High Quality
Open the downloaded document, and select print from the file menu (PDF reader required).
copyright IOActive, Inc. 2006, all rightsreserved.
DNS2008 and the new (old) nature of critical infrastructureDan KaminskyDirector of Penetration TestingIOActive, Inc.
What a year!
•Significant flaw found in DNS –You might have heard about it•Pretty extensive simultaneous patching operation ensued –Microsoft –Linux / ISC –Sun –Cisco –All released patches on July 8
th
•Expected patch rate: 50% of servers after a year •Achieved patch rate: ~66% after a few months –Patch rate is higher in terms of actual users protected – not perfect, buthigher •Do we need more? –Yes.
History
•I have never been a DNSSEC supporter.•I’ve been researching DNS for many years, andI’ve been – at best – neutral about the technology. –I just didn’t think it mattered, and theengineering effort never seemed to be goingwell.•What changed? –Software engineering realities became tooobvious to ignore.
Sections
« prev | next »- What a year!
- History
- The Hypothesis
- Acute to Chronic
- Attacks In The Real World
- Attacks are happening
- The Flaw (1999 Edition)
- The Flaw (2008 Edition)
- A Question Of Trust
- These Imply A Series Of Attacks
- And Just To Remind…
- To Be Clear
- Behind Enemy Lines
- What You Get
- The Rub
- 1) Find victim site
- 5) Hijack to admin
- 6) Find Admin’s Name
- 7) Forget Admin’s Password
- 11) Post PHP
- 12) Uh oh
- What Just Happened?
- Passwords Scale
- Why DNS Works [0]
- Federation Is Hard
- Everyone Federates With DNS
- Everyone federates with DNS
- But There’s A Problem
- …and look:
- Put Another Way…
- So what’s it going to take?
- A Few Thoughts on DNSSEC
- Why We Need The Root Signed
- Where Things Are Going
- A Possible Solution?
- The Other Side Of The Coin
- Automate, Automate, Automate
- Appliances?
- DNSCurve?
- DNSCurve [1]
- DNSCurve [2]
- DNSCurve and Performance
- The Big Problem
- Nonetheless
- Conclusions
- One More Thing…
Add a Comment