Spelling suggestions: "subject:"60sec"" "subject:"50sec""
11 |
DNSSEC online webová mapa / DNSSEC Online Web MapScherfel, Peter January 2011 (has links)
This master's thesis is focusedurity extension DNSSEC of DNS system. It will go trough the basics of securing DNS by DNSSEC and possibilities of collecting information about the state of DNSSEC in present. Its main goal is to design application, which will be monito- ring security state of TLD and SLD domains. Implemented system is gathering information from public Whois database. Gathered information are transformed to geographical coor- dinates by Google Maps API. All gathered information are stored in database and placed on geographical map of the world by Google Maps Api.
|
12 |
Striking at the Root: A Categorization of DNS ClientsDean, Tyler 29 July 2024 (has links) (PDF)
The Domain Name System (DNS) root servers have provided a useful look into the DNS and internet ecosystems for decades. We present a categorization of clients querying DNS root servers. Using two clustering algorithms on DNS traffic sampled in 2020, we can predict the structure and volume of queries originating from different types of clients. Previous research has used unsupervised techniques to better understand DNS traffic patterns, but none have, to our knowledge, considered clients beyond those driven by queries from end users. By performing clustering on IP addresses rather than on individual queries, we are able to examine the full breadth of DNS client categories. We also consider the overall deployment of recommended DNS security mechanisms, including 0x20 encoding, DNSSEC, IP-ID randomization, and QNAME minimization. We find that many of our measurements coincide with previous assessments of root server data. Our client-based approach reveals at least one group that suffers from a low rate of DNSSEC and source port randomization deployment.
|
13 |
DNS prestanda / DNS performanceBentahar, Younes January 2013 (has links)
Use of computers and computer networks is nowadays a part of everyday life. You do not use them only at home when you sit at you computer, but you can use them all the time everywhere. This can involve everything from surf to any website when you are at home, to checking your email on your mobile when you are on your way to work. Most people do not think about how it really works when they try to access a web page by typing the address into their browser, but something that most people probably notice is how long it can sometimes take to access a web page. All items which are directly connected to the IP network have a unique IP address that is used to make it possible to communicate. The IP address is either a period separated sequence of digits representing 32 bits or a colon separated sequence of digits representing 128 bits, depending on whether the address is an IPv4 or IPv6 address. Such numeric sequences are often difficult for us humans to remember therefore, the domain name system (DNS) was constructed. DNS makes it possible for us to write addresses in a textual format to access an item stored in a device connected to the network. DNS can be seen as a directory for the network and can be compared to a telephone directory, where if you know the name of a person can find his or her phone number. This thesis will describe how the various address translations are done by using DNS. It will also examine how much impact DNS has on the experienced delay from the time you type a web page address in the address bar of your browser to the actual time you reach the website. A survey of DNS performance will be presented to investigate how much delay can be reduced by using one of Sweden's two most well-known public DNS servers (Google Public DNS and OpenDNS) instead of the normal default DNS server provided by one's Internet service provider (ISP). The survey will also show how the DNS lookup waiting time changes at different times of day and different days of the week. The purpose of this work is to provide a basic explanation of what DNS is and increase the understanding of how an everyday user in a simple way can make their network usage more effective by getting their DNS lookups to occur faster. The conclusion from this thesis is that the alternative DNS server, Google Public DNS has the fastest DNS lookup time for this particular computer which the measurement was carried on. But this tells us nothing about whether the case for any other network users because the observed DNS performance has a large extent dependent on the ISP you are connected to, and what place you are at. / Dator- och nätverksanvändandet är idag en del av vardagen. Användandet sker inte enbart när man sitter hemma, utan det kan ske hela tiden och överallt. Det kan handla om allt från att surfa in på någon webbsida när man är hemma, till att kolla sin e-post i mobilen när man är på väg till jobbet. De flesta funderar inte på hur det egentligen går till när man försöker ansluta till en webbsida genom att skriva in adressen i webbläsaren. Däremot något som de flesta nog lagt märke till är hur lång tid det ibland kan ta att komma åt någon webbsida. Alla objekt som är direkt uppkopplade till IP-nätverket, har en unik IP-adress som används för att kunna kommunicera med varandra. IP-adressen är antingen en punktskild sifferföljd som består av 32 bitar eller en semikolonskild sifferföljd som består av 128 bitar, beroende på om det är IPv4 eller IPv6. Denna sifferföljd är ofta svår för oss människor att komma ihåg och av den orsaken konstruerades domännamnsystemet (DNS) som tillåter oss att genom adresser i textformat komma åt det sökta objektet på nätverket. DNS kan ses som ett uppslagsverk för nätverket och kan liknas vid en telefonkatalog, där om man vet namnet på en person kan hitta dennes telefonnummer. I detta examensarbete kommer det att beskrivas hur olika adressöversättningar sker med hjälp av DNS. Det kommer även utredas hur stor påverkan DNS har på den upplevda fördröjningen från det att man skrivit in webbsidans adress i adressfältet i webbläsaren tills det att man faktiskt kommer fram till webbsidan. En undersökning av DNS prestandan kommer att presenteras som utreder hur mycket tid man kan tjäna på att använda någon av Sveriges två mest kända alternativa DNS-servrar (Google Public DNS och OpenDNS) istället för den normalt förinställda DNS-servern som fås av ens internetleverantör (ISP). Undersökningen kommer även visa hur DNS uppslagningarnas väntetid förändras vid olika tidpunkter på dygnet samt vid olika veckodagar. Syftet med detta arbete är att ge en grundläggande förklaring av vad DNS är för något samt att öka förståelsen för hur en vardaglig nätverksanvändare på ett enkelt sätt kan effektivisera sitt nätverksanvändande genom att få sina DNS uppslagningar att gå fortare. Slutsatsen från denna avhandling är att den alternativa DNS-servern Google Public DNS har snabbast DNS uppslagningstid för just denna dator som mätningarna genomförts på. Men detta säger oss ingenting om huruvida fallet är för andra nätverksanvändare eftersom den observerade DNS prestandan är till stor grad beroende av den ISP man är ansluten till samt vilken plats man befinner sig på.
|
14 |
DNSSEC en säkerhetsförbättring av DNS : en studie om Svenska kommuners syn på DNSSECTelling, Henric, Gunnarsson, Anders January 2010 (has links)
Syftet med uppsatsen är att undersöka varför få svenska kommunerna valt att installera DNSSEC på sina domäner. DNS är en av de viktigaste protokollen på Internet och behövs för att sammanlänka IP-adresser med mer lättförståeliga adresser för oss människor. DNS skapades utan att tänka på säkerheten, för att kunna göra DNS säkrare utvecklades ett säkerhetstillägg till DNS detta fick namnet DNSSEC.Vi har använt oss av litteraturstudie, experiment och intervjuer för att skapa en djupare kunskap och förståelse om hur DNS och DNSSEC fungerar samt besvara varför få kommuner har valt att installera DNSSEC.Under vår litteraturstudie läste vi om flera sårbarheter i DNS och hur dessa kan utnyttjas för att utsätta en organisation för attacker såsom cacheförgiftning och MITM. Vi testade dessa sårbarheter och bekräftade det. Efter installationen av DNSSEC kunde inte angreppen längre genomföras i vår testmiljö.Under intervjuerna kom vi fram till att den vanligaste orsaken att kommuner inte väljer att installera DNSSEC är okunskap om tillvägagångsättet för en installation och att de tycker deras nuvarande DNS fungerar bra, det blir då ingen prioriterad fråga. Kommunerna som installerat DNSSEC är nöjda med sin installation och bara en kommun har upplevt problem vid införandet.För att vi ska kunna fortsätta utveckla Internet är en kontroll av säkerheten en nödvändighet och då är DNSSEC en vägvisare. Kommunerna borde föregå med gott exempel och vara bland de första som inför DNSSEC så besökarna till deras hemsidor kan känna sig säkra att informationen på deras sidor är korrekt. / The purpose of this paper is to investigate why few Swedish municipalities have chosen to install DNSSEC on their domains. DNS is one of the most important protocols on the Internet and used to link IP-addresses to understandable addresses for users. DNS was created without thinking about security, to make DNS more secure a security extension was developed to DNS, named DNSSEC.We have used literature review, experiments and interviews to create a deeper knowledge and understanding about DNS and DNSSEC, how it works and why few municipalities have chosen to install DNSSEC.In the literature we read about several vulnerabilities in DNS and it can easily be exposed to attacks such as cache poisoning and MITM. We tested these vulnerabilities and confirmed them. After installation of DNSSEC we could not expose our implemented DNS anymore in our test environment.During the interviews, we concluded that the most common reason why municipalities do not choose to install DNSSEC is ignorance of an installation and they think that their current DNS works well and it does not become a priority. The municipalities that have installed DNSSEC are satisfied with its installation and only one municipality has experienced difficulties during the implementation.In order for us to continue developing the Internet a control of security is a necessity and DNSSEC is a good example. Local authorities should lead by good example and be among the first to implement DNSSEC, so users of their websites can be assured that the information on their pages is accurate.
|
15 |
Proposition de nouveaux mécanismes de protection contre l'usurpation d'identité pour les fournisseurs de services Internet / Proposal for new protections against identity theft for ISPsBiri, Aroua 25 February 2011 (has links)
De plus en plus d’organisations sont informatisées et plus une organisation est grande, plus elle peut être la cible d’attaques via Internet. On note également que les internautes utilisent de plus en plus Internet pour faire des achats sur des sites de commerce électronique, pour se connecter à l’administration en ligne, pour voter de manière électronique, etc. Par ailleurs, certains d’entre eux ont de plus en plus d'équipements électroniques qui peuvent être raccordés à Internet et ce dans divers sites (domicile, voiture, lieu de travail, etc.). Ces équipements forment ce qu’on appelle un réseau personnel qui permet la mise en place de nouvelles applications centrées sur l’internaute. Les fournisseurs de services Internet peuvent ainsi étoffer leurs offres de services en présentant une offre de sécurisation de ce genre de réseau. Selon le rapport du cabinet « Arbor Networks » intitulé « Worldwide Infrastructure Security Report », les menaces identifiées comme les plus sévères sont relatives aux attaques de déni de service distribué. Ce type d’attaque a pour but de rendre indisponible un service en empêchant les utilisateurs légitimes de l'utiliser. Il utilise la technique de l’usurpation d’identité qui consiste en la création de paquets (de type IP, ARP, etc.) avec une adresse source forgée et ce dans le but d’usurper un système informatique ou d’usurper l’identité de l’émetteur. La technique de l’usurpation d’identité permet ainsi de rendre un service indisponible, d’écouter, de corrompre, de bloquer le trafic des internautes ou de nuire au bon fonctionnement des protocoles de routage et des réseaux personnels des clients. De plus, la technique de l’usurpation d’identité est également utilisée pour des activités interdites par la loi « Hadopi » en rigueur en France comme le téléchargement illégal. De ce fait, les fournisseurs de services Internet se doivent de prémunir leurs clients des attaques basées sur la technique de l’usurpation d’identité. Ces dits fournisseurs comptent sur les protocoles de routage qu’ils déroulent pour participer au bon acheminement des données de leurs clients. Cependant, le protocole intra-domaine OSPF et le protocole inter-domaine BGP sont vulnérables aux attaques utilisant la technique de l’usurpation d’identité qui peuvent conduire à l’acheminement des paquets vers des destinataires non légitimes ou au déni de service. Nous proposons donc deux mécanismes dédiés respectivement au protocole intra-domaine OSPF et au protocole inter-domaine BGP. D’une part, afin de protéger les routeurs OSPF contre les attaques utilisant la technique d’usurpation d’identité, nous avons préconisé le stockage de l’identité et du matériel cryptographique dans un coffre-fort électronique que sont les cartes à puce. Les cartes déroulent ensuite un algorithme de dérivation de clés avec les cartes des routeurs voisins ainsi qu’avec celle du routeur désigné. Les clés dérivées entre les cartes à puce servent à signer les messages OSPF et à authentifier le niveau MAC. Nous avons décrit par la suite la plateforme du démonstrateur et les scénarios de tests adoptés pour évaluer les performances de notre prototype et les comparer avec ceux du logiciel Quagga sur la base de trois critères : le temps requis pour traiter une annonce d'état de liens, le temps de convergence ainsi que le temps de re-calcul d’une table de routage après un changement. Ces temps augmentent peu avec l’introduction de la carte à puce implémentant les fonctions de sécurité proposées. Ainsi, cette solution permet de renforcer la sécurité du protocole OSPF avec un impact raisonnable sur les performances. D’autre part, afin de protéger les routeurs BGP contre les attaques utilisant la technique d’usurpation d’identité, nous avons préconisé la « clustérisation » des domaines Internet et la sécurisation des liens entre les clusters ainsi qu’au sein de chacun d’eux grâce aux paradigmes de « web of trust » et de la cryptographie sans certificats […] / More and more organizations are computerized and more an organization is great, plus it can be the target of Internet attacks. Moreover, some of them have a growing number of electronic equipments that can be connected to the Internet from various locations (home, car, workplace, etc.). These devices form a so-called personal area network that allows the development of new applications centered on users. The ISPs can then expand their service offerings by providing a secure supply of such networks. According to the report of the firm “Arbor Networks”, entitled "Worldwide Infrastructure Security Report ", the most severe threats are related to distributed denial of service. This type of attack aims to make available a service by preventing legitimate users from using it. It uses the technique of identity theft that involves the creation of packages (like IP, ARP, etc.) with a forged source address and that in order to usurp the Identity of the issuer or of the computer system. Thus, the technique of identity theft allows to render a service unavailable, to listen, to corrupt, to block traffic from Internet users or to undermine the legitimate operation of routing protocols and personal networks. Moreover, the technique of identity theft is also used for prohibited activities by "HADOPI" law in France and related to illegal downloading issues. Thus, the ISPs have a duty to protect their customers from attacks based on the technique of identity theft. The mechanisms of protection against spoofing attacks for access networks are crucial for customer adoption of new applications offered by Internet service providers. This part of the doctoral thesis is part of the European project “MAGNET Beyond" whose vision is to put into practice the concept of personal networks, with the ultimate objective to design, develop, prototype and validate the concept. In the context of user equipment’s access to the network of an Internet services provider from a public place, we proposed a cross-layer protocol based on the principles of information theory. This protocol fixes the security hole not addressed by other proposals that is the attack of identity theft that occurs at the beginning of communication and thus protects users against the middle man attacks. We proposed that the person who wants to have secure access to the Internet must be on a specific circle has been called "RED POINT" so that the attacker is not able to be on the same circle at the same time. The proposed cross-layer protocol can be divided into three phases: the phase of checking the position of the user, the extraction phase of the shared secret of the physical layer and the phase of the derivation of the shared key at the MAC layer. We subsequently validated our solution through a formal tool AVISPA and presented the results of its implementation. In a private context, communication between devices convey users' personal data which may be confidential, so we must prevent equipment not belonging to the legitimate user to access its network. Thus, we proposed two mechanisms of protection against attacks based on spoofing so that illegitimate equipment is unable to impersonate legitimate equipment. The first phase will be dedicated to personal networks and the second will be dedicated to the particular case of medical networks. Regarding the mechanism dedicated to personal networks, we have proposed the use of a protocol based on out-of-band channel in order to provide certificates to user equipments. We derive bilateral key for personal network’s equipments of the same site and between equipments at remote sites. Concerning the particular case of medical networks, we proposed to cover their deployment phases and their operational phases. This proposal was submitted to the IEEE 802.15.6 working group that conducts research for the standardization of medical networks […]
|
16 |
Nasazení DNSSEC na klientské straně / Client side DNSSEC deploymentNekuža, Karel January 2018 (has links)
Diplomová práce se zabývá problémem přístupu koncového uživatele k odpovědím ověřeným pomocí protokolu DNSSEC. Práce posuzuje možnosti nasazení a nastavování resolveru za účelem zlepšení bezpečnosti pro koncové uživatele. V práci je navrhnuto řešení problému pro operační systém Fedora Workstation. Navrhnuté řešení je realizováno a porovnáno s již existujícím řesením.
|
17 |
Automatické ověřování softwarových balíků za pomocí DNS / Automatic verification of software packages with help of DNSSehnoutka, Martin January 2018 (has links)
Tato diplomová práce se zabývá problémem bezpečné distribuce software. Je navrženo zlepšení s pomocí doménového systému, který je použit pro uložení verifikačních klíčů, potřebných pro ověření integrity balíků stáhnutých pomocí správce balíků. Navíc je navržena rozšířená verze, které se zabývá zabezpečením metadat repositářů. Obě verze jsou implementovány v jazyce Python a integrovány do správce balíků dnf. Tato implementace je otestována ve virtuálním prostředí, diskutována a zhodnocena z hlediska způsobené zátěže.
|
18 |
Library and Tools for Server-Side DNSSEC Implementation / Library and Tools for Server-Side DNSSEC ImplementationVčelák, Jan January 2014 (has links)
Tato práce se zabývá analýzou současných open source řešení pro zabezpečení DNS zón pomocí technologie DNSSEC. Na základě provedené rešerše je navržena a implementována nová knihovna pro použití na autoritativních DNS serverech. Cílem knihovny je zachovat výhody stávajících řešení a vyřešit jejich nedostatky. Součástí návrhu je i sada nástrojů pro správu politiky a klíčů. Funkčnost vytvořené knihovny je ukázána na jejím použití v serveru Knot DNS.
|
19 |
Email attacks : Investigation about the vulnerability of the Swedish organizations against email threats.Kour, Jawdat, Ahmed, Hasan January 2020 (has links)
Email is an essential form of communication for organizations. Nevertheless, with so much popularity came many challenges. These emails usually carry sensitive data that might cause significant harm if they get compromised. Besides, spam and phishing emails that continually reach the employees’ inbox masquerading as a trusted entity due to the lack of authentication mechanisms are also considered a significant threat for organizations today. Such threats are phishing using email domain forgery attack, redirecting emails to a mail server that is under the attacker’s control, and connection eavesdropping. The research aimed to investigate the vulnerability of approximately 2000 organizations within Sweden against those attacks. Toward that end, the quantity and quality of the following email security mechanisms SPF, DKIM, DMARC, STARTTLS, DNSSEC, and DANE were examined through a case study. Also, the adoption of these mechanisms was investigated, whether it varies based on different factors such as organization size, sector, and location. The research findings indicated that the average adoption rate by the tested organizations was approximately 50%. Furthermore, the result demonstrated that there were no differences in the adopted mechanisms based on the studied factors that the results were quite similar among the tested groups. It concluded that there is a lack of protection mechanisms, which made the majority of the tested organizations vulnerable to different types of email attacks.
|
20 |
Minimal Trusted Computing Base for Critical Infrastructure ProtectionVelagapalli, Arun 17 August 2013 (has links)
Critical infrastructures like oil & gas, power grids, water treatment facilities, domain name system (DNS) etc., are attractive targets for attackers — both due to the potential impact of attacks on such systems, and due to the enormous attack surface exposed by such systems. Unwarranted functionality in the form of accidental bugs or maliciously inserted hidden functionality in any component of a system could potentially be exploited by attackers to launch attacks on the system. As it is far from practical to root out undesired functionality in every component of a complex system, it is essential to develop security measures for protecting CI systems that rely only on the integrity of a small number of carefully constructed components, identified as the trusted computing base (TCB) for the system. The broad aim of this dissertation is to characterize elements of the TCB for critical infrastructure systems, and outline strategies to leverage the TCB to secure CI systems. A unified provider-middleman-consumer (PMC) view of systems was adopted to characterize systems as being constituted by providers of data, untrusted middlemen, and consumers of data. As the goal of proposed approach is to eliminate the need to trust most components of a system to be secured, most components of the system are considered to fall under the category of “untrusted middlemen.” From this perspective, the TCB for the system is a minimal set of trusted functionality required to verify that the tasks performed by the middle-men will not result in violation of the desired assurances. Specific systems that were investigated in this dissertation work to characterize the minimal TCB included the domain name system (DNS), dynamic DNS, and Supervisory Control and Data Acquisition (SCADA) systems that monitor/control various CI systems. For such systems, this dissertation provides a comprehensive functional specification of the TCB, and outlines security protocols that leverage the trust in TCB functionality to realize the desired assurances regarding the system.
|
Page generated in 0.0331 seconds