Evaluation of Anonymized ONS Queries
Electronic Product Code (EPC) is the basis of a pervasive infrastructure for
the automatic identification of objects on supply chain applications (e.g.,
pharmaceutical or military applications). This infrastructure relies on the use
of the (1) Radio Frequency Identification (RFID) technology to tag objects in
motion and (2) distributed services providing information about objects via the
Internet. A lookup service, called the Object Name Service (ONS) and based on
the use of the Domain Name System (DNS), can be publicly accessed by EPC
applications looking for information associated with tagged objects. Privacy
issues may affect corporate infrastructures based on EPC technologies if their
lookup service is not properly protected. A possible solution to mitigate these
issues is the use of online anonymity. We present an evaluation experiment that
compares the use of Tor (The second generation Onion Router) on a global
ONS/DNS setup, with respect to benefits, limitations, and latency. Comment: 14 page
NXNSAttack: Recursive DNS Inefficiencies and Vulnerabilities
This paper exposes a new vulnerability and introduces a corresponding attack,
the NoneXistent Name Server Attack (NXNSAttack), that disrupts and may paralyze
the DNS system, making it difficult or impossible for Internet users to access
websites, web e-mail, online video chats, or any other online resource. The
NXNSAttack generates a storm of packets between DNS resolvers and DNS
authoritative name servers. The storm is produced by the response of resolvers
to unrestricted referral response messages of authoritative name servers. The
attack is significantly more destructive than NXDomain attacks (e.g., the Mirai
attack): i) It reaches an amplification factor of more than 1620x on the number
of packets exchanged by the recursive resolver. ii) In addition to the negative
cache, the attack also saturates the 'NS' section of the resolver caches. To
mitigate the attack impact, we propose an enhancement to the recursive resolver
algorithm, MaxFetch(k), that prevents unnecessary proactive fetches. We
implemented the MaxFetch(1) mitigation enhancement on a BIND resolver and
tested it on real-world DNS query datasets. Our results show that MaxFetch(1)
degrades neither the recursive resolver throughput nor its latency. Following
the discovery of the attack, a responsible disclosure procedure was carried
out, and several DNS vendors and public providers have issued a CVE and patched
their systems.
DDoS-Capable IoT Malwares: comparative analysis and Mirai Investigation
The Internet of Things (IoT) revolution has not only carried the astonishing promise to interconnect a whole generation of traditionally “dumb” devices, but also brought to the Internet the menace of billions of badly protected and easily hackable objects. Not surprisingly, this sudden flooding of fresh and insecure devices fueled older threats, such as Distributed Denial of Service (DDoS) attacks. In this paper, we first propose an updated and comprehensive taxonomy of DDoS attacks, together with a number of examples on how this classification maps to real-world attacks. Then, we outline the current situation of DDoS-enabled malwares in IoT networks, highlighting how recent data support our concerns about the growing popularity of these malwares. Finally, we give a detailed analysis of the general framework and the operating principles of Mirai, the most disruptive DDoS-capable IoT malware seen so far.
Government mandated blocking of foreign Web content
Blocking of foreign Web content by Internet access providers has been a hot
topic for the last 18 months in Germany. Since fall 2001 the state of
North-Rhine-Westphalia very actively tries to mandate such blocking. This paper
will take a technical view on the problems imposed by the blocking orders and
blocking content at access or network provider level in general. It will also
give some empirical data on the effects of the blocking orders to help in the
legal assessment of the orders. Comment: Preprint, revised 30.6.200
Internet Governance: the State of Play
The Global Forum on Internet Governance held by the UNICT Task Force in New York on 25-26 March concluded that Internet governance issues were many and complex. The Secretary-General's Working Group on Internet Governance will have to map out and navigate this complex terrain as it makes recommendations to the World Summit on an Information Society in 2005. To assist in this process, the Forum recommended, in the words of the Deputy Secretary-General of the United Nations at the closing session, that a matrix be developed "of all issues of Internet governance addressed by multilateral institutions, including gaps and concerns, to assist the Secretary-General in moving forward the agenda on these issues." This paper takes up the Deputy Secretary-General's challenge. It is an analysis of the state of play in Internet governance in different forums, with a view to showing: (1) what issues are being addressed, (2) by whom, (3) what are the types of consideration that these issues receive and (4) what issues are not adequately addressed.
Securing The Root: A Proposal For Distributing Signing Authority
Management of the Domain Name System (DNS) root zone file is a uniquely global policy problem. For the Internet to connect everyone, the root must be coordinated and compatible. While authority over the legacy root zone file has been contentious and divisive at times, everyone agrees that the Internet should be made more secure. A newly standardized protocol, DNS Security Extensions (DNSSEC), would make the Internet's infrastructure more secure. In order to fully implement DNSSEC, the procedures for managing the DNS root must be revised. Therein lies an opportunity. In revising the root zone management procedures, we can develop a new solution that diminishes the impact of the legacy monopoly held by the U.S. government and avoids another contentious debate over unilateral U.S. control. In this paper we describe the outlines of a new system for the management of a DNSSEC-enabled root. Our proposal distributes authority over securing the root, unlike another recently suggested method, while avoiding the risks and pitfalls of an intergovernmental power sharing scheme.
DNS zones revisited
Recent research [Pap04b] suggests DNS reliability and performance are not up to the levels they should be due to misconfigurations. This paper checks the configuration of nameserver zones against additional requirements, recommendations and best practices. It shows that almost one in four domains fails to pass one or more of these checks. During the checks an interesting correlation is established: a higher number of nameservers for a single zone usually decreases reliability and performance instead of increasing both.