PPT-DNS, DNSSEC and DDOS Geoff

Huston APNIC February 2014 The E volution of Evil It used to be that they sent evil packets to their chosen victim but this exposed the attacker and limited the damage they could cause. Lutz Donnerhacke. db089309. : 1c1c 6311 ef09 d819 e029 65be bfb6 . c9cb. dig +. dnssec. 1.6.5.3.7.5.1.4.6.3.9.4.e164.arpa. . naptr. A . protocol. from better . times. An . ancient. . protocol. People were. Defense by Offense. Michael . Walfish. , . Mythili. . Vutukuru. ,. Hari. . Balakrishnan. , David . Karger. ,. Scott . Shenker. . , SIGCOMM ‘06. Presented by . Lianmu. Chen. DDoS. : Defense by Offense. Eric Osterweil. Dan Massey. Lixia Zhang. 1. Motivation: Why Use DNSSEC?. DNS cache poisoning has been a known attack against DNS since the 1990s [1]. Now there is a new variant: the . Kaminsky. attack. The Stakes Have Changed. . Have You?. November 17, 2016. Today’s Speakers. Sean Pike. Program Vice President, Security Products, IDC. Tom Bienkowski. Director, Product Marketing, Arbor Networks. Kevin Whalen. Underestimating the Impact of DDoS. Jim Benanti – Sr. Consulting Engineer, Arbor Networks. Don’t Take My Word For It. Size Still Matters. 1H16 - ATLAS has recorded:. An average of 124,000 events per week over the last 18 months.. Underestimating the Impact of DDoS. Jim Benanti – Sr. Consulting Engineer, Arbor Networks. Roadmap. DDoS Risk Landscape. DYN & . Mirai. DDoS Defense. Cost of DDoS. Your Opportunity. Q&A. Don’t Take My Word For It. Geoff . Huston & George . Michaelson. . APNICLabs. September 2012. What are the questions?. What proportion of DNS resolvers are DNSSEC-capable?. What proportion of users are using DNSSEC-. validatingDNS. Michaelson. . APNICLabs. September 2012. What are the questions?. What proportion of DNS resolvers are DNSSEC-capable?. What proportion of users are using DNSSEC-. validatingDNS. resolvers?. Where are these users?. . 2013 . 12 June. . 2013. j. ohn.crain. @icann.org. DNS Basics. DNS converts names (www.uob.com.sg) to numbers (203.116.108.5). ..to identify services such as www and e-mail. ..that identify and link customers to business and visa versa. APNIC. https://. xkcd.com. /1361/. Why?. Because everything you do on the net starts with a call to the DNS. If we could see your stream of queries in real time we could assemble a detailed profile of you and interests and activities. APNIC. https://. xkcd.com. /1361/. Why?. Because everything you do on the net starts with a call to the DNS. If we could see your stream of queries in real time we could assemble a detailed profile of you and interests and activities. Jonathan BOURGAIN . Expert . DDOS et advanced Threat chez Arbor Networks. E. tat . de l’art des architectures de protection anti-DDoS. POUVEZ VOUS REPONDRE A CES QUESTIONS?. Est-. ce. que je . connais. Chief Scientist . APNIC Labs. Why pick on the DNS?. The DNS is very . easy . to. tap . and. tamper. DNS queries are open and unencrypted. DNS payloads are not secured and tampering cannot be detected. in today’s Internet. Geoff Huston. APNIC . June 2016. What is being measured?. Clients who will perform DNSSEC validation of a domain name. Using RSA/SHA-1 as the crypto algorithm. Who will not resolve a badly-signed domain name.