Notes on Academic Research in Network Security
Duan Haixin (段海新)

Outline
• Overview of several research projects
• How to choose a topic
• How to approach the writing
• Vulnerability disclosure and ethics
• Summary

Key research results of recent years
1. 2012: Discovered the Ghost Domain vulnerability in the DNS protocol, NDSS'12
2. 2014: Pointed out the security problems of HTTPS in CDNs and proposed an improved scheme, Oakland'14
3. 2015: The real-world impact of cookie injection into HTTPS, USENIX Security'15
4. 2016: Forwarding-loop attacks can severely exhaust CDN resources, NDSS 2016 Distinguished Paper Award

1. A DNS protocol design flaw: the ghost domain that cannot be deleted (Ghost Domain, NDSS 2012)
• The attacker registers and controls a malicious website and gets resolvers around the world to cache its address records
• Even after the parent zone deletes the subdomain, the attacker can keep the records for that domain from ever expiring in those caches
• The domain therefore stays alive and outside anyone's control even after it has been deleted

Ghost Domain: impact on industry and academia
• The paper was published at NDSS 2012, a top-tier academic security conference
• It was recorded in the US National Vulnerability Database, and ten DNS software vendors released patches for their software
• The security working group of the US Federal Communications Commission (FCC) wrote Ghost Domain into its 2012 best-practices report

FCC working group report (excerpt)

The Communications Security, Reliability and Interoperability Council III, Working Group [#4], [SEPTEMBER, 2012]. WORKING GROUP 4 Network Security Best Practices FINAL Report – DNS Best Practices.

1) BCP 38/RFC 2827 Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing [35]
2) BCP 84/RFC 3704 Ingress Filtering for Multihomed Networks [36]
3) BCP 140/RFC 5358 Preventing Use of Recursive Nameservers in Reflector Attacks [37]
4) SAC 004 – Securing the Edge [38]
5) SAC 008 – DNS Distributed Denial of Service (DDoS) Attacks [39]

The primary recommendations from all of these documents boil down to these two points:
1) Do not allow open recursive DNS servers if possible.
2) Employ ingress filtering on your network to defeat IP spoofing.

5.4.1.1 Recommendations
1) ISPs should implement BCPs and recommendations for securing an ISP's recursive DNS infrastructure against Reflective DNS Amplification DDoS attacks that are enumerated in the following documents:
a. BCP 38/RFC 2827 Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing
b. BCP 84/RFC 3704 Ingress Filtering for Multihomed Networks
c. BCP 140/RFC 5358 Preventing Use of Recursive Nameservers in Reflector Attacks
d. SAC 004 – Securing the Edge
e. SAC 008 – DNS Distributed Denial of Service (DDoS) Attacks

5.4.2 Ghost Domains
In February 2012, a new, quite effective technique for maintaining a suspended domain that has been removed from its TLD zone was discovered. Such an attack has been given the moniker of a "ghost domain". [40] An attacker can easily set up a legitimate domain (e.g. hacker.com) and control the domain's authoritative name server. The attacker will then submit DNS queries for www.hacker.com through several recursive name servers (which their botnets can query successfully from any ISP or network they reside), forcing the DNS servers to resolve www.hacker.com and cache the results, including nameserver information for that domain, and the IP address (controlled by the attacker) for the nameservers. Once hacker.com is identified as a malicious domain, remediation action will occur that will lead to the top-level domain registry (for .com in this example) removing hacker.com from their zone file. However, the recursive name servers will not query the top-level domain authoritative server (and subsequently remove hacker.com from their own records) until their cached TTLs for hacker.com and its authoritative nameservers expire. Consequently, by querying each targeted recursive name server regularly for new hostnames under hacker.com, those recursive nameservers will query the cached authority nameservers for the domain, which remains cached. The attacker will refresh the

Footnotes:
[35] http://tools.ietf.org/html/bcp38
[36] http://tools.ietf.org/html/bcp84
[37] http://tools.ietf.org/html/bcp140
[38] http://www.icann.org/en/groups/ssac/documents/sac-004-en.pdf
[39] http://www.icann.org/en/groups/ssac/dns-ddos-advisory-31mar06-en.pdf
[40] http://www.isc.org/files/imce/ghostdomain_camera.pdf

Ghost Domain in Japan
• Prof. Duan Haixin's Ghost Domain paper was translated into Japanese and had a significant impact on the Japanese Internet community
• In February 2015, when Prof. Duan visited Japan, the translator gave me a signed copy
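To make the cache mechanics behind the ghost domain concrete, here is an added toy simulation of a recursive resolver; it is example code written for this page, not code from the slides, the NDSS paper or any DNS implementation. The registry, the attacker's servers, the addresses, the TTLs and the simulated clock are all constructed. The single flag `overwrite_ns_from_child` collapses the real behaviour (cached delegation data being refreshed from NS records in a child-zone response) into a yes/no switch; vendor patches restricted when such refreshes are allowed, which the flag models only crudely.

```python
# Added example: toy model of the ghost-domain cache behaviour. Every name,
# address, TTL and clock value below is constructed for the illustration.
from dataclasses import dataclass

DOMAIN = "hacker.com."
NS_NAME = "ns.hacker.com."
NS_IP = "203.0.113.5"        # attacker-controlled name server (constructed)
WEB_IP = "198.51.100.7"      # attacker-controlled web server (constructed)
NS_TTL = 86400               # attacker hands out a one-day TTL on its NS records


@dataclass
class NsEntry:
    ip: str
    expires: float           # simulated clock value at which the entry expires


class Registry:
    """The .com registry. Suspending a domain removes its delegation."""
    def __init__(self):
        self.delegations = {DOMAIN: NS_IP}

    def suspend(self, zone):
        self.delegations.pop(zone, None)

    def referral(self, zone):
        return self.delegations.get(zone)


class AttackerAuth:
    """Authoritative server for hacker.com. It answers any hostname under the
    zone and attaches its own NS record with a fresh, long TTL every time."""
    def answer(self, qname):
        return {"a": WEB_IP, "ns": (NS_NAME, NS_IP, NS_TTL)}


class Resolver:
    def __init__(self, registry, auth, overwrite_ns_from_child):
        self.registry, self.auth = registry, auth
        # Vulnerable behaviour: NS records carried in a child-zone response
        # replace the cached delegation, which resets its TTL.
        self.overwrite_ns_from_child = overwrite_ns_from_child
        self.ns_cache = {}   # zone -> NsEntry

    def resolve(self, qname, now):
        if not qname.endswith("." + DOMAIN):
            return None
        entry = self.ns_cache.get(DOMAIN)
        if entry is None or entry.expires <= now:
            # Delegation missing or expired: ask the parent (the registry).
            ip = self.registry.referral(DOMAIN)
            if ip is None:
                self.ns_cache.pop(DOMAIN, None)
                return None                       # NXDOMAIN: the domain is gone
            entry = self.ns_cache[DOMAIN] = NsEntry(ip, now + NS_TTL)
        resp = self.auth.answer(qname)
        if self.overwrite_ns_from_child:
            _, ns_ip, ttl = resp["ns"]
            self.ns_cache[DOMAIN] = NsEntry(ns_ip, now + ttl)  # TTL reset: the ghost
        return resp["a"]


def ghost_domain_survives(overwrite_ns_from_child, days_after_removal=5):
    """True if hostnames under hacker.com still resolve `days_after_removal`
    days after the registry suspended the domain, with the attacker asking the
    resolver for a new hostname every 12 hours in the meantime."""
    registry, auth = Registry(), AttackerAuth()
    r = Resolver(registry, auth, overwrite_ns_from_child)
    assert r.resolve("www." + DOMAIN, now=0) == WEB_IP   # domain is live and cached
    registry.suspend(DOMAIN)                              # takedown at t = 1 h
    t = 3600
    while t < days_after_removal * 86400:
        r.resolve(f"h{t}." + DOMAIN, now=t)               # attacker keeps polling
        t += 12 * 3600
    return r.resolve("final." + DOMAIN, now=days_after_removal * 86400) is not None


if __name__ == "__main__":
    print("vulnerable resolver, day 5:", ghost_domain_survives(True))
    print("patched resolver,    day 5:", ghost_domain_survives(False))
```

Run it and the vulnerable resolver still answers five days after the takedown, while the patched one stops answering as soon as the original one-day delegation TTL runs out. Note that the patched resolver also keeps serving the domain until that first TTL expires; the fix removes the attacker's ability to extend the window, not the window itself.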
2. Vulnerabilities of HTTPS in CDNs (HTTPS in CDN, Oakland 2014)
[Figure: User – CDN – Website. Front-end (user to CDN): authorization and authentication problem. Back-end (CDN to website): insecure communication, vulnerable to man-in-the-middle attacks.]
• First to raise the authentication and authorization problem of HTTPS in CDNs
• Found that CDN vendors and popular websites alike have security weaknesses:
– The CDN-to-origin link is easy to attack, similar to the technique the NSA used to eavesdrop on Google
– Authorization problems in front-end authentication lead to private-key leakage, authorizations that cannot be revoked, and so on
– Proposed a DANE-based solution

Impact of the HTTPS-in-CDN paper on industry
• Major CDN vendors (Akamai, CloudFlare, Amazon and others) responded actively; for example, CloudFlare launched Strict SSL and Keyless SSL based on our paper
• Influenced by the paper, the IETF CDN Interconnection (CDNI) working group began discussing the authorization of encrypted traffic in CDN and CDNI environments

3. Injecting cookies into HTTPS can lead to serious attacks (Cookie Integrity, USENIX Security 2015)
[Figure: Browser – Bank.com. Bank.com sends "Set-Cookie: UID=Alice; Secure" over HTTPS; the browser's HTTPS-only cookies end up holding UID=Alice and UID=Mallory.]
• A man-in-the-middle can inject cookies into HTTPS by hijacking unencrypted HTTP and make them persist in the browser for a long time, enabling eavesdropping on private data, account takeover, payment hijacking and other attacks
• Affected websites and browsers with the problem

Impact of Cookie Integrity on industry
• Google started a project, based on our paper, to modify Chro
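The cookie-injection slide relies on one property of the RFC 6265 cookie store: a cookie set over plaintext HTTP with the same name, domain and path silently replaces a Secure cookie, and a cookie with a longer path shadows it. The following is an added example written for this page (not code from the slides, the paper or any browser) that implements a minimal cookie jar both ways: plain RFC 6265, and with the "leave secure cookies alone" rule that draft-ietf-httpbis-cookie-alone later introduced and that was folded into the RFC 6265bis work. The host names, cookie names and values are constructed, and the default cookie path is simplified to "/" instead of the RFC 6265 default-path algorithm.

```python
# Added example: minimal cookie store contrasting RFC 6265 storage with the
# "leave secure cookies alone" rule. Hosts and cookie values are constructed.
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    domain: str      # effective domain, without a leading dot
    path: str
    secure: bool
    host_only: bool


def parse_set_cookie(header, request_host):
    """Parse a Set-Cookie value. Expires, Max-Age, HttpOnly and SameSite are
    ignored; the default path is "/" for simplicity (assumption)."""
    pair, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = pair.partition("=")
    domain, path, secure, host_only = request_host.lower(), "/", False, True
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            secure = True
        elif key == "domain" and val:
            domain, host_only = val.lstrip(".").lower(), False
        elif key == "path" and val.startswith("/"):
            path = val
    return Cookie(name.strip(), value.strip(), domain, path, secure, host_only)


def domain_matches(host, cookie):
    if cookie.host_only:
        return host == cookie.domain
    return host == cookie.domain or host.endswith("." + cookie.domain)


def path_matches(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


class CookieJar:
    def __init__(self, leave_secure_alone):
        self.leave_secure_alone = leave_secure_alone   # False = plain RFC 6265
        self.cookies = []

    def set_cookie(self, scheme, host, header):
        new = parse_set_cookie(header, host)
        if self.leave_secure_alone and scheme != "https":
            if new.secure:
                return False          # non-secure origin may not set Secure cookies
            for old in self.cookies:
                related = (old.domain == new.domain
                           or old.domain.endswith("." + new.domain)
                           or new.domain.endswith("." + old.domain))
                if (old.secure and old.name == new.name and related
                        and path_matches(new.path, old.path)):
                    return False      # would overwrite or shadow a Secure cookie
        # RFC 6265 storage model: same (name, domain, path) replaces the old
        # cookie regardless of the Secure flag. This is the hole being exploited.
        self.cookies = [c for c in self.cookies
                        if (c.name, c.domain, c.path) != (new.name, new.domain, new.path)]
        self.cookies.append(new)
        return True

    def cookie_header(self, scheme, host, path):
        sent = [c for c in self.cookies
                if domain_matches(host, c) and path_matches(path, c.path)
                and (scheme == "https" or not c.secure)]
        sent.sort(key=lambda c: -len(c.path))   # longer paths first (stable sort)
        return "; ".join(f"{c.name}={c.value}" for c in sent)


def uid_sent_to_bank(leave_secure_alone, injected="UID=Mallory"):
    """The bank sets a Secure session cookie over HTTPS; a man-in-the-middle on
    a plaintext http://bank.com/ response injects a cookie with the same name.
    Returns the Cookie header the browser later sends to https://bank.com/account."""
    jar = CookieJar(leave_secure_alone)
    jar.set_cookie("https", "bank.com", "UID=Alice; Secure; Path=/")
    jar.set_cookie("http", "bank.com", injected)
    return jar.cookie_header("https", "bank.com", "/account")


if __name__ == "__main__":
    for strict in (False, True):
        print("leave_secure_alone =", strict)
        print("  overwrite:", uid_sent_to_bank(strict))
        print("  shadow:   ", uid_sent_to_bank(strict, "UID=Mallory; Path=/account"))
```

With the plain RFC 6265 jar the injected non-secure cookie either replaces Alice's Secure cookie outright or, with a longer path, is sent ahead of it, so a server that takes the first UID value acts on the attacker's session. With the stricter rule both injections are rejected and only "UID=Alice" reaches the bank over HTTPS.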

PDF document: 2016 - "Notes on Academic Research in Network Security" (2016-《网络安全学术研究点滴心得》)

This document was uploaded and shared by 张玉竹 on 2022-04-08 09:03:16.