. It provides details on setting up the attack using Kali Linux, Windows Server 2008, and Windows 7. It clones the Facebook website and poisons the DNS cache so traffic is redirected to the fake site.
2. Testing confirms the attack was successful when pinging the fake Facebook site returns the IP of the Kali machine for both Windows systems. The document also proposes short and long-term solutions to prevent DNS cache poisoning attacks, such as disabling open recursive name servers and implementing DNSSEC.
3. In conclusion, the document notes that while DNS cache poisoning is easy to set up, protection requires more effort but is still important for network
(NET308) Consolidating DNS Data in the Cloud with Amazon Route 53 | Amazon Web Services
In this session, we show you how to use Amazon Route 53 to consolidate your DNS data and manage it centrally. Learn how to use Amazon Route 53 for public DNS and for private DNS in VPC, and also learn how to combine Amazon Route 53 private DNS with your own DNS infrastructure.
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38] | APNIC
This document provides an overview of DNSSEC (Domain Name System Security Extensions). It discusses how DNSSEC introduces digital signatures to cryptographically protect DNS data and prevent man-in-the-middle attacks. It also describes some common DNS record types used in DNSSEC like DNSKEY, RRSIG, and DS. The document notes that while DNSSEC deployment has increased in top-level domains and root servers, adoption remains low at the second-level domain level, and more work is still needed for full deployment.
Part 2 - Local Name Resolution in Windows Networks | Men and Mice
This webinar discusses local name resolution protocols in Windows networks. It focuses on Link Local Multicast Name Resolution (LLMNR) and Peer Name Resolution Protocol (PNRP). LLMNR provides serverless name resolution on the local subnet using multicast queries. PNRP is a peer-to-peer name resolution protocol that operates over IPv6 or IPv4-IPv6 tunnels. The webinar explains how these protocols work, how to configure and use them, and potential security issues to be aware of when using them. It also advertises upcoming Men & Mice training courses on DNS and name resolution topics.
Google has changed Chrome's code to enforce HTTPS encryption on all ".dev" domains by default. This causes problems for developers who use ".dev" locally without HTTPS. Alternatives for local domain names include subdomains of owned domains, reserved domains like ".test", or protocols besides DNS like LLMNR and mDNS. Unbound and BIND can configure local zones to resolve names without internet access.
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption | Sam Bowne
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F18.shtml
CNIT 40: 1: The Importance of DNS Security | Sam Bowne
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Website: https://samsclass.info/40/40_F16.shtml
Updated 8-21-17
DNS High-Availability Tools - Open-Source Load Balancing Solutions | Men and Mice
The DNS protocol has built-in high availability for authoritative DNS servers (this will be better explained in the webinar!), but client machines can see a degraded DNS service if a DNS resolver (caching DNS server) is failing.
In this webinar, we will look into how the DNS clients in popular operating systems (Windows, Linux, macOS/iOS) choose the DNS resolver among a list of available servers, and how a DNS resolver service can be made failure-tolerant with open-source solutions such as “dnsdist” from PowerDNS and “relayd” from OpenBSD.
The document discusses various methods for securing DNS, including restricting zone transfers to prevent enumeration of internal hosts, restricting dynamic updates to authorized sources, protecting against spoofing by disabling recursion and restricting queries, and implementing a split DNS configuration to control external visibility of internal domains. It provides configuration examples for BIND and Microsoft DNS servers to implement these security remedies.
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS | Men and Mice
The focus of this webinar will be to take a deeper look into this local name-resolution system and the implementations for other Unix systems like Linux and FreeBSD. Linux’s new über-Daemon “systemd” supports both mDNS and the Windows LLMNR (Link-Local-Multicast-Name-Resolution). We will also show how well a Systemd-Linux behaves in heterogeneous networks running both Windows and macOS.
CNIT 40: 4: Monitoring and detecting security breaches | Sam Bowne
Used in this "DNS Security" course:
https://samsclass.info/40/40_F17.shtml
Based on "DNS Security" by Anestis Karasaridis, Amazon Digital Services, Inc., ASIN: B007ZW50WE
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
The document discusses using an experimental system that can perform thousands of DNS and HTTP measurements per day on random internet users to test DNSSEC implementation. It proposes configuring five domains - one validly signed, one invalidly signed, one with IPv6-only NS, one with large IPv6 responses, and one without DNSSEC - to test clients' DNSSEC support, validation, IPv6 capability, and response handling. Initial results from testing 1.8 million clients worldwide found 4.4% of resolvers and 14.15% of clients appear to support DNSSEC. Further analysis of 7,500 New Zealand experiments identified variability between internet providers in estimated DNSSEC support rates. Future work to improve DNSSEC activity detection is proposed.
4Developers 2015: Business processes from the attacker's perspective - Mateusz Olejarka | PROIDEA
Mateusz Olejarka
Language: Polish
Business processes in web applications are an interesting target for a potential intruder. They are the key parts of an application, the ones that create value for both the user and the application owner. During the presentation we will look at a number of example processes from an attacker's perspective. Together we will consider where in a given process to look for profit as an attacker and which test cases are worth checking. We will discuss what was wrong with the implementation, how to fix it, and what to avoid in the future.
Testing the security of business logic differs from looking for technical vulnerabilities. It requires less technical knowledge and a better understanding of the business assumptions. The presentation is a workshop and is geared towards interaction with participants. The presenter lays out the assumptions about a given process and its steps, leaving the audience to work out how to attack it.
JDD2014: Using ASCII art to analyze your source code with NEO4J and OSS tools ... | PROIDEA
If you ever looked at compilers’ ASTs, module dependencies and call graphs you’ve long realized that all the stuff we write is actually easily representable as a graph.
Some years ago I had the idea to pull the essence of Java Projects into the graph to have some fun. Nowadays there are several tools which help me do that and I can wield the power of Ascii-Art to query these interesting structures.
Join me for a peek into the JDK that you might not have ever done before. I’ll also show some OSS tools that help you with quickly getting started gaining insights.
I’ll talk about some cool applications that use this approach to gain insights that they were not easily able to otherwise.
PLNOG14: DNS as an underrated ISP weapon in the fight against malware ... | PROIDEA
Przemek Jaroszewski - CERT Polska
Language: Polish
DNS is a protocol that offers very broad possibilities for monitoring malware and actively fighting it, from algorithms and heuristics for detecting suspicious domains to DNS blackholing. These mechanisms are more effective the more parties are involved in them, not only in collecting and distributing information but also in removing threats. In this presentation we want to propose several projects which, through ISP cooperation, would raise the effectiveness of protecting users against malware to a new level.
Register for the next edition of PLNOG today: krakow.plnog.pl
4Developers 2015: Clean JavaScript code - only dream or reality - Sebastian Ł... | PROIDEA
Sebastian Łaciak
Language: English
JavaScript is no longer a language used only by secondary school students. It is a powerful tool to build next-generation web applications. You can use TDD, integration tests, simple IDEs, static code analysis, object-oriented design and well-known patterns. Can't believe it? See you in the new JS reality.
PLNOG14: Free tools supporting the process of securing your company - ... | PROIDEA
Borys Łącki - LogicalTrust
Language: Polish
Systematically looking after the security of systems and networks is a complicated and costly process. Drawing on many years of practical experience in securing companies' IT assets, the speaker will present the most popular tools that support managing the security of IT infrastructure in companies. Thanks to a practical summary of the advantages and disadvantages of the individual open solutions, attendees will be able to make better-informed decisions when choosing specific software.
Register for the next edition of PLNOG today: krakow.plnog.pl
PLNOG 13: Krystian Baniak: Value Added Services Platform | PROIDEA
Krystian Baniak is a Senior Security Consultant with over 14 years of industry experience from both telco and enterprise domains. Having started his professional career as a software developer, he continued as network engineer, penetration testing specialist and security auditor. Today he is a senior consultant and security solutions architect. Krystian Baniak's professional experience has been acquired on numerous international engagements.
From an educational standpoint, Krystian Baniak has a PhD in telecommunication, MSc in information system security and received certifications from ISC2, F5 and Cisco.
Topic of Presentation: Value Added Services Platform
Language: Polish
Abstract: Value Added Platform as a tool for service provider’s infrastructure monetization. Practical presentation of Infradata VAS platform solution architecture with a demo of the Content Injection and Parental Control services.
4Developers 2015: Legacy Code, survival school - Katarzyna Żmuda | PROIDEA
YouTube: https://www.youtube.com/watch?v=H5tz0Tv7Mys&list=PLnKL6-WWWE_WNYmP_P5x2SfzJ7jeJNzfp&index=29
Katarzyna Żmuda
Language: Polish
How do you work with code you inherited? How do you resist the temptation to add yet another IF, when everyone has been adding them for so many years and it worked after all? And how do you avoid giving in to the urge to rewrite everything from scratch?
During the presentation I will show the problems we run into when working with legacy code and ways to make that work ever easier and more pleasant.
The code examples will be written in C#.
PLNOG 13: M. Czerwonka, T. Kossut: IPv6 in mobile network | PROIDEA
Orange Polska presented their two-stage implementation of IPv6 in mobile networks. Their solution uses CLAT, PLAT, and DNS64 to provide a single path for IPv4 and IPv6 traffic. They discussed the IPv6 architecture, transition technologies, and statistics on IPv6 usage. Orange Polska also presented ongoing research on improving DNS64, PLAT, and developing combo NAT boxes. The presentation concluded with a demonstration of IPv6 tethering capabilities.
JDD2014: JEE'ish development without hassle - Jakub Marchwicki | PROIDEA
This happens in every community: You don’t need Rails, to build a web application in Ruby. You don’t need templating engine for PHP - PHP is a templating language! We over engineer and over engineer, again and again.
Same happens in Java. Hibernate + EJB + JSF is not the only blessed stack for development of web application… one can argue it’s the worst. Same with Spring; no longer lightweight, not so robust - still powerful but not necessarily the easiest. So what are the options for an average Java developer?
In this talk I’ll walk through multiple options for modern Java web development: easy, quick, flexible and still state of the art. Starting from just obvious unknowns like embedded Jetty, through micro pure web frameworks, smaller and bigger Swiss army knives, which try to promise both: cover most of the application stack, still keeping things robust.
JDD2014: What you won't read in books about implementing REST services - Jak... | PROIDEA
The document discusses RESTful API design and security best practices. It covers REST constraints like being stateless and cacheable. It also discusses topics like POST vs PUT, filtering queries, API documentation, handling exceptions, authentication, and preventing vulnerabilities like SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and XML external entities (XXE).
PLNOG 13: Emil Gągała: EVPN – a solution not only for the data center | PROIDEA
Ethernet VPN (EVPN) is a new standards-based protocol that interconnects Layer 2 domains over a shared IP/MPLS network. It improves on previous protocols like VPLS by supporting features like all-active multi-homing and control plane learning of MAC addresses. EVPN is ideally suited for datacenter interconnectivity but can also be used in other cases beyond just data centers. Major networking vendors support EVPN as shown by their participation in the relevant IETF working group.
4Developers 2015: Varnish tips & tricks - Piotr Pasich | PROIDEA
Piotr Pasich
Language: Polish
Phil Karlton claims there are only two hard things in programming: naming things and cache invalidation. One can safely say it is not just invalidation, but caching itself. Like almost everything in programming, Varnish was created to solve the most common problems, this time those related to storing data temporarily and delivering it to the user in the shortest possible time.
The presentation covers the most common problems and methods of solving them with Varnish, and a review of the tool's advanced capabilities: cache management, working with the API, security, and even streaming data over HTTP.
The importance of gender equality for a globally sustainable, secure food supply ... | SIANI
Viveka Carlestam presented WeEffect's specific focus on women in development work. WeEffect started as early as 1958 and has since been an aid organisation within the cooperative movement that works to improve people's living conditions over the long term. WeEffect works in more than 24 countries and with 160 local organisations. When it was discovered that women did not benefit to the same degree as men in its projects in Latin America, it decided in 2006 to devote more than 50% of its aid to women. Read more at: www.siani.se
Katarina Eriksson, Senior Project & Partnership Development Manager at Tetra ... | SIANI
The representative of the Private Sector, Katarina Eriksson, Senior Project & Partnership Development Manager at Tetra Laval, presented a school milk project that focuses simultaneously on reduction of malnutrition and on job creation in Thailand by developing local milk production.
This document discusses empowering women in agriculture to reduce gender barriers. It finds that the average yield gap between men and women farmers is 20-30% due to inequities in resource access, and closing this gap could increase agricultural output by 2.5-4% and reduce the number of undernourished people by 100-150 million. It then profiles three women - Monica Munachonga advocates for gender equity in government policies, Violet Shivutse empowers grassroots women, and Rudo Gaidzwana focuses on improving women's access to land and resources. The document calls for practical recommendations over the next few days to better empower women in agriculture.
Perennial possibilities for increasing food and ecosystem security | SIANI
This document discusses the potential benefits of perennial grain crops compared to annual crops. Model systems show that perennial grasslands harvested for over 75 years have higher soil carbon and nitrogen levels compared to annual wheat fields. Studies also show reductions in soil carbon stocks and aggregate stability when native grasslands are converted to annual cropland. Perennial crops could help address agriculture's impacts on biodiversity and ecosystems by diversifying crop rotations and reducing inputs. They also have potential for higher yields under certain conditions. Breeding programs are working to develop perennial versions of crops like sorghum, wheat and sunflowers to help increase food security while improving soil health and mitigating climate change. However, fully developing perennial grain crops suitable for
The Domain Name System (DNS) is a critical part of Internet infrastructure and the largest distributed Internet directory service. DNS translates names to IP addresses, a required process for web navigation, email delivery, and other Internet functions. However, the DNS infrastructure is not secure enough unless security mechanisms such as Transaction Signatures (TSIG) and DNS Security Extensions (DNSSEC) are implemented. To guarantee available and secure Internet services, it is important for networking professionals to understand DNS concepts, DNS security, configurations, and operations.
This course will discuss the concept of DNS operations in detail, mechanisms to authenticate the communication between DNS servers, mechanisms to establish the authenticity and integrity of DNS data, and mechanisms to delegate trust to public keys of third parties. Participants will take part in lab exercises and do configurations based on a number of scenarios.
ION Islamabad, 25 January 2017
By Champika Wijayatunga, ICANN
DNSSEC helps prevent attackers from subverting and modifying DNS messages and sending users to wrong (and potentially malicious) sites. So what needs to be done for DNSSEC to be deployed on a large scale? We’ll discuss the business reasons for, and financial implications of, deploying DNSSEC, from staying ahead of the technological curve, to staying ahead of your competition, to keeping your customers satisfied and secure on the Internet. We’ll also examine some of the challenges operators have faced and the opportunities to address those challenges and move deployment forward.
ION Trinidad and Tobago, 5 February 2015 - The Business Case for DNSSEC
Patrick Hosein (TTNIC)
DNSSEC helps prevent attackers from subverting and modifying DNS messages and sending users to wrong (and potentially malicious) sites. So how can we get DNSSEC deployed on a large scale? We’ll discuss the business reasons for, and financial implications of, deploying DNSSEC, from staying ahead of the technological curve, to staying ahead of your competition, to keeping your customers satisfied and secure on the Internet. We’ll also examine some of the challenges operators have faced and the opportunities to address those challenges and move deployment forward.
Signing DNSSEC answers on the fly at the edge: challenges and solutions | APNIC
Signing DNSSEC answers on the fly at the edge: challenges and solutions, by Jono Bergquist.
A presentation given at the APNIC 40 APOPS 2 session on Tue, 8 Sep 2015.
The document provides an overview of DNS history and requirements for maintaining a DNS infrastructure. It discusses how DNS has evolved since 1983 to support features like load balancing, geobalancing, failover, and security protocols. When choosing a DNS software product or service provider, key considerations include scalability, supported features, dynamic configuration, failover capabilities, and protection against DDoS attacks. Maintaining DNS with multiple service providers can improve performance and reliability compared to a single provider.
A contemporary network service depends heavily on the Domain Name System operating normally. Yet the issues and caveats of a typical DNS setup are often overlooked. DNS (like BGP before it) is expected to "just work" everywhere; however, just like BGP, it is a complex protocol and a complex solution where a lot of things can go wrong in multiple ways under different circumstances. This talk is meant to provide some assistance both in maintaining your own DNS infrastructure and in relying on service providers to do this.
Why Implement DNSSEC?
Champika Wijayatunga from ICANN discusses the importance of implementing DNSSEC. DNSSEC introduces digital signatures to cryptographically secure DNS data and protect against threats like cache poisoning, spoofing, and man-in-the-middle attacks. While DNSSEC does not protect against server threats or ensure data correctness, it does establish the authenticity and integrity of the DNS data retrieved. Fully implementing DNSSEC allows businesses and users to be confident they are receiving unmodified DNS information. However, more needs to be done to increase awareness and provide turnkey solutions in order for widespread DNSSEC adoption.
Infoblox - turning DNS from security target to security tool | Jisc
This document discusses how DNS has historically been exploited by malicious actors but can now be used as a security tool through techniques like Response Policy Zones (RPZs) and passive DNS. It explains how RPZs allow DNS servers to redirect or refuse queries based on policies. Passive DNS involves collecting DNS response data that can reveal suspicious activity patterns. Together, RPZs and passive DNS enable network administrators to leverage DNS to mitigate threats rather than just be complicit in attacks.
The document discusses various DNS security threats such as DNS hijacking, cache poisoning, and tunneling. It provides examples of how DNS tunneling works by encoding data in domain names and using subdomains for communication. The document also outlines some mitigation techniques for DNS tunneling, including payload analysis, traffic analysis, and restricting unusual DNS behaviors and record types.
Presentation on 'The Path to Resolverless DNS' by Geoff Huston | APNIC
Presentation on 'The Path to Resolverless DNS' by Geoff Huston for OARC 39 and 47th CENTR technical workshop, held in Belgrade on 22 and 23 October 2022
New DNS Traffic Analysis Techniques to Identify Global Internet Threats | OpenDNS
Leveraging DNS data to detect new Internet threats has been gaining in popularity in the past few years. However, most industry and academic work examines DNS solely from the authoritative layer through the use of passive DNS. This presentation covers three novel methods that can be used to detect network threats at an Internet scale by analyzing DNS traffic below and above the recursive layer, monitoring malware hosting IP infrastructures, and applying graph analytics on DNS lookup patterns.
This document provides a history of the development of the Domain Name System (DNS) and describes some of its key components and functions. It discusses how DNS was created in 1983 to provide a decentralized naming system as networks and sites grew larger. It also describes some important upgrades to DNS, including incremental zone transfers and notification mechanisms. Additionally, the document outlines DNS record types, zones, policies, and integration with DHCP. It provides examples of how policies can be used for application load balancing and filtering. Finally, it briefly discusses newer DNS features in Windows Server like response rate limiting, DANE support, unknown record types, and IPv6 root hints.
DNS Security WebTitan Web Filter - Stop Malware Dryden Geary
This document discusses the network threat challenges organizations face from malware, attacks, and exploits that target their DNS infrastructure. It outlines how DNS protection solutions like WebTitan can help by filtering high-risk websites in real-time to block malware, ransomware, viruses and other threats while enforcing acceptable web access policies. WebTitan provides complete DNS layer protection, custom filtering and reporting without any hardware or software to install.
Similar to PLNOG14: DNS, or what's new in the world of DNS-osaurs - Adam Obszyński (20)
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum... | APNIC
Adli Wahid, Senior Internet Security Specialist at APNIC, delivered a presentation titled 'Honeypots Unveiled: Proactive Defense Tactics for Cyber Security' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
Securing BGP: Operational Strategies and Best Practices for Network Defenders... | APNIC
Md. Zobair Khan, Network Analyst and Technical Trainer at APNIC, presented 'Securing BGP: Operational Strategies and Best Practices for Network Defenders' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
HijackLoader Evolution: Interactive Process Hollowing | Donato Onofri
CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities.
In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach, called "Interactive Process Hollowing", has the potential to make defense evasion stealthier.
Certified PL driver, dad, citizen, taxpayer
DNS - What's new in the world of (D)i(N)o(S)aurs.
DNS: a well-known and widely used protocol in networks and on the Internet.
Has anything new happened? Has anything changed in the standards?
Maybe a new form of attack has appeared?
I will try to tell you what is buzzing on the network when it comes to DNS.
If time and the quality of the Internet connection during the conference allow, I may be able to demonstrate a phenomenon that has been very fashionable lately ;-) What exactly?
I won't say.
Come to the session!
Presenter
Adam Obszyński (Infoblox)
DNS history – 2/3 slides
Q – DNS Cookies + DANE???
DDoS – attacks + protection, e.g. fetches or foresight
Popularity – conflicts in ggTLD
Paul Mockapetris
Notify Paul Vixie
If query received with bad or no Server Cookie, send back short error message
Bad guy Resolver behind a NAT
Could get Server Cookie and attack other resolvers behind the NAT
Solution: Mix Resolver Cookie into Server Cookie hash so multiple resolvers that appear to be at the same IP address are distinguished
Anycast Servers
Need to use the same server secret or assure that queries from the same resolver usually go to the same server
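The two deployment notes above (resolvers that share a NAT address, anycast servers that share a secret) can be checked with a short sketch. This is an added example, not code from the talk or from any DNS server; the function names, the sample values and the use of truncated HMAC-SHA256 as the cookie hash are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress

COOKIE_LEN = 8  # bytes kept from the MAC; constructed choice for this sketch


def make_cookie(secret: bytes, src_ip: str, resolver_cookie: bytes,
                mix: bool = True) -> bytes:
    """Server Cookie over the source IP, plus the Resolver Cookie when mix=True."""
    parts = [ipaddress.ip_address(src_ip).packed]
    if mix:
        parts.append(resolver_cookie)
    # Length-prefix each field so field boundaries cannot be shifted.
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(secret, msg, hashlib.sha256).digest()[:COOKIE_LEN]


def handle_query(secret: bytes, src_ip: str, resolver_cookie: bytes,
                 server_cookie: bytes = None, mix: bool = True) -> str:
    """Full answer only for a valid Server Cookie, otherwise the short error."""
    expected = make_cookie(secret, src_ip, resolver_cookie, mix)
    if server_cookie is not None and hmac.compare_digest(expected, server_cookie):
        return "answer"
    return "short-error"


# Constructed sample data: two resolvers behind one NAT address (TEST-NET-3).
NAT_IP = "203.0.113.7"
RESOLVER_A = bytes.fromhex("0102030405060708")
RESOLVER_B = bytes.fromhex("a1a2a3a4a5a6a7a8")
SECRET_SITE = b"shared-anycast-secret (constructed)"
SECRET_OTHER = b"unsynchronised-secret (constructed)"


def demo() -> dict:
    results = {}
    # A cookie issued to resolver B is presented alongside resolver A's cookie.
    for mix in (False, True):
        cookie_b = make_cookie(SECRET_SITE, NAT_IP, RESOLVER_B, mix)
        results[mix] = handle_query(SECRET_SITE, NAT_IP, RESOLVER_A, cookie_b, mix)
    cookie_a = make_cookie(SECRET_SITE, NAT_IP, RESOLVER_A)
    results["no_cookie"] = handle_query(SECRET_SITE, NAT_IP, RESOLVER_A)
    # Anycast: the same query lands on a node with the same or another secret.
    results["anycast_same_secret"] = handle_query(
        SECRET_SITE, NAT_IP, RESOLVER_A, cookie_a)
    results["anycast_other_secret"] = handle_query(
        SECRET_OTHER, NAT_IP, RESOLVER_A, cookie_a)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, "->", verdict)
```

With an IP-only hash the cookie issued to one resolver is accepted for every resolver behind the NAT; with the Resolver Cookie mixed in it is not, and an anycast node holding a different secret falls back to the short error.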
dig +dnssec type52 _443._tcp.www.freebsd.org
ICANN 51
ICANN 49
CHECK YOUR NS records….
Deployment of myTAC 2-Factor (2FA) authentication modules:
SMS – Computer authentication with verification using SMS
Smart – Smartphone application-based (iOS & Android)
Points of Protection
– Authentication Process
– Password Recovery
It may be a faster rate as well… 1000s of packets per second are possible, and we have seen it
Responses start with NXDOMAIN, gradually move to ServFail as the load increases, and then become non-responsive as the target victim’s DNS fails
The target could be the internal recursive server, in which case the volume of these queries from each client will be higher. If the target is a website (maybe a gaming site or govt site), then the rate from each client is slower to avoid detection, but a larger number of clients will originate these queries to DDoS the target victim.
Phantom domain mitigation - Automatic black-holing of non-responsive and misbehaving servers, and the zones they serve
A list of known dead servers and zones is created
ADP drops all queries to these servers on the non-responsive list
For traffic to flaky servers and zones, rate limiting is applied
Any server that exceeds the limit of responsiveness will be sent fewer queries for a configurable period of time
Limits configured through CLI
2. Adjustable recursive timeout
Timeout for recursive name lookup can be lowered to quickly free up DNS resolver resources under attack
Prevents maxing out on the number of outstanding DNS queries
What is the default now?? Are we changing the default??
Configured through CLI
We had given this to some customers who were experiencing NXD attacks. We are now productizing this.
A misbehaving server can pretend to be authoritative for lots of domains. So blackhole these servers.
We have learnt through customer experiences and the pcap files that there are multiple flavors of attacks that need different ways of mitigation.
Henry Stern, Farsight | ICANN50 | London
How to get data?
False positives