the current state of dns resolvers and rpki protection
play

The Current State of DNS Resolvers and RPKI Protection By Erik - PowerPoint PPT Presentation

Dec 10, 2023 •166 likes •457 views

The Current State of DNS Resolvers and RPKI Protection By Erik Dekker and Marius Brouwer 1 Motivation Why is this research important? 2 Motivation BGP is old First RFC was published in 1989 (RFC 1105) BGP was developed in times

  1. The Current State of DNS Resolvers and RPKI Protection By Erik Dekker and Marius Brouwer 1

  2. Motivation š Why is this research important? 2

  3. Motivation š BGP is old š First RFC was published in 1989 (RFC 1105) š BGP was developed in times when security problems were less prevalent š And is vulnerable for certain attacks š For example, BGP is prone to IP Prefix Hijacks 3

  4. BGP IP Prefix Hijack 8.0.0.0/24 AS1 AS2 AS3 AS4 B AS5 1.0.0.0/24 A 8.0.0.0/24 AS666 C 4

  5. Resource Public Key Infrastructure š RPKI comes to the rescue! š Documented in RFC 6480 š But also in RFC 6481,6482, 6483, 6484, 6485, 6486, 6487, 6488, 6489, 6490, 6491, 6492, and 6493 5

  6. How does RPKI work? š RIRs assign IP prefixes to network operators š For example RIPE assigns prefixes to SURFnet š RPKI allows network operators to sign their assigned IP prefixes š To prove that they have the right to originate this prefix š The RIRs host the Trust Anchors š This results in a Route Origin Authorization (ROA) record š Which contains the AS number, Prefix(es) and optionally prefix length š Routers can validate ROA records (Route Origin Validation) š ROV == RPKI filtering 6

  7. BGP IP Prefix Hijack with RPKI ROV ROA valid 8.0.0.0/24 AS3 AS4 AS1 AS2 B AS5 1.0.0.0/24 A 8.0.0.0/24 AS666 C 7 Invalid

  8. DNS š What does this have to do with DNS resolvers? 8

  9. BGP IP Prefix Hijack ROV ROA valid DNS Server 8.0.0.0/24 AS3 AS4 AS1 AS2 B 9.0.0.0/24 Resolver D AS5 1.0.0.0/24 DNS Server A 8.0.0.0/24 AS666 C 9.0.0.1 9 Invalid

  10. Example š Amazon Route 53 BGP Hijack š All traffic directed to MyEtherWallet was hijacked 10

  11. Research question š Main question: “What is the state of RPKI filtering on DNS resolvers?” š š Sub questions: š How does the length of the AS path between resolver and authoritative DNS server influence the level of RPKI protection? š How does anycast influence the protection of DNS resolvers? 11

  12. Scope š No DNSSEC š No IPv6 12

  13. Method – test setup š RIPE Atlas Probes š Can send DNS queries to their resolvers š Who query our authoritative DNS servers š Beacon š TCPdump of all the queries š Made a BGP dump 13

  14. Method – experiment 2. $id.invalid.valid4.rootcanary.net 1. A record Valid 2. A record 3. $id.invalid4.rootcanary.net 3. Synthesized CNAME 4. A record 1. $id.invalid.valid4.rootcanary.net 5. Answer 4. $id.invalid4.rootcanary.net 6. Answer 6. $id.invalid4.rootcanary.net 5. $id.invalid4.rootcanary.net Invalid 14

  15. Results 15

  16. Coverage RPKI Probe Results – Number of Probes 10000 2500 5000 7500 2020 − 01 − 23 2020 − 01 − 24 2020 − 01 − 25 2020 − 01 − 26 2020 − 01 − 27 2020 − 01 − 28 Date 2020 − 01 − 29 2020 − 01 − 30 2020 − 01 − 31 Status Probe Protection Fully Partially Unprotected Total Probes 2020 − 02 − 01 2020 − 02 − 02 16 2020 − 02 − 03

  17. Coverage RPKI Resolver Probe/ Results – Probe/Resolver Pairs 10000 15000 5000 2020 − 01 − 23 2020 − 01 − 24 2020 − 01 − 25 2020 − 01 − 26 2020 − 01 − 27 2020 − 01 − 28 Date 2020 − 01 − 29 2020 − 01 − 30 2020 − 01 − 31 RPKI Status 2020 − 02 − 01 Protected Unprotected Total 2020 − 02 − 02 17 2020 − 02 − 03

  18. Results – Top 10 AS 5000 RPKI Status Protected Unprotected 4000 Queries 3000 2000 1000 0 15169 13335 36692 12322 8881 7922 6830 3320 3215 42 18 AS

  19. Results – Top 19 AS highest filtering ASes 4000 RPKI Status Protected Unprotected 3000 Queries 2000 1000 0 13335 12322 13030 12392 15943 3265 7018 7132 8473 2119 2860 4739 3301 6939 1741 1241 1759 4802 553 19 AS

  20. Results – Influence of Cloudflare anycast Cloudflare Prefixes 120 160 40 80 2020 − 01 − 23 2020 − 01 − 24 2020 − 01 − 25 2020 − 01 − 26 2020 − 01 − 27 2020 − 01 − 28 Date 2020 − 01 − 29 2020 − 01 − 30 2020 − 01 − 31 RPKI Status 2020 − 02 − 01 Protected Unprotected Total 2020 − 02 − 02 2020 − 02 − 03 20

  21. Results – Influence of AS path length 1.00 0.75 Query Ratio RPKI Status 0.50 Unprotected Protected 0.25 0.00 21 2 3 4 5 6 7 8 9 10 11 AS Path Length

  22. Results – Influence of AS path length 200,000 Queries 100,000 0 22 2 3 4 5 6 7 8 9 10 11 AS Path Length

  23. Results – Influence of AS path length 1.00 0.75 200,000 Query Ratio Queries RPKI Status 0.50 Unprotected Protected 100,000 0.25 0 0.00 2 3 4 5 6 7 8 9 10 11 2 3 4 5 6 7 8 9 10 11 23 AS Path Length AS Path Length

  24. Conclusions Main Research Question: “ What is the state of RPKI filtering on DNS resolvers? ” • How does the length of the AS path between resolver and authoritative DNS server influence the level of RPKI protection? •How does anycast influence the protection of DNS resolvers? 24

  25. Discussion RPKI query coverage ≠ RPKI protected clients • Atlas probe AS could still be hijacked. • Small amount of ASes are fully protected • Expectation: Longer AS path more RPKI protection • Based on reverse path • Influence of anycast DNS relatively high and growing • Population of experiment is western oriented and geek biased • 25

  26. Future Work Take DNS forwarders into account in future research • Make use of another query generator other than RIPE Atlas for a different population • Place more beacons in different regions/AS • Focus on specific open DNS resolvers e.g. Cloudflare and Verisign Public DNS • Longitudinal study of ongoing data capture • Analyze which DNS resolvers are aided by filtering along the path. • 26

  27. Acknowledgements 27

  28. Questions? 28

Recommend

A study of RPKI deployment and discussion for improvement RPKI is Coming of Age Taejoong (Tijay)

A study of RPKI deployment and discussion for improvement RPKI is Coming of Age Taejoong (Tijay)

A study of RPKI deployment and discussion for improvement RPKI is Coming of Age Taejoong (Tijay) Chung (https://tijay.github.io) Assistant Professor Rochester Institute of Technology 1 Outlines RPKI deployment and invalid route origins

583 views • 43 slides
DNS Resolvers Considered Harmful Kyle Schomp, Mark Allman, and Michael Rabinovich 2 DNS

DNS Resolvers Considered Harmful Kyle Schomp, Mark Allman, and Michael Rabinovich 2 DNS

DNS Resolvers Considered Harmful Kyle Schomp, Mark Allman, and Michael Rabinovich 2 DNS resolvers abstract complexity and offer the possibility of improved performance and better scalability . Why are they harmful? 3 Resolvers Are Vulnerable

618 views • 34 slides
CURRENT STATE OF WINE PROTECTION DURING STORAGE AND TRANSPORT Thomas Atkin Sonoma State

CURRENT STATE OF WINE PROTECTION DURING STORAGE AND TRANSPORT Thomas Atkin Sonoma State

1 CURRENT STATE OF WINE PROTECTION DURING STORAGE AND TRANSPORT Thomas Atkin Sonoma State University Susan Cholette San Francisco State University 3 rd Annual International Workshop on Food Supply Chain San Francisco, CA November 5,2014 2

547 views • 21 slides
Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN Agenda Operational routing

Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN Agenda Operational routing

Protecting Routing w ith RPKI Mark Kosters, ARIN CTO @ TeamARIN Agenda Operational routing RPKI Statistics challenges IRR Status Do we have a Research solution? Opportunities Using ARINs RPKI components @

889 views • 51 slides
Some Available RPKI Tools Benno Overeinder Carlos Martinez Cagnazzo SIDR IETF87 @Berlin 1

Some Available RPKI Tools Benno Overeinder Carlos Martinez Cagnazzo SIDR IETF87 @Berlin 1

Some Available RPKI Tools Benno Overeinder Carlos Martinez Cagnazzo SIDR IETF87 @Berlin 1 Thursday, August 1, 13 RPKI Tools The authors believe the information already contained in the RPKI has value in itself, even for operators not

305 views • 11 slides
AARON MURRIHY aaron.murrihy@reannz.co.nz 1 Apricot 2020 RPKI Feb 20 ABOUT US 2 Apricot

AARON MURRIHY aaron.murrihy@reannz.co.nz 1 Apricot 2020 RPKI Feb 20 ABOUT US 2 Apricot

SECURING THE INTERNET VALIDATING ROUTING WITH RPKI AARON MURRIHY aaron.murrihy@reannz.co.nz 1 Apricot 2020 RPKI Feb 20 ABOUT US 2 Apricot 2020 RPKI Feb 20 ABOUT REANNZ New Zealands NREN Engineering team of 7

662 views • 54 slides
From the Consent of the Routed: Improving the Transparency of the RPKI. Ethan Heilman Danny

From the Consent of the Routed: Improving the Transparency of the RPKI. Ethan Heilman Danny

From the Consent of the Routed: Improving the Transparency of the RPKI. Ethan Heilman Danny Cooper Leonid Reyzin Sharon Goldberg Boston University Aug 2014 Overview Motivation: The RPKI* (2011 to present) secures interdomain routing,

660 views • 27 slides
Overcoming Legal Barriers to RPKI Adoption Christopher S. Yoo University of Pennsylvania

Overcoming Legal Barriers to RPKI Adoption Christopher S. Yoo University of Pennsylvania

Overcoming Legal Barriers to RPKI Adoption Christopher S. Yoo University of Pennsylvania December 10, 2019 Research supported by NSF EAGER Award #1748362 Global RPKI Deployment ASes Validating Routes 5%, 5 3%, 3 9%, 8 12%, 11 71%, 65

216 views • 8 slides
RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing

RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing

RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing Security 2 Routing Registry route objects RPKI (Resource Public Key Infrastructure) ROAs (Route Origin Authorisation) RPKI and Routing

422 views • 31 slides
RPKI A quick configuration intro Massimiliano Stucchi | 19th January 2016 | UKNOF33 RPKI

RPKI A quick configuration intro Massimiliano Stucchi | 19th January 2016 | UKNOF33 RPKI

RPKI A quick configuration intro Massimiliano Stucchi | 19th January 2016 | UKNOF33 RPKI Overview Massimiliano Stucchi - RIPE NCC | 19th January 2016 | UKNOF33 2 Simply put 3 parts - Create certificates - Install/run validator -

562 views • 17 slides
Limiting the Power of RPKI Authorities Kris Shrishak Haya Shulman TU Darmstadt and Fraunhofer

Limiting the Power of RPKI Authorities Kris Shrishak Haya Shulman TU Darmstadt and Fraunhofer

Applied Networking Research Workshop 2020 acm sigcomm Limiting the Power of RPKI Authorities Kris Shrishak Haya Shulman TU Darmstadt and Fraunhofer SIT Motivation - Resource Public Key Infrastructure (RPKI) secures the interdomain routing

586 views • 39 slides
Research and Innovation By Alain P. AINA 03/12/2015 Department objectives RPKI v2.0

Research and Innovation By Alain P. AINA 03/12/2015 Department objectives RPKI v2.0

Research and Innovation By Alain P. AINA 03/12/2015 Department objectives RPKI v2.0 Project: New RPKI system DNSSEC v2.0 Project: New DNSSEC signer IETF activities: Identity and join key WGs and RGs African Internet Resources

308 views • 13 slides
CS371m - Mobile Computing Content Providers And Content Resolvers Content Providers One of

CS371m - Mobile Computing Content Providers And Content Resolvers Content Providers One of

CS371m - Mobile Computing Content Providers And Content Resolvers Content Providers One of the four primary application components: activities content providers / content resolvers services broadcast receivers 2 Android

728 views • 50 slides
Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder System and Network Engineering

Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder System and Network Engineering

Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder System and Network Engineering July 2014 DNS Main Components Server Side: Authoritative Servers Resolvers (Recursive Resolvers, cache) Client Side: Stub resolvers

429 views • 30 slides
A Few Months In The Life Of An RPKI Introduction Validator Performance Graphs Object Counts

A Few Months In The Life Of An RPKI Introduction Validator Performance Graphs Object Counts

A Few Months In The Life Of An RPKI Validator http://rpki.net/ A Few Months In The Life Of An RPKI Introduction Validator Performance Graphs Object Counts Connection Counts Objects/Connection Seconds/Object Rob Austein

663 views • 32 slides
Implementing RPKI-based origin validation one country at a time. The Ecuadorian case study.

Implementing RPKI-based origin validation one country at a time. The Ecuadorian case study.

Implementing RPKI-based origin validation one country at a time. The Ecuadorian case study. IETF 89 LONDRES MARCH 2014 Fabin Meja Why and who? BGP origin validation based on RPKI is in early stages of deployment. It is necessary to

314 views • 13 slides
Probing for Open DNS Resolvers John Kristoff jtk@depaul.edu Midwest Security Workshop jtk

Probing for Open DNS Resolvers John Kristoff jtk@depaul.edu Midwest Security Workshop jtk

Probing for Open DNS Resolvers John Kristoff jtk@depaul.edu Midwest Security Workshop jtk (jtk@depaul.edu) DNS Probing September 30, 2006 1 / 9 Open Resolvers Recursive - open access to a full resolver Forwarder - proxy access to a

371 views • 9 slides
Collateral Protection for Collateral Protection for Financial Assets: Current Legal Trends Best

Collateral Protection for Collateral Protection for Financial Assets: Current Legal Trends Best

Presenting a live 90 minute webinar with interactive Q&A Collateral Protection for Collateral Protection for Financial Assets: Current Legal Trends Best Practices for Protecting Collateral in a Post Lehman and MF Global World TUES DAY,

545 views • 30 slides
Looking at DNS traces: What do we know about resolvers? lafur Gu mundsson Shinkuro

Looking at DNS traces: What do we know about resolvers? lafur Gu mundsson Shinkuro

Looking at DNS traces: What do we know about resolvers? lafur Gu mundsson Shinkuro Ogud@shinkuro.com Motivation: Open Questions What is the market share for resolver X What can we deduct from traces to a subset of authorative

623 views • 19 slides
Shrug Daemon Doing DNS the Hard Way Since 2015

Shrug Daemon Doing DNS the Hard Way Since 2015

Shrug Daemon Doing DNS the Hard Way Since 2015 https://en.wikipedia.org/wiki/Ayn_Rand#/media/File:Objectivist1.jpg Problem Statement RIPE Atlas probes have 2 DNS resolvers: Resolver local to probe RIPE Atlas central resolvers

713 views • 6 slides
DNS Rex Do you need an aggressive benchmark? Alex Rousskov The Measurement Factory DNS Rex At a

DNS Rex Do you need an aggressive benchmark? Alex Rousskov The Measurement Factory DNS Rex At a

DNS Rex Do you need an aggressive benchmark? Alex Rousskov The Measurement Factory DNS Rex At a Glance A performance test tool for DNS resolvers. Born 2009 A.D. (Cenozoic Era). Designed to intimidate powerful resolvers. Could

713 views • 22 slides
MaxLength Considered Harmful to the RPKI Yossi Gilad, Omar Sagga , Sharon Goldberg Boston

MaxLength Considered Harmful to the RPKI Yossi Gilad, Omar Sagga , Sharon Goldberg Boston

MaxLength Considered Harmful to the RPKI Yossi Gilad, Omar Sagga , Sharon Goldberg Boston University Outline Background How does BGP work? How does RPKI work? What is the maxLength? How maxLength causes problems

741 views • 34 slides
Finite State Machine (FSM) Consists of: CLK State register S S Next Current

Finite State Machine (FSM) Consists of: CLK State register S S Next Current

Finite State Machine (FSM) Consists of: CLK State register S S Next Current Stores current state State State Loads next state at clock edge Combinational logic Computes the next state Computes the outputs Next

477 views • 25 slides
Finite State Machine (FSM) Consists of: CLK State register S S Next Current

Finite State Machine (FSM) Consists of: CLK State register S S Next Current

Finite State Machine (FSM) Consists of: CLK State register S S Next Current Stores current state State State Loads next state at clock edge Combinational logic Computes the next state Computes the outputs Next

412 views • 26 slides

More recommend