Embed Size (px)
DESCRIPTION
In the webinar hear what was new on: - Amplification DDoS Attacks – Defenses for Vulnerable Protocols - news from DNS-OARC meeting (DNS measurements, open resolver stats) -Strengthening the Internet Against Pervasive Monitoring -What Went Wrong With IPv6? -RIPE IPv6 Analyser -IPv6 troubleshooting procedures for helpdesks -Using DDoS to Trace the Source of a DDoS Attack -Measuring DNSSEC from the End User Perspective -Google DNS Hijacking in Turkey -The Rise and Fall of BIND 10 -Knot DNS Update – DNSSEC and beyond -Bundy-DNS – the new life of BIND 10
Citation preview
©!Men!&!Mice!!http://menandmice,com!
RIPE!68!Report
28.!May!2014
©!Men!&!Mice!!http://menandmice,com!
RIPE!Meeting
•A!RIPE!Meeting!is!a!five-day!event!where!Internet!Service!Providers!(ISPs),!network!operators!and!other!interested!parties!from!all!over!the!world!gather.
•Meeting!website:!https://ripe68.ripe.net/
©!Men!&!Mice!!http://menandmice,com!
Agenda
•RIPE!68!(and!DNS-OARC)!in!Warsaw!
•DNS!/!DNSSEC!/!DANE
•DHCP
•IPv6
All!mentioned!slides!and!videos!will!be!linked!on!the!webpage!to!this!webinar
©!Men!&!Mice!!http://menandmice,com!
DNS-OARC
Domain!Name!System!Operations!Analysis!and!Research!Center
©!Men!&!Mice!!http://menandmice,com!
IETF!work!on!DNS!privacy
• RFC!7258!-!'Pervasive!Monitoring!is!an!Attack'
• IETF!reviews!existing!protocols!for!privacy!issues
• current!DNS!has!privacy!issues!(passive!monitoring!at!resolvers!and!(root-)servers)
• Possible!solutions!discussed!in!an!IETF!mailing!list
• QNAME!minimization
• DNS!encryption:!DNScurve,!DNScrypt,!"confidential!DNS",!"DNS!over!TLS!over!TCP",!"DNS!over!DTLS"
Stéphane!Bortzmeyer
©!Men!&!Mice!!http://menandmice,com!
T-DNS!(DNS!over!TLS!over!TCP)
• why!DNS!over!TCP:privacy,!DDoS,!UDP!limits
• backward!compatibleSTARTTLS-like!approach
• memory!cost!of!encrypted!connections:!
• 20!GB!on!a!busy!cache,!
• 80!GB!at!a!root-server
• 19-33%!slower!than!UDP!(without!encryption)
• TCP!connection!speedup!possible!with!to!connection!reuse,!pipelining!out-of-order!processing
John!Heidemann
©!Men!&!Mice!!http://menandmice,com!
Zeroing!in!on!Zero!Days
• information!(statistics)!on!recent!DDoS!attacks!(January!-!April!2014)
• attacks!with!random!looking!names!on!(mostly)Chinese!domains
• attackers!use!open!CPE!resolvers!to!launch!attacks,!creating!peaks!of!traffic!for!ISP!resolvers
Bruce!van!Nice
©!Men!&!Mice!!http://menandmice,com!
Anycast!on!a!shoe!string
• how!to!run!a!low-cost!DNS!anycast!network!(less!than!<!US$!1000!yr)
• using!VPS!(virtual!private!server)
• or!small!boxes!like!RaspberryPi
• possible,!but!you!need!to!know!BGP
Nat!Morris
©!Men!&!Mice!!http://menandmice,com!
dnstap
• metadata!logging!framework!for!DNS!query/response!data
• better!data!than!"querylog"
• less!performance!impact!on!DNS!server!operation
• patch!sets!for!Unbound!and!KNOT
• http://dnstap.info/!
Robert!Edmons
©!Men!&!Mice!!http://menandmice,com!
Performance!impact!of!contained!and!virtualized!environments!in!Authoritative!DNS!Servers
• measurements!of!DNS!deployments!in!virtual!machines
• bridged!NICs!vs.!sr-iov/virtio
• HyperThread!(HT)!vs!real!cores
• container!VMs!(LXC)!create!less!overhead!than!!“full”!VMs!
• tested!recent!versions!of!Knot,!NSD,!BIND!9
• BIND!9!performs!better!on!Haswell,!Knot/NSD!better!on!!Ivy!BridgeCPU
Joao!Damas
©!Men!&!Mice!!http://menandmice,com!
Zonemaster
•new!DNS!data!check!engine,!based!on!“DNS-Check”!(.se)!and!“Zonecheck”!(.fr)
•!(will!be)!written!in!Perl,!BSD-style!License
•!Specification!and!requirement!documents!done
•!https://github.com/dotse/zonemaster!
Patrik!Wallstrom
©!Men!&!Mice!!http://menandmice,com!
Open!Source!Working!Group
RIPE!68!Warsaw
©!Men!&!Mice!!http://menandmice,com!
Knot!DNS!update• Knot!=!authoritative!DNS!server!from!cz.nic!(Open!
Source)
• DNSSEC!automatic!signing
• modules!that!hook!into!the!query/answer!chain!(GeoIP,!"views",!High!Availability!for!backend!servers!...)
• Synthesized!Resource!Records,!fall!back!if!records!are!not!found!in!the!zone!file
• DNSSEC!Key!&!Signing!Policy
• Online!Signing
• PKCS#11!support!(HSM)
• switch!from!OpenSSL!to!GnuTLS!(software!diversity)
Ondřej!Surý
©!Men!&!Mice!!http://menandmice,com!
The!Decline!and!Fall!of!BIND!10
• the!story!of!the!BIND!10!work!at!ISC
• post-mortem!analysis!of!“what!went!wrong”!on!a!failed!project
• lessons!for!open!source!and!closed!source!projects
• BIND!10!has!two!children:
• KEA!DHCP!(ISC)
• Bundy-DNS
Shane!Kerr
©!Men!&!Mice!!http://menandmice,com!
Kea!-!a!modern!DHCP!engine• current!ISC!DHCP!code!is!getting!
old
• Kea!is!the!new!ISC!DHCP!server,!originally!part!of!the!BIND!10!project
• now!stand-alone
• SQL-Database!backend
• BIND!10!framework!is!being!removed!(Python!dependencies)
Tomek!Mrugalski
©!Men!&!Mice!!http://menandmice,com!
DANE!+!SMTP
•watch!out!for!the!June!2014!Men!&!Mice!webinar!
©!Men!&!Mice!!http://menandmice,com!
getdnsapi
• getdnsapi!-!DNS!resolver!library!for!applications
• DNSSEC!and!related!technologies!(DANE,!SRV-Records!...
Willem!Toorop
• new!Applications!using!getdnsapi:
• Gajim!XMPP!client
• DNSSEC!“name-and-shame”!website
• DANE!doctor!website
• verify’EM!Thunderbird!plugin!(DKIM!check)
©!Men!&!Mice!!http://menandmice,com!
IPv6!Working!Group!(and!Plenary!sessions!on!IPv6)
RIPE!68!Warsaw
©!Men!&!Mice!!http://menandmice,com!
Painting!by!numbers
•graphical!IPv6!address!planning
•every!square!represents!bits!in!an!IPv6!address
• easy!to!see!aggregate-able!subnet!allocations
Helge!Holz
©!Men!&!Mice!!http://menandmice,com!
Painting!by!numbers!(demo)
pre-release code!
©!Men!&!Mice!!http://menandmice,com!
IPv6!Troubleshooting!for!Helpdesks
Jan!Zorz
• website!to!test!IPv6!connectivity
• document!to!support!remote!troubleshooting!of!connection!issues
• intended!for!the!ISP!support!helpdesk!(but!could!be!useful!for!others)
http://isp.test-ipv6.com
©!Men!&!Mice!!http://menandmice,com!
Security!in!an!IPv6!World:!Myth!&!Reality
Chris!Grundemann
• overview!of!IPv6!security!misconceptions
• mainly!by!people!not!running!IPv6
©!Men!&!Mice!!http://menandmice,com!
What!went!wrong!with!IPv6?
Dave!Wilson
• connecting!IPv6!deployment!speed!with!the!“Innovators!Dilemma”
• and!the!1980ies!harddrive!market
•mobile!apps!(APIs)!will!drive!IPv6!adoption
•no!user!visible!IPv6
©!Men!&!Mice!!http://menandmice,com!
what!else?
RIPE!68!Warsaw
©!Men!&!Mice!!http://menandmice,com!
bettercrypto.org
•collaborative!work!on!crypto!best!practices
• ciphers,!keystrength,!key-rollovers
•for!various!products
• Apache,!nginx,!postfix,!exim,!dovecot,!OpenSSH,!IPSec,!PGP,!Jabber/XMPP,!Oracle,!MySQL!...!
L.!Aaron!Kaplan
©!Men!&!Mice!!http://menandmice,com!
cryptech.is
• current!hardware!security!module!(HSM)!vendors!might!not!be!trustworthy
• free,!documented!and!verifiable!HSM!design!(not!the!hardware)
• FPGA!based
• work!on!free,!assured!toolchain
• diverse!design!team
• open!and!transparent!process
Randy!Bush
©!Men!&!Mice!!http://menandmice,com!
Q/A
?Slides,!Links,!Recording!and!Errata!will!be!posted!@
https://www.menandmice.com/resources/educational-resources/webinars/
