Edward Lewis, Director, Member of Technical Staff at Neustar, presented at the “DNS Technology and Security Day”, held on Wednesday, July 27th 2011, in the “Park Saloon” of the Bogota Royal Hotel in Bogota, COLOMBIA. The context of these slides morphed into “cooperation” of internet elements, featuring government and industry relationships. During security events, when you can't determine friend or foe by looking through a wire, you need to already know who your true friends are.
What We are Learning About DNS Security
DNSSEC and Much More
7/27/2011
1
Edward Lewis
Director, Member of Technical Staff
© Neustar Inc. / Proprietary and Confidential
Joseph is unhappy about my talk
8/1/2011
© Neustar Inc. / Proprietary and Confidential 2
» This is the first day since my son was born that I have not been home
» He's 6 1/2 months old
» When I told him I'd be away July 27, he had this frown
» Still, it is an honor to be invited to speak here today
» This talk is dedicated to little Joe
Agenda
» The significance of DNSSEC
» What you should be doing about DDoS
» What you need to do
In the Wake of DNSSEC
» The protocol and code have been strengthened
» We've improved the state of operations
» Cooperation has become very important
Briefly, What is DNSSEC?
» DNSSEC is an add-on to the DNS protocol
» It adds information to DNS answers that provides proof that the data is genuine
» DNSSEC is like automobile safety belts for DNS
» The greatest benefit is preventing ISP caches from accepting forged answers, misdirecting customers
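The slide says DNSSEC "adds information to DNS answers" and that the benefit lands at the validating cache. The added example below (written for this page, not code from the talk or from Neustar) shows what that added information looks like on the wire: it parses a DNS response, checks the AD ("Authentic Data") bit a validating resolver sets, and checks that every answer RRset is accompanied by an RRSIG record. It inspects presence only; the cryptographic verification of the RRSIG against the zone's DNSKEY is the resolver's job and is not done here. The response bytes, the name `example.com.`, the TEST-NET-1 address and the filler signature are all constructed for the example.

```python
import struct

TYPE_RRSIG = 46
TYPE_OPT = 41
FLAG_AD = 0x0020  # "Authentic Data" bit in the DNS header flags (RFC 4035)


def encode_name(name):
    """Encode a dotted name into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Parse the header flags and every resource record in a DNS response."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # skip the question section
        _, off = read_name(msg, off)
        off += 4                             # QTYPE + QCLASS
    records = []
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return {"ad": bool(flags & FLAG_AD), "records": records}


def dnssec_status(msg):
    """Report whether the resolver marked the answer authentic (AD bit) and
    which answer types arrived without an accompanying RRSIG."""
    parsed = parse_response(msg)
    data_types, signed_types = set(), set()
    for _name, rtype, rdata in parsed["records"]:
        if rtype == TYPE_OPT:
            continue                          # EDNS pseudo-record, never signed
        if rtype == TYPE_RRSIG:
            signed_types.add(struct.unpack("!H", rdata[:2])[0])  # "type covered"
        else:
            data_types.add(rtype)
    return {"ad": parsed["ad"], "unsigned_types": data_types - signed_types}


def looks_validated(msg):
    """True only if the AD bit is set and every answer RRset carries an RRSIG."""
    status = dnssec_status(msg)
    return status["ad"] and not status["unsigned_types"]


def build_response(signed, ad):
    """Constructed sample response for 'example.com. A' (not captured traffic)."""
    flags = 0x8180 | (FLAG_AD if ad else 0)   # QR, RD, RA, optionally AD
    owner = encode_name("example.com.")
    a_rdata = bytes([192, 0, 2, 1])           # constructed address from TEST-NET-1
    answers = [owner + struct.pack("!HHIH", 1, 1, 3600, len(a_rdata)) + a_rdata]
    if signed:
        # RRSIG rdata: type covered, algorithm, labels, original TTL,
        # expiration, inception, key tag, signer name, signature bytes.
        # The signature is filler: this example checks presence, not validity.
        rrsig = struct.pack("!HBBIIIH", 1, 13, 2, 3600, 0x60000000, 0x5FF00000, 12345)
        rrsig += encode_name("example.com.") + b"\x00" * 64
        answers.append(owner + struct.pack("!HHIH", TYPE_RRSIG, 1, 3600, len(rrsig)) + rrsig)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    question = owner + struct.pack("!HH", 1, 1)
    return header + question + b"".join(answers)


if __name__ == "__main__":
    print(dnssec_status(build_response(signed=True, ad=True)))
    print(dnssec_status(build_response(signed=False, ad=False)))
```

The useful caveat for a stub: the AD bit is only meaningful over a path you trust (a local validating resolver or a TSIG/TLS-protected one), because a forged response can set the bit just as easily as a forged address. The same check, fed a real response captured from your resolver with the DO bit set in the query, tells you whether that resolver is actually validating.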
Protocol Strengthening
» The DNS protocol, as specified, is a very weak base to secure
» One of the benefits of DNSSEC is that it made us take a critical look at the protocol
DNSSEC
Why securing DNS is so hard
» DNS goals are
  » global scale, fast response, high availability
» It's a crowd, not one person
...and...
» The original specifications are informal, incomplete
  » Leading to a wide range of interpretations
  » And thus a wide range of different implementations
  » Rely on the memories of the "old guys"
Updates to DNS
» Security throughout the DNS
  » Data Loading (EPP & WhoIs-related too)
  » Data Replication (zone transfers)
  » Queries and Responses (e.g., DNSSEC, TSIG, wild card)
» New code, new code everywhere
» And new ways to operate
What DNSSEC got right
» DNSSEC is a technical success
» DNSSEC was designed with adoption by transition in mind
  » This is what IPv6 lacks
» But adoption by slow transition is not easy; it requires patience, a good plan and a lot of execution
  » Slow adoption is a beneficial thing, a feature, really!
» And the path to DNSSEC's completion can teach us much about security improvements
Strengthening Cooperation
» When teaching the ISO seven layer protocol model I came across this in an old textbook
  » There are times when it is necessary to handle an error in the layer above the one you are designing
» Translating this into DNS and security events
  » During times of attack, out-of-band coordination must have already been established
Coordinate?
» Who?: Anyone that teams in a defense
  » Government and Private Industry
  » Competitors
  » Across borders and oceans
» When?
  » Strategic and tactical
  » Frequently, openly
  » During exercises, events
» Where?
  » Conferences, workshops
  » In-person meetings at offices
  » And don't forget - happy hours!
Government - Industry cooperation
» The Government-Industry relationship is important
» Government learns from experts in industry
» Government always maintains legal authority
» Government provides leadership in mandates and funding
» Industry provides innovation and takes the risk
DDoS
» You can be a target of a DDoS
  » Solutions include capacity, reserves, and traffic scrubbing
» You can be used to launch a DDoS
  » Open recursive servers can reflect and amplify an attack
» (You could also be the attacker... ;))
Anti-DDoS
» Expertise is needed to defend against these attacks
  » Target owners, ISPs and other security entities have this
» This is why cooperation, set up ahead of time, is critical
» If you need to "click here" ... it is too late for you!
Failure to set up cooperation
» There are two possible outcomes
» "Fail closed" and not respond adequately
  » Example: one person having the password and being on vacation when the attack happens
» "Fail open" and be open to being fooled (socially engineered) by an attacker
  » Example: attackers causing a diversion and then acting as "first responders"/emergency workers to monitor damage and adjust attacks
Securing the DNS system
» The DNS is spread amongst many elements
  » Registries, registrars, web hosters, DNS operators
  » ISPs, open/remote recursive servers
  » Policy elements, law enforcement
» Each element can self-secure, but end-to-end security is also needed
» This is one final push to form cooperative groups!
Better DNS & cooperation is not enough
» Attacks will happen
» Defenses will not stop all damage
  » If a defense stops all attacks, it is probably too tight!
» This makes logging or tracing activity an important element
What do we learn from logging events
» The information left behind by an attack is valuable
» We learn the techniques
» We learn the level of sophistication
» We learn the weaknesses of the attack
» We learn how the attackers are learning
» We learn who the attackers are
» We might even be able to convict and punish them
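Two slides above make a pair of points: an open recursive server "can reflect and amplify an attack", and the record an attack leaves in logs is valuable. The added example below (written for this page, not code from the talk or from Neustar) joins them on the defender's side of a resolver: it summarises a query log per source address, computes the response-to-request amplification ratio, and flags sources outside the prefixes the resolver is meant to serve that repeatedly pull large answers. In a reflection attack the logged source address is the spoofed address of the victim, so each hit tells you who is being flooded through your server and that recursion is open wider than intended; the mitigation is to restrict recursion to the served prefixes. The log format, the sample lines and `SERVED_PREFIXES` are all constructed assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample resolver query log (not real traffic). Fields:
# timestamp client_ip qname qtype request_bytes response_bytes
SAMPLE_LOG = """\
2011-07-27T10:00:01 192.0.2.10 www.example.org A 45 61
2011-07-27T10:00:02 192.0.2.11 mail.example.org MX 46 120
2011-07-27T10:00:02 198.51.100.7 example.net ANY 40 3250
2011-07-27T10:00:02 198.51.100.7 example.net ANY 40 3250
2011-07-27T10:00:03 198.51.100.7 example.net ANY 40 3250
2011-07-27T10:00:03 198.51.100.7 example.net ANY 40 3250
2011-07-27T10:00:04 203.0.113.9 www.example.org A 45 61
"""

# Assumed: the address ranges this resolver is supposed to answer recursively for.
SERVED_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]


def parse_line(line):
    """Split one log line into typed fields."""
    ts, client, qname, qtype, req, resp = line.split()
    return {"ts": ts, "client": ipaddress.ip_address(client), "qname": qname,
            "qtype": qtype, "req": int(req), "resp": int(resp)}


def is_served(ip, prefixes):
    """True if the address falls inside one of the prefixes we serve."""
    return any(ip in p for p in prefixes)


def summarise(lines, prefixes):
    """Per source address: query count, amplification ratio (bytes sent back
    divided by bytes received), query types seen, and whether the source lies
    outside the prefixes this resolver should be recursing for."""
    stats = defaultdict(lambda: {"queries": 0, "req": 0, "resp": 0, "qtypes": set()})
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_line(line)
        s = stats[str(rec["client"])]
        s["queries"] += 1
        s["req"] += rec["req"]
        s["resp"] += rec["resp"]
        s["qtypes"].add(rec["qtype"])
    out = {}
    for client, s in stats.items():
        out[client] = {
            "queries": s["queries"],
            "amplification": round(s["resp"] / s["req"], 1),
            "qtypes": sorted(s["qtypes"]),
            "outside_served": not is_served(ipaddress.ip_address(client), prefixes),
        }
    return out


def reflection_suspects(lines, prefixes, min_queries=3, min_amplification=10.0):
    """Sources outside the served prefixes that repeatedly receive answers many
    times larger than their queries. The logged source is the spoofed victim
    address, so a hit identifies who is being flooded via this resolver."""
    return sorted(
        client for client, s in summarise(lines, prefixes).items()
        if s["outside_served"] and s["queries"] >= min_queries
        and s["amplification"] >= min_amplification
    )


if __name__ == "__main__":
    for client, s in summarise(SAMPLE_LOG.splitlines(), SERVED_PREFIXES).items():
        print(client, s)
    print("reflection suspects:",
          reflection_suspects(SAMPLE_LOG.splitlines(), SERVED_PREFIXES))
```

The thresholds are deliberately conservative: a single large answer to an outside address is a misconfiguration to fix, while repeated large answers to the same outside address are the pattern worth paging someone about, and the summary of query types and sizes is the kind of record the "What do we learn from logging events" slide refers to.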
A stronger system
» DNS is becoming a stronger system
» We know it takes more than a good protocol, because "good" depends on the way you measure
» We know it takes world-wide cooperation and in-depth cooperation to run a network that opens communication without letting it be overrun with abuse
» We want citizens to have access to government services to help their lives, not gangs like ANONYMOUS to disrupt lives
What You Need to Do to Prepare
» Learn about DNSSEC
  » It's like getting used to seatbelts
  » It's not scary but it takes work
» And begin to get to know others in the Industry & Government
  » Help defend the network
Thank you!