SlideShare a Scribd company logo

Whalebone-UKNOF44security992_new_impl.pptx

Download as PPTX, PDF
Ans Sembiring
Ans Sembiring

security

Internet
1 of 12
The latest news in the DNS resolution
Based on our own practical experience • Whalebone provides DNS resolution for millions of people and devices • Standard compliance, low latency and stability is a must • Added anti-malware and anomaly detection layer • Based on Knot Resolver by CZ.NIC hacker.com safety.com
Random subdomain attacks • Also called slow drip attacks • Targeted domain is attacked through default resolvers for the botnet devices globally • Generating many queries to random (therefore non- existent) subdomains from the whole botnet will eventually take the domain down • Eating up the resolver cache and outgoing bandwidth xyz.ddostarget.com abc.ddostarget.com 123.ddostarget.com ...
DNSSEC aggressive cache • No need to contact the authoritative server for the proof of non-existence • No need to cache responses for such non-existent subdomains • Shielding the authoritative servers (the queries are handled on the resolver) • Detailed numbers and simulations: DNSSEC aggressive cache (RFC 8198), Petr Špaček (CZ.NIC), https://ripe76.ripe.net/presentations/71-RIPE76- presentation-RFC8198.pdf
Variant of random subdomain attack mx2.mx2.mx1.mx1.mx1.mx2.mx2.mx1.mx1.mx2.mx1.mx2.mx2.mx2.mta-sts.mx2.mx2.webmail.weaverpublishing.com. mx2.mx2.mx2.mx2.mx1.mx2.mx2.mx2.mx2.mx1.mx2.mx1.mx2.mx2.mx2.weaverpublishing.com. mx2.mx2.mx2.mx2.mx1.mx2.mx2.mx2.mx2.mx1.mx2.mx1.mx2.mx2.mx2.weaverpublishing.com. mx2.mx2.mx2.mx2.mx2.mx2.mx1.mx2.mx1.mx2.mx2.mta-sts.mx2.mx1.mx2.mx2.mx2.weaverpublishing.com. mx2.mx2.mx2.mx2.mx2.mx2.mx1.mta-sts.mx2.mx1.mx1.mx1.mx1.mx2.mx1.webdisk.weaverpublishing.com. mx2.mx2.mx2.mx2.mx2.mx2.mx1.mta-sts.mx2.mx1.mx1.mx1.mx1.mx2.mx1.webdisk.weaverpublishing.com. mx2.mx2.mx2.mx2.mx2.mx2.mx1.mx2.mx1.mx2.mx2.mta-sts.mx2.mx1.mx2.mx2.mx2.weaverpublishing.com. mx2.mx2.mx2.mx2.mx2.mx2.mx2.mx1.mx2.mx2.mx1.mta-sts.mx1.mx2.mx2.mx1.cpanel.weaverpublishing.com. mx2.mx2.mx2.mx2.mx2.mx2.mx2.mx1.mx2.mx2.mx1.mta-sts.mx1.mx2.mx2.mx1.cpanel.weaverpublishing.com. mx2.mx2.mx2.mx2.mx2.mx1.mx2.mx2.mx2.mx2.mx2.mx1.mx2.mta-sts.mx1.mx2.mx2.autodiscover.weaverpublishing.com. mx2.mx2.mx2.mx2.mx2.mx1.mx2.mx2.mx2.mx2.mx2.mx1.mx2.mta-sts.mx1.mx2.mx2.autodiscover.weaverpublishing.com. mx2.mx2.mx2.mx2.mx2.mx1.mx2.mx2.mx2.mx2.mx2.mta-sts.mx2.mx1.mx1.mx1.mx2.mail.weaverpublishing.com. mx2.mx2.mx2.mx2.mx1.mx2.mx2.mx1.mx2.mx2.mx2.mta-sts.mx1.mx2.mx2.mta-sts.mx2.mx2.weaverpublishing.com. mx2.mx2.mx2.mx2.mx1.mx2.mx2.mx2.mx2.mx1.mx2.mx2.mx2.mx2.mx1.mx2.mail.weaverpublishing.com. mx2.mx2.mx2.mx2.mx1.mx2.mx2.mx2.mx2.mx1.mx2.mx2.mx2.mx2.mx1.mx2.mail.weaverpublishing.com. Targeted domain: weaverpublishing.com weaverpublishing.com nameserver = ns1.weaverpublishing.com weaverpublishing.com nameserver = ns2.weaverpublishing.com
DNSSEC aggressive cache - issues • F5 BIG-IP Load balancer faulty implementation of proof of non-existence • Query for non-existent record type get NSEC3 response stating that only TXT records exist -> Resolver returns NXDOMAIN for ongoing A records • Workaround and fix provided by the vendor, still not applied at many organizations • Issue originally created by Whalebone and analyzed by CZ.NIC https://github.com/dns-violations/dns- violations/blob/master/2018/DVE-2018-0003.md
DNSSEC aggressive cache - issues • F5 BIG-IP balancers are used by banks, government and large service providers • Issue emerged randomly and disappeared quickly making in very hard to analyze • Error in DNSSEC implementation on F5 BIG-IP load balancers, Petr Špaček (CZ.NIC), https://en.blog.nic.cz/2019/07/10/error-in-dnssec- implementation-on-f5-big-ip-load-balancers/
DNSSEC validation failures monitoring 1. Domains with expired keys 2. Misconfigured domains (even TLDs!) 3. Attacks? ISP will always be the first one to blame 
.sk DNSSEC deployment • Overnight TLD DNSSEC deployment with some issues • 8 servers with correct configuration • 6 misconfigured with wrong proofs • Resolution randomly ended up in validation failure • Unreachable domains for end users resulting in ISP helpdesk calls • Reproduction of the issue unreliable due to majority of correctly configured servers • Fixed quickly once we called them directly • Thanks CZ.NIC and DNSViz for identification!
DNSSEC – is it worth the effort? • We estimate that DNSSEC validation failures are just 0,01% of all DNS queries in our networks • Sign, Validate and Monitor! • DNSViz does a great job at analysis: • Properly configured DNSSEC: http://dnsviz.net/d/nic.cz/dnssec/ • DNSSEC issues: http://dnsviz.net/d/szn-broken- dnssec.cz/dnssec/
Filter threats off your network Robert Šefr, CTO robert.sefr@whalebone.io @robcza https://whalebone.io

Recommended

The latest news in the DNS resolution: DNSSEC
The latest news in the DNS resolution: DNSSECThe latest news in the DNS resolution: DNSSEC
The latest news in the DNS resolution: DNSSECWhalebone, s.r.o.
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...Felipe Prado
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]APNIC
 
ION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSECION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSECDeploy360 Programme (Internet Society)
 
bdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timebdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timeAPNIC
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local NetworksMen and Mice
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4DNS Entrepreneurship Center
 
Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time Bangladesh Network Operators Group
 

Recommended

The latest news in the DNS resolution: DNSSEC
The latest news in the DNS resolution: DNSSECThe latest news in the DNS resolution: DNSSEC
The latest news in the DNS resolution: DNSSECWhalebone, s.r.o.
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...Felipe Prado
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]APNIC
 
ION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSECION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSECDeploy360 Programme (Internet Society)
 
bdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timebdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timeAPNIC
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local NetworksMen and Mice
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4DNS Entrepreneurship Center
 
Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time Bangladesh Network Operators Group
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]APNIC
 
Day 2 Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious UseDay 2 Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious Usevngundi
 
Running a Local Copy of the DNS Root Zone
Running a Local Copy of the DNS Root ZoneRunning a Local Copy of the DNS Root Zone
Running a Local Copy of the DNS Root ZoneAPNIC
 
Yeti DNS Project
Yeti DNS ProjectYeti DNS Project
Yeti DNS ProjectAPNIC
 
PLNOG 9: Adam Obszyński - DNS Caching
PLNOG 9: Adam Obszyński - DNS Caching PLNOG 9: Adam Obszyński - DNS Caching
PLNOG 9: Adam Obszyński - DNS Caching PROIDEA
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsSigning DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsAPNIC
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSAlex Mayrhofer
 
ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?Deploy360 Programme (Internet Society)
 
Dns firewalls null-may2020
Dns firewalls null-may2020Dns firewalls null-may2020
Dns firewalls null-may2020n|u - The Open Security Community
 
ION Krakow - DNSSEC Panel Introduction
ION Krakow - DNSSEC Panel IntroductionION Krakow - DNSSEC Panel Introduction
ION Krakow - DNSSEC Panel IntroductionDeploy360 Programme (Internet Society)
 
Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018The Linux Foundation
 
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPROIDEA
 
Decisions behind hypervisor selection in CloudStack 4.3
Decisions behind hypervisor selection in CloudStack 4.3Decisions behind hypervisor selection in CloudStack 4.3
Decisions behind hypervisor selection in CloudStack 4.3Tim Mackey
 
RIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarRIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarMen and Mice
 
RHEL5 XEN HandOnTraining_v0.4.pdf
RHEL5 XEN HandOnTraining_v0.4.pdfRHEL5 XEN HandOnTraining_v0.4.pdf
RHEL5 XEN HandOnTraining_v0.4.pdfPaul Yang
 
abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...
abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...
abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...Yankmo
 
A study of our DNS full-resolvers
A study of our DNS full-resolversA study of our DNS full-resolvers
A study of our DNS full-resolversBangladesh Network Operators Group
 
Day 2 Dns Cert 4a Cache Poisoning
Day 2 Dns Cert 4a Cache PoisoningDay 2 Dns Cert 4a Cache Poisoning
Day 2 Dns Cert 4a Cache Poisoningvngundi
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...Felipe Prado
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 WebinarMen and Mice
 
kelompok 3.pptx
kelompok 3.pptxkelompok 3.pptx
kelompok 3.pptxAns Sembiring
 
Dosen Pembimbing MBR.pdf
Dosen Pembimbing MBR.pdfDosen Pembimbing MBR.pdf
Dosen Pembimbing MBR.pdfAns Sembiring
 

More Related Content

Similar to Whalebone-UKNOF44security992_new_impl.pptx

Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]APNIC
 
Day 2 Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious UseDay 2 Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious Usevngundi
 
Running a Local Copy of the DNS Root Zone
Running a Local Copy of the DNS Root ZoneRunning a Local Copy of the DNS Root Zone
Running a Local Copy of the DNS Root ZoneAPNIC
 
Yeti DNS Project
Yeti DNS ProjectYeti DNS Project
Yeti DNS ProjectAPNIC
 
PLNOG 9: Adam Obszyński - DNS Caching
PLNOG 9: Adam Obszyński - DNS Caching PLNOG 9: Adam Obszyński - DNS Caching
PLNOG 9: Adam Obszyński - DNS Caching PROIDEA
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsSigning DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsAPNIC
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSAlex Mayrhofer
 
Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018The Linux Foundation
 
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPROIDEA
 
Decisions behind hypervisor selection in CloudStack 4.3
Decisions behind hypervisor selection in CloudStack 4.3Decisions behind hypervisor selection in CloudStack 4.3
Decisions behind hypervisor selection in CloudStack 4.3Tim Mackey
 
RIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarRIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarMen and Mice
 
RHEL5 XEN HandOnTraining_v0.4.pdf
RHEL5 XEN HandOnTraining_v0.4.pdfRHEL5 XEN HandOnTraining_v0.4.pdf
RHEL5 XEN HandOnTraining_v0.4.pdfPaul Yang
 
abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...
abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...
abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...Yankmo
 
Day 2 Dns Cert 4a Cache Poisoning
Day 2 Dns Cert 4a Cache PoisoningDay 2 Dns Cert 4a Cache Poisoning
Day 2 Dns Cert 4a Cache Poisoningvngundi
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...Felipe Prado
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 WebinarMen and Mice
 

Similar to Whalebone-UKNOF44security992_new_impl.pptx (20)

Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
 
Day 2 Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious UseDay 2 Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious Use
 
Running a Local Copy of the DNS Root Zone
Running a Local Copy of the DNS Root ZoneRunning a Local Copy of the DNS Root Zone
Running a Local Copy of the DNS Root Zone
 
Yeti DNS Project
Yeti DNS ProjectYeti DNS Project
Yeti DNS Project
 
PLNOG 9: Adam Obszyński - DNS Caching
PLNOG 9: Adam Obszyński - DNS Caching PLNOG 9: Adam Obszyński - DNS Caching
PLNOG 9: Adam Obszyński - DNS Caching
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsSigning DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutions
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPS
 
ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?
 
Dns firewalls null-may2020
Dns firewalls null-may2020Dns firewalls null-may2020
Dns firewalls null-may2020
 
ION Krakow - DNSSEC Panel Introduction
ION Krakow - DNSSEC Panel IntroductionION Krakow - DNSSEC Panel Introduction
ION Krakow - DNSSEC Panel Introduction
 
Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018
 
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
 
Decisions behind hypervisor selection in CloudStack 4.3
Decisions behind hypervisor selection in CloudStack 4.3Decisions behind hypervisor selection in CloudStack 4.3
Decisions behind hypervisor selection in CloudStack 4.3
 
RIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarRIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinar
 
RHEL5 XEN HandOnTraining_v0.4.pdf
RHEL5 XEN HandOnTraining_v0.4.pdfRHEL5 XEN HandOnTraining_v0.4.pdf
RHEL5 XEN HandOnTraining_v0.4.pdf
 
abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...
abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...
abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...
 
A study of our DNS full-resolvers
A study of our DNS full-resolversA study of our DNS full-resolvers
A study of our DNS full-resolvers
 
Day 2 Dns Cert 4a Cache Poisoning
Day 2 Dns Cert 4a Cache PoisoningDay 2 Dns Cert 4a Cache Poisoning
Day 2 Dns Cert 4a Cache Poisoning
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 Webinar
 

More from Ans Sembiring

Dosen Pembimbing MBR.pdf
Dosen Pembimbing MBR.pdfDosen Pembimbing MBR.pdf
Dosen Pembimbing MBR.pdfAns Sembiring
 
2019-F5-Line-Card.pptx
2019-F5-Line-Card.pptx2019-F5-Line-Card.pptx
2019-F5-Line-Card.pptxAns Sembiring
 

More from Ans Sembiring (6)

kelompok 3.pptx
kelompok 3.pptxkelompok 3.pptx
kelompok 3.pptx
 
Dosen Pembimbing MBR.pdf
Dosen Pembimbing MBR.pdfDosen Pembimbing MBR.pdf
Dosen Pembimbing MBR.pdf
 
dgintro (1).ppt
dgintro (1).pptdgintro (1).ppt
dgintro (1).ppt
 
sunum-1.ppt
sunum-1.pptsunum-1.ppt
sunum-1.ppt
 
Microservices.pptx
Microservices.pptxMicroservices.pptx
Microservices.pptx
 
2019-F5-Line-Card.pptx
2019-F5-Line-Card.pptx2019-F5-Line-Card.pptx
2019-F5-Line-Card.pptx
 

Recently uploaded

Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsThierry TROUIN ☁
 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaGram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaimessage0108
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607dollysharma2066
 
Denver Web Design brochure for public viewing
Denver Web Design brochure for public viewingDenver Web Design brochure for public viewing
Denver Web Design brochure for public viewingbigorange77
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Roomgirls4nights
 
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一3sw2qly1
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts servicesonalikaur4
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Roomdivyansh0kumar0
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMgdsc13
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girladitipandeya
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一Fs
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...aditipandeya
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 

Recently uploaded (20)

Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICECall Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with Flows
 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaGram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of india
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
Denver Web Design brochure for public viewing
Denver Web Design brochure for public viewingDenver Web Design brochure for public viewing
Denver Web Design brochure for public viewing
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
 
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
 
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
 

Whalebone-UKNOF44security992_new_impl.pptx

  • 1. The latest news in the DNS resolution
  • 2. Based on our own practical experience • Whalebone provides DNS resolution for millions of people and devices • Standard compliance, low latency and stability is a must • Added anti-malware and anomaly detection layer • Based on Knot Resolver by CZ.NIC hacker.com safety.com
  • 3. Random subdomain attacks • Also called slow drip attacks • Targeted domain is attacked through default resolvers for the botnet devices globally • Generating many queries to random (therefore non- existent) subdomains from the whole botnet will eventually take the domain down • Eating up the resolver cache and outgoing bandwidth xyz.ddostarget.com abc.ddostarget.com 123.ddostarget.com ...
  • 4. DNSSEC aggressive cache • No need to contact the authoritative server for the proof of non-existence • No need to cache responses for such non-existent subdomains • Shielding the authoritative servers (the queries are handled on the resolver) • Detailed numbers and simulations: DNSSEC aggressive cache (RFC 8198), Petr Špaček (CZ.NIC), https://ripe76.ripe.net/presentations/71-RIPE76- presentation-RFC8198.pdf
  • 5. Variant of random subdomain attack mx2.mx2.mx1.mx1.mx1.mx2.mx2.mx1.mx1.mx2.mx1.mx2.mx2.mx2.mta-sts.mx2.mx2.webmail.weaverpublishing.com. mx2.mx2.mx2.mx2.mx1.mx2.mx2.mx2.mx2.mx1.mx2.mx1.mx2.mx2.mx2.weaverpublishing.com. mx2.mx2.mx2.mx2.mx1.mx2.mx2.mx2.mx2.mx1.mx2.mx1.mx2.mx2.mx2.weaverpublishing.com. mx2.mx2.mx2.mx2.mx2.mx2.mx1.mx2.mx1.mx2.mx2.mta-sts.mx2.mx1.mx2.mx2.mx2.weaverpublishing.com. mx2.mx2.mx2.mx2.mx2.mx2.mx1.mta-sts.mx2.mx1.mx1.mx1.mx1.mx2.mx1.webdisk.weaverpublishing.com. mx2.mx2.mx2.mx2.mx2.mx2.mx1.mta-sts.mx2.mx1.mx1.mx1.mx1.mx2.mx1.webdisk.weaverpublishing.com. mx2.mx2.mx2.mx2.mx2.mx2.mx1.mx2.mx1.mx2.mx2.mta-sts.mx2.mx1.mx2.mx2.mx2.weaverpublishing.com. mx2.mx2.mx2.mx2.mx2.mx2.mx2.mx1.mx2.mx2.mx1.mta-sts.mx1.mx2.mx2.mx1.cpanel.weaverpublishing.com. mx2.mx2.mx2.mx2.mx2.mx2.mx2.mx1.mx2.mx2.mx1.mta-sts.mx1.mx2.mx2.mx1.cpanel.weaverpublishing.com. mx2.mx2.mx2.mx2.mx2.mx1.mx2.mx2.mx2.mx2.mx2.mx1.mx2.mta-sts.mx1.mx2.mx2.autodiscover.weaverpublishing.com. mx2.mx2.mx2.mx2.mx2.mx1.mx2.mx2.mx2.mx2.mx2.mx1.mx2.mta-sts.mx1.mx2.mx2.autodiscover.weaverpublishing.com. mx2.mx2.mx2.mx2.mx2.mx1.mx2.mx2.mx2.mx2.mx2.mta-sts.mx2.mx1.mx1.mx1.mx2.mail.weaverpublishing.com. mx2.mx2.mx2.mx2.mx1.mx2.mx2.mx1.mx2.mx2.mx2.mta-sts.mx1.mx2.mx2.mta-sts.mx2.mx2.weaverpublishing.com. mx2.mx2.mx2.mx2.mx1.mx2.mx2.mx2.mx2.mx1.mx2.mx2.mx2.mx2.mx1.mx2.mail.weaverpublishing.com. mx2.mx2.mx2.mx2.mx1.mx2.mx2.mx2.mx2.mx1.mx2.mx2.mx2.mx2.mx1.mx2.mail.weaverpublishing.com. Targeted domain: weaverpublishing.com weaverpublishing.com nameserver = ns1.weaverpublishing.com weaverpublishing.com nameserver = ns2.weaverpublishing.com
  • 6.
  • 7. DNSSEC aggressive cache - issues • F5 BIG-IP Load balancer faulty implementation of proof of non-existence • Query for non-existent record type get NSEC3 response stating that only TXT records exist -> Resolver returns NXDOMAIN for ongoing A records • Workaround and fix provided by the vendor, still not applied at many organizations • Issue originally created by Whalebone and analyzed by CZ.NIC https://github.com/dns-violations/dns- violations/blob/master/2018/DVE-2018-0003.md
  • 8. DNSSEC aggressive cache - issues • F5 BIG-IP balancers are used by banks, government and large service providers • Issue emerged randomly and disappeared quickly making in very hard to analyze • Error in DNSSEC implementation on F5 BIG-IP load balancers, Petr Špaček (CZ.NIC), https://en.blog.nic.cz/2019/07/10/error-in-dnssec- implementation-on-f5-big-ip-load-balancers/
  • 9. DNSSEC validation failures monitoring 1. Domains with expired keys 2. Misconfigured domains (even TLDs!) 3. Attacks? ISP will always be the first one to blame 
  • 10. .sk DNSSEC deployment • Overnight TLD DNSSEC deployment with some issues • 8 servers with correct configuration • 6 misconfigured with wrong proofs • Resolution randomly ended up in validation failure • Unreachable domains for end users resulting in ISP helpdesk calls • Reproduction of the issue unreliable due to majority of correctly configured servers • Fixed quickly once we called them directly • Thanks CZ.NIC and DNSViz for identification!
  • 11. DNSSEC – is it worth the effort? • We estimate that DNSSEC validation failures are just 0,01% of all DNS queries in our networks • Sign, Validate and Monitor! • DNSViz does a great job at analysis: • Properly configured DNSSEC: http://dnsviz.net/d/nic.cz/dnssec/ • DNSSEC issues: http://dnsviz.net/d/szn-broken- dnssec.cz/dnssec/
  • 12. Filter threats off your network Robert Šefr, CTO robert.sefr@whalebone.io @robcza https://whalebone.io