The Closed Resolver Project: Measuring the Deployment of Source Address Validation of Inbound Traffic

Source Address Validation (SAV) is a standard aimed at discarding packets with spoofed source IP addresses. The absence of SAV for outgoing traffic has been known as a root cause of Distributed Denial-of-Service (DDoS) attacks and received widespread attention. While less obvious, the absence of inbound filtering enables an attacker to appear as an internal host of a network and may reveal valuable information about the network infrastructure. Inbound IP spoofing may amplify other attack vectors such as DNS cache poisoning or the recently discovered NXNSAttack. In this paper, we present the preliminary results of the Closed Resolver Project that aims at mitigating the problem of inbound IP spoofing. We perform the first Internet-wide active measurement study to enumerate networks that filter or do not filter incoming packets by their source address, for both the IPv4 and IPv6 address spaces. To achieve this, we identify closed and open DNS resolvers that accept spoofed requests coming from the outside of their network. The proposed method provides the most complete picture of inbound SAV deployment by network providers. Our measurements cover over 55 % IPv4 and 27 % IPv6 Autonomous Systems (AS) and reveal that the great majority of them are fully or partially vulnerable to inbound spoofing. By identifying dual-stacked DNS resolvers, we additionally show that inbound filtering is less often deployed for IPv6 than it is for IPv4. Overall, we discover 13.9 K IPv6 open resolvers that can be exploited for amplification DDoS attacks - 13 times more than previous work. Furthermore, we enumerate uncover 4.25 M IPv4 and 103 K IPv6 vulnerable closed resolvers that could only be detected thanks to our spoofing technique, and that pose a significant threat when combined with the NXNSAttack.Comment: arXiv admin note: substantial text overlap with arXiv:2002.0044

Buenas prácticas para el despliegue seguro del servicio de correo electrónico

Email is currently one of the services most affected by the security problems that proliferate on both the Internet and in local networks or intranet. Specialists in telematic services have the great challenge of providing an email service that guarantees its stability and availability, as well as minimizing the risks of identity theft, unwanted emails, and so-called spam emails. The objective of this research is to carry out an analysis of the main security problems that proliferate in this service and to describe a set of good practices for a secure configuration and deployment of the email service, which, in turn, contributes to reducing the security problems associated with this service and consequently achieving greater user satisfaction.Actualmente el correo electrónico es uno de los servicios más afectados por los problemas de seguridad que proliferan en la Red, tanto en internet como en redes locales o intranet. Los especialistas en servicios telemáticos de las organizaciones tienen el gran reto de proveer un servicio de correo electrónico que garantice su estabilidad, su disponibilidad y que minimice los riesgos de la suplantación de identidad, los correos no deseados y los llamados correos spam. El objetivo de la presente investigación es realizar un análisis de los principales problemas de seguridad que proliferan en este servicio y describir un conjunto de buenas prácticas para una configuración y un despliegue seguros del servicio de correo electrónico. De esta manera se contribuirá a disminuir los problemas de seguridad asociados a este servicio y por consiguiente una mayor satisfacción de los usuarios

Characterizing Vulnerability of DNS AXFR Transfers with Global-Scale Scanning

International audienc