Actions against DNS security issues which .JP faced
8th September 2015APNIC 40 LT Session
Yoshiro YONEYA <[email protected]>
Copyright © 2015 Japan Registry Services Co., Ltd. 1
Basic actions
• In general, JPRS (.JP Registry) publishes the following documents (in Japanese) to the public when we face security issues
  – Security advisory
  – Technical report
• Examples of security issues
  – DNS software vulnerability
  – DNS operational vulnerability
  – Domain name hijacking by unauthorized manipulation of registered data
Example 1: DNS software vulnerability
• Major targets
  – BIND, NSD, Unbound, PowerDNS
• Actions are (almost) routine
  – Prepare a security advisory in Japanese when we receive an ASN or security advisory from the vendor
  – Publish the advisory synchronized with the vendor's disclosure as much as possible
    • JPRS Web, operator groups' MLs, IT media
  – Publish a technical report afterwards describing details and countermeasures
Security advisory (on JPRS Web)
Technical report (JPRS Topics and Columns)
Example 2: DNS operational vulnerability
• Major targets
  – Attacks on DNS servers
    • Open resolvers (DNS reflection attacks)
    • Non source-port-randomized (SPR) resolvers (cache poisoning attacks)
• Actions are (basically) routine, but extended case by case
  – Usually, prepare and publish a security advisory and technical report in Japanese as well
  – In addition, explanations at public / private fora
    • JANOG meetings, DNS fora, JPRS private seminars
    • Articles in IT/academic journals
Limitations we found and toward improvement
• Public outreach coverage
  – Especially non-IT media, H/W vendors, enterprises, end users
• Accumulation and sharing of best practices
  – Especially how ISPs and registrars approach and persuade customers

… so we started individual negotiation and collaboration with relevant organizations
Example of individual negotiation and collaboration (1/2)
• Cache poisoning attacks regarding node re-delegation (2014)
  – Poison injection into "empty non-terminals"
  – The .JP structure has many "empty non-terminals"
  – Details can be found at <http://www.iepg.org/2014-07-20-ietf90/201407-poisoning.pdf>
  – A non-negligible number (~10%) of resolvers may be affected (#8)
[Chart on slide 8: "Transition of source port randomization status (Apr-2006 to Aug-2015)". Vertical axis: ratio of IP addresses, 0% to 100%; horizontal axis: Apr-2006 to Jul-2015 in quarterly steps. Series: Random, Limited, Static.]
  – Limited: ports are changed but in a predictable range
  – Static: ports are fixed in a few static numbers
Observed by JPRS. Source port numbers by each IP address that sends more than 10 queries per day, from the query log of some JP DNS servers.
Chart annotations: "Feb-2014 to Apr-2014: contact to S/W vendors, CERT, ISPs"; "15-Apr-2014: publication of security advisory"; "~10%".
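As an added example (not JPRS's own tooling), the following Python groups source ports per client IP over one day of constructed BIND-style query log lines and classifies each resolver into the chart's Random / Limited / Static classes, using the slide's "more than 10 queries per day" criterion; the distinct-port and port-span thresholds, the log format and the IP addresses are assumptions.

```python
import random
import re
from collections import defaultdict

MIN_QUERIES = 10  # slide criterion: classify IPs sending more than 10 queries per day
# Thresholds below are assumptions for illustration, not JPRS's criteria.
STATIC_MAX_DISTINCT = 3  # "static": a few fixed port numbers
LIMITED_MAX_SPAN = 1024  # "limited": ports vary only inside a narrow, predictable range
CLIENT_RE = re.compile(r"client (?:@\S+ )?([\d.]+)#(\d+)")  # BIND-style "client IP#port"

def classify_ports(ports):
    """Classify one resolver's observed UDP source ports as random, limited or static."""
    distinct = set(ports)
    if len(distinct) <= STATIC_MAX_DISTINCT:
        return "static"
    if max(distinct) - min(distinct) <= LIMITED_MAX_SPAN:
        return "limited"
    return "random"

def classify_log(lines):
    """Group source ports per client IP over one day's log; classify each IP above MIN_QUERIES."""
    ports_by_ip = defaultdict(list)
    for line in lines:
        m = CLIENT_RE.search(line)
        if m:
            ports_by_ip[m.group(1)].append(int(m.group(2)))
    return {ip: classify_ports(p) for ip, p in ports_by_ip.items() if len(p) > MIN_QUERIES}

def status_ratio(status_by_ip):
    """Share of IP addresses per class, the quantity plotted on the slide's chart."""
    total = len(status_by_ip) or 1
    return {c: sum(s == c for s in status_by_ip.values()) / total
            for c in ("random", "limited", "static")}

def make_sample_log():
    """Constructed BIND-style query log for one day (not JPRS data)."""
    rng = random.Random(1)
    fmt = "client {ip}#{port} (example.jp): query: example.jp IN A"
    lines = [fmt.format(ip="192.0.2.1", port=rng.randrange(1024, 65536)) for _ in range(30)]
    lines += [fmt.format(ip="192.0.2.2", port=2000 + i) for i in range(30)]  # sequential ports
    lines += [fmt.format(ip="192.0.2.3", port=53) for _ in range(30)]  # one fixed port
    lines += [fmt.format(ip="192.0.2.4", port=40000 + i) for i in range(5)]  # too few queries
    return lines

if __name__ == "__main__":
    print(status_ratio(classify_log(make_sample_log())))
```

Run over a real resolver-facing query log, the per-IP result is what a registry would hand to registrars and ISPs for direct alerts, while the ratio is what the chart tracks over time.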
Example of individual negotiation and collaboration (2/2)
• Actions we took / are still taking
  – Contact DNS software vendors to ask about effective countermeasures
  – Contact domestic CERT organizations for information sharing and deciding each other's actions
  – Contact major domestic ISPs for information sharing and soliciting direct alerts to their customers
  – Provide vulnerable resolvers' information to our registrars periodically (per month) and solicit direct alerts as well
  – Interview several registrars about their successful practices
    • Observed a stalemate situation in some registrars (#10)
[Chart on slide 10: "Situation of decrease of fixed source port IP addresses (*) (as of 17-Aug-2015)". Axis ticks from 0.4 to 1.1; a marker at 15-Apr-2014 (publication of security advisory); two curves each annotated "Stalled?".]
(*) The X axis is a plot of the ratio between "Base IP addresses seen in the week of 6-Apr-2014" and "Base IP addresses seen in another week", where "Base IP addresses" are IP addresses located in Japan whose query volume is within the top 50% among fixed-source-port IP addresses observed in the week of 6-Apr-2014.
For better public outreach
• Establishing a confidential communication path for DNS security issues with domestic CERT organizations
  – For generalization of the node re-delegation case
  – For wider outreach to media, vendors and end users
• Unification of terminology and mutual reference of explanations to help readers at multiple levels understand
  – This formation is now being utilized for sharing information such as random subdomain attacks and domain name hijacking cases
• Accumulating best practices
  – For encouraging passive ISPs/registrars
  – For improving the effect of direct alerts
Ongoing Work
• Our actions are still underway and need further improvement
  – To overcome the difficulties of the last reach
  – To find a rational balancing point between cost and effect