Maciej Korczynski - Internet-wide Measurements for Cybersecurity: The Case of DNS Zone Poisoning

Organisé par : 
Grenoble Alpes Cybersecurity Institute
Intervenant : 
Maciej Korczynski - LIG
Équipes : 


Information and Registration here

Current communication networks are increasingly becoming pervasive, complex, and ever-evolving due to factors like enormous growth in the number of network users, continuous appearance of network applications, increasing amount of data transferred, and diversity of user behavior. Therefore, there is a great need for comprehensive Internet-wide measurements for cybersecurity. Critical facts about the Internet security, such as “Which domain registries are abused by the cybercriminals the most?” or "Which Internet Service Providers do not deploy source IP address filtering, facilitating massive DDoS attacks?" remain poorly quantified. 
In this talk, we will discuss a number of examples of measurement studies of the domain name space. In particular, we will explore an attack against configuration files of poorly maintained name servers allowing, for example, domain hijacking. We refer to this type of attack as to "zone poisoning". The attack is as simple as sending a single RFC compliant DNS dynamic update packet to a misconfigured server. In the simplest version of an attack, a miscreant could replace an existing A or MX DNS resource record in a zone file of a server and point the domain name to an IP address under control of an attacker. We will present the global measurement study of the vulnerability. To assess the potential impact of non-secure dynamic updates, we scanned 290 million domains worldwide and found that among the vulnerable domains are governments, banks and health care providers, demonstrating that the threat impacts important services. 
We have also issued notifications for website owners, DNS service providers, and network operators, suffering from non-secure DNS dynamic updates to assess which mechanisms are more effective at remediating the vulnerability. After the introduction of the General Data Protection Regulation (GDPR) some registration information is, however, no longer displayed in the public WHOIS data. Therefore, we also assessed the effectiveness of alternative communication channels and issued notifications to national CERTs. 
Via our study of the zone poisoning attack and subsequent notifications to affected parties and respective intermediaries, we aimed to improve the security of the global DNS ecosystem and test alternative methods to contact affected parties after the introduction of the GDPR regulation.