
Colloquium Details

Ghost Domain Names: Revoked Yet Still Resolvable

Author: Haixin Duan, Tsinghua University, China
Date: November 22, 2011
Time: 15:30
Location: 220 Deschutes
Host: Jun Li

Abstract

Dr. Duan will give a brief overview of his department's research on IPv6 at Tsinghua University and of the network security research done by his team, CCERT. He will then introduce their recent finding of a DNS vulnerability, Ghost Domain Name, which was completed together with Professor Jun Li of the University of Oregon.

A Ghost Domain Name is a domain name that has been revoked by its registrar but is still resolvable. Attackers often use domain names for various malicious purposes such as phishing, botnets, and malware propagation. An obvious strategy for preventing these activities is deleting the malicious domain from the top-level DNS servers. However, we found that this is insufficient. We demonstrate a vulnerability affecting the large majority of popular DNS implementations which allows a malicious domain name to stay resolvable long after it has been removed from the top-level servers. Our experiments with 19,045 open DNS resolvers show that even one week after a domain name has been revoked and its TTL expired, more than 70% of the resolvers will still resolve it. Finally, we discuss several strategies to prevent this attack.


Haixin Duan is a professor in the Network Research Center of Tsinghua University in China, and is now a visiting research scholar at the International Computer Science Institute in UC Berkeley. He received his Ph.D. in computer science from Tsinghua University, and has focused his research and teaching on network security. He set up CCERT, the first computer emergency response team in mainland China, and initiated the COST (Campus Operating and Security Technologies) forum for security professionals in campus networks.