[DNSOP] Research of real-life abuse of dangling DNS records

Haya Shulman <haya.shulman@gmail.com> Thu, 04 April 2024 08:11 UTC

References: <CAKaJYMCB=U8kKdo2Rq6zyjm3Pp4KUAeORDmUo_jFmJMoke++ew@mail.gmail.com> <CAKaJYMCFL4iTwNpp1Ghq+w7GfQ_TY6ynVY9VaGGmKwYbV0_4Pw@mail.gmail.com>
In-Reply-To: <CAKaJYMCFL4iTwNpp1Ghq+w7GfQ_TY6ynVY9VaGGmKwYbV0_4Pw@mail.gmail.com>
From: Haya Shulman <haya.shulman@gmail.com>
Date: Thu, 04 Apr 2024 10:11:00 +0200
Message-ID: <CAKaJYMC05A_J1EHNGsAhkmFpVVontVYuSLSe+fppNVK38GLMZw@mail.gmail.com>
To: dnsop@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/En1SoYQdjfCRGIu-i31WWq8VTF4>
Subject: [DNSOP] Research of real-life abuse of dangling DNS records

Dear DNS experts,

In research that we concluded in June 2023 we performed longitudinal
measurements (2020 - 2023) and analysis of abuse of dangling DNS records.
We characterize the abuse and the attackers' infrastructure, with
recommendations for countermeasures.

The research will be presented at Usenix NSDI on 18 April 2024:
https://www.usenix.org/conference/nsdi24/presentation/friess

A summary of the research can be found here:
https://blog.apnic.net/2024/04/04/abuse-of-dangling-dns-records-on-cloud-platforms/

The technical report is here:
https://arxiv.org/abs/2403.19368

We appreciate your feedback on our research.

Best, Haya Schulmann



--
Prof. Dr. Haya Schulmann
Goethe-Universität Frankfurt
ATHENE