OARC Fall 2013 Workshop (Phoenix)

5 Oct 2013, 09:00 → 6 Oct 2013, 19:55 America/Phoenix

Komatke E/F (Wild Horse Pass Resort)

Keith Mitchell (DNS-OARC)

DNS-OARC is pleased to announce that its 2013 Fall Workshop and Member AGM will take place in Phoenix, Arizona, USA on the 5th and 6th October, and is sponsored by:

Gold Sponsor

 

Silver Sponsor

 

This will be held in co-operation with the subsequent NANOG59 meeting, and we are grateful to and ICANN for their support of our workshop.

OARC Workshop meetings are open to OARC members, presenters, and to all other parties interested in DNS operations and research, subject to available space. NANOG and ARIN attendees are particularly welcome this time around.

We are seeking sponsors for this meeting and potential social events - if your organization is interested in sponsorship, please see our Sponsor Benefits or e-mail sponsor@dns-oarc.net for more information.

Meeting registration is free, with priority given to OARC Members, Speakers and Sponsors in the event of limited space.

notes oarc-2013-keysigning.asc oarc-2013-keysigning.txt

Video

• 01-08_ditl_crunching_icann_gtld_collision_study.new.mp4
• 01-10_regional_affinity_applied_gtld_strings.new.mp4
• 01-11_possible_methodology_evaluating_new_tld_delegations_risk.new.mp4
• 01-12_dnsviz_monitoring_analysis_visualization.new.mp4
• 01-13_dns_workbench_update.new.mp4
• 01-14_introducing_hedgehog.new.mp4
• 02-02_analysis_ditl_root_data_comparison_jp_data.new.mp4
• 02-03_open_resolver_view_ny_times_very_bad_day.new.mp4
• 02-04_blocking_dns_messages_dangerous.new.mp4
• 02-05_herzberg-shulman_ip_ragmentation_attack.new.mp4
• 02-06_question_dns_protocols.new.mp4
• 02-07_needles_in_quadrillion-straw_haystack.new.mp4
• 02-08_dns-useful_tool_or_just_hammer.new.mp4
• 02-09_internet_systems_consortiums_ceo.new.mp4

Saturday, 5 October

09:00 → 12:30 OARC AGM and Member-only Session

https://www.dns-oarc.net/files/workshop-201310/agm-agenda.html

Convener: Mr Keith Mitchell (DNS-OARC)

Agenda https://www.dns-oarc.net/files/workshop-201310/agm-agenda.html

10:00 OARC President's Report

Progress update on the OARC Development Plan.

Speaker: Mr Keith Mitchell (DNS-OARC)

Slides OARC-AGM-report_13.odp OARC-AGM-report_13.pdf

10:45 Treasurer's Report

11:10 Morning Coffee Break

11:30 Chairman's Report

Speaker: Ondrej Filip (NIC.CZ)

11:45 Member Resolutions

12:10 Board Elections

09:30 → 10:00 Registration

12:30 → 14:00 Lunch

13:30 → 14:00 PGP Signing Session

Speaker: Peter Losher (ISC)

14:00 → 15:30 High Risk Strings Collisions

14:00 DITL crunching for ICANN's gTLD collision study

The DITL data sets for 2012 and 2013 were analysed this summer to get quantitative data on how often queries for new gTLDs appeared at the root servers. Processing this data in the time available presented a number of challenges. Here's an overview of what was done, how it was done and the initial findings. Some of these identify potential subjects for further study and these are explained too.

Speaker: Jim Reid (RTFM LLP)

Slides Reid-Crunching.key Reid-Crunching.pdf

14:20 Abusing Resources to Process 7.5TB of PCAP Data

The publication of the Interisle report on "Name Collisions in the DNS" created significant challenges for anybody wishing to respond to the study itself or to analysis possible mitigation strategies. A donation of additional hardware was made to facilitate the analysis of the data used in the Interisle report by DNS-OARC members. Extracting and analyzing the data from DITL data sets is an involved exercise and is a major bottleneck in any study. The newly donated hardware made it possible to pre-process the 2012 and 2013 datasets. This, in turn, allowed for multiple studies and repeated analysis by the contributing teams in a much more efficient manner.

Speaker: Roy Hooper (Demand Media)

Slides DNS-OARC-Abusing-Resources.pdf DNS-OARC-Abusing-Resources.pptx

14:45 Regional Affinity for Applied for gTLD Strings

Using new generic Top Level Domains (gTLDs) to add semantics to the DNS root is a semantic enhancement to the Internet's oldest namespace. However, it is because DNS is such a trusted resource that prudence is warranted in any major change. To this end, we have conducted a preliminary study of potential implications of the introduction of new gTLDs. This presentation will focus on specific patterns in the A+J root DNS queries that highlight certain regional affinities for specific gTLDs that have applied for delegation. Studying these regional affinities has given us insights into possible systemic dependencies that may be prompting namespace collisions for applied-for gTLD strings. This presentation will take an in-depth look at a set of data that Verisign collected and analyzed from the root for the applied-for strings. We will use this data as a basis for explaining a methodology, used in the paper "New gTLD Security, Stability, Resiliency Update: Exploratory Consumer Impact Analysis", for determining that any one of the applied for strings is more likely to be relevant in a particular region.

Speaker: Andrew Simpson (Verisign)

Slides gTLD_Regional_Affinity.pdf

15:10 A possible methodology for evaluating new TLD delegations for risk

In the current round of expansion of the root zone, a number of applications appear to conflict with private name spaces that are actually in use on the Internet. This talk presents an overview of a procedure that allows evaluation of when it is "safe" to delegate a name, given that risk of conflict. The procedure begins with the assumption that the Interisle report to ICANN ("Name Collision in the DNS") reveals roughly three categories of potential conflicts: those of no substantial risk, those of considerable risk, and those of extreme risk. Using that assumption, the procedure offers a way to measure the point at which candidate labels can move to the category of "no substantial risk". For a given candidate label, the procedure requires delegation of the candidate to specially-instrumented name servers that will respond only to queries consistent with the procedure. Advertisements are to be placed on the Internet that include a URI with a host part inside the candidate namespace. As a control, another URI with a host part inside a normally-delegated namespace is also included in the advertisement. By comparing the frequency of queries inside the candidate namespace to the frequency of queries inside the normal delegation, it is possible to determine whether queries inside the candidate namespace has reached the level of noise. At that point, the candidate label can move to the category of "no substantial risk".

Speaker: Andrew Sullivan (Dyn)

Slides Sullivan-Test_delegations.pdf Sullivan-Test_delegations.pptx

15:30 → 16:00 Afternoon coffee break

16:00 → 16:20 DNSViz - Monitoring, Analysis, and Visualization

DNSViz was developed for the purpose of analyzing, reporting, monitoring, and visualizing DNS zones, particularly for DNSSEC. It has primarily been used for analysis and troubleshooting of DNSSEC deployment. Although it is several years old, it is still undergoing changes to incorporate additional enhancements in the way of functionality, stability, and historical archival. We describe the current state of the DNSViz platform and architecture and community involvement in its future.

Speaker: Dr Casey Deccio (Sandia National Laboratories)

Slides 2013-10-05-dnsviz-oarc.pdf

16:20 → 16:40 DNS workbench update

SIDNLabs has a DNS workbench (http://workbench.sidnlabs.nl/) open to the world to test DNS cornercases or bugs on a variety of nameserver software. This talk will give an update on new features, software and results of the DNS workbench, and invites other DNS experts to supply us with feedback on features they would like to be able to test on the SIDNLabs DNS workbench.

Speaker: Mr Antoin Verschuren (SIDN)

Slides Verschuren-SIDN_workbench.pdf Verschuren-SIDN_workbench.pptx

16:40 → 17:00 Introducing Hedgehog

Hedgehog is a replacement for DSC, developed for ICANN by Sinodun Internet Technologies Ltd. It's development was motivated by a need to match the growing deployment of the L root nameserver. ICANN intends to release Hedgehog under a free software license.

Speaker: Mr Dave Knight (ICANN)

Slides dknight-oarc-hedgehog.pdf

Sunday, 6 October

09:30 → 09:55 OARC Systems Update

As part of the OARC Development Plan, Q2 and Q3 of 2013 have seen significant rationalization, upgrade and development of OARC's Systems and Services. This presentation in conjunction with the OARC Infrastructure Plan details the changes and improvements made to date and planned for the future.

Speaker: Mr William Sotomayor (DNS-OARC)

Slides Sotomayor-Systems_update.pdf

09:55 → 10:20 Analysis of DITL root data and comparison with jp data

The number and characteristics of full resolvers are presumed in analyzing DITL data and JP packet capture data. This report presents number of IP addresses which send root DNSKEY queries, EDNS0 queries, DO queries, non-existing name queries, JP queries, updates, and others. Then, it compares root data and JP data.

Speaker: Mr Kazunori Fujiwara (Japan Registry Services Co., Ltd)

Slides oarc-fujiwara-20131006.pdf

10:20 → 10:45 Morning coffee break

10:45 → 11:10 An Open Resolver view of the New York Times Very Bad Day

The New York Times suffered a high-profile attack to its domain name via a compromised DNS registrar. Within 6 hours of the attack we initiated an "open resolver scan" of the IPv4 Internet, asking for the address nytimes.com. The results highlight the difficulties faced by organizations trying to purge incorrect data from DNS caches around the Internet.

Speaker: Duane Wessels (Verisign)

Slides OARC-nytimes-openres.pdf

11:10 → 11:55 Blocking DNS Messages is Dangerous

Internet entities are regularly affected by Distributed Denial of Service (DDoS) on various scales. Several methods can be leveraged to perform such attacks, but the most recent incidents were caused by throughput amplification via DNS servers. Improving the overall security of the French segment of the Internet is one of the missions of ANSSI (the French Network and Information Security Agency), which has led us to perform an analysis of the various DDoS mitigation techniques available to DNS operators. This research work shows that some of the most popular anti-DDoS strategies, currently deployed by prominent actors of the DNS community, could, under certain circumstances, make DNS cache poisoning attacks much easier, most often resulting in successful attacks taking less than a day.

Speaker: Mr Florian Maury (ANSSI/FNISA)

Slides slides.pdf

11:55 → 12:15 Herzberg/Shulman IP Fragmentation Attack

Amir Herzberg & Haya Shulman has presented a new DNS vulnerability based on IP fragmentation. This presentation will dive into the practical aspects of implementing working PoC as done by CZ.NIC Labs and other parties.

Speaker: Mr Ondrej Sury (CZ.NIC)

Slides IP-fragmentation-attack-on-DNS.key IP-fragmentation-attack-on-DNS.pdf

12:15 → 14:00 Lunch

On your own

14:00 → 14:20 A Question of DNS Protocols

There has been some recent interest in the use of TCP for DNS queries as a means of mitigating some of the issues with DNS reflection attacks. However, it is not clear how many clients use DNS resolvers that are capable of asking queries using TCP. This presentation reports on a large scale exercise of presenting clients with DNS names whose resolution generated a truncated UDP response from the authoritative name server, and measuring the number of clients who were capable of performing the query using TCP. The presentation also looks at the performance issues this raises in terms of time to resolve a name, as measured in this experiment.

Speaker: Mr Geoff Huston (APNIC)

Slides 2013-10-05-dns-protocol.pdf

14:20 → 14:40 Needles in a Quadrillion-Straw Haystack

We describe the construction of Nominum's system for large-scale analysis of DNS security data, some of the challenges involved in building that system, and some interesting things that we've found in the data. Particular points of interest include malware command-and-control detection and classification, detection of vulnerabilities and bugs in widespread DNS implementations, and a mysterious global pattern of unusual machine-generated queries.

Speaker: Sam Bretheim (Nominum)

Slides Bretheim-Haystack.pdf

14:40 → 15:10 Afternoon coffee break

15:10 → 15:45 DNS: Useful tool or just a hammer?

The DNS has become a piece of the critical infrastructure of the internet; without it most users would be unable to do anything. However, both the scale of use and how it's being used (and abused) were not things imagined when the DNS was originally designed. This tutorial will go over various threats to your servers, how to mitigate these threats, information on how the DNS is being abused in DDOS attacks and how you can help to not be part of the problem.

Speaker: Paul Ebersman (Infoblox)

Slides Ebersman-DNS_hammer.pdf