Threats
1 Roy
1.1 Botnets
1.2 Cache poisoning
1.2.1 Kaminsky
1.2.2 Kashpureff
1.3 Spoofing
1.4 M+M
1.5 Fast Flux
1.6 Operational errors
1.7 Supporting infrastructure
1.8 Hackers
1.9 Homogeneity
1.10 Content provisioning exposure
1.11 DNSSEC private key exposure
1.12 Question from the group: "What is the perspective of threat description?"
1.13 Picture
2 Katrina
2.2 1) Compromised credentials (Phishing, Key logger, a.o.)
2.3 2) Compromised credentials, DDOS
2.4 3) DDOS
2.5 4) Spoofing, poisoning
2.6 ALL) MIM (Man in the middle)
2.7 Picture
3 ???
3.1 Poor design (hardware and software)
3.2 Natural disasters
3.3 Bad players
3.3.1 Organized crime
3.3.2 Geo-political groups
3.3.3 Rogue elements
3.4 Nation states
3.5 Implementation errors (hardware and software)
3.6 Operational errors
3.7 Scalability issues
3.8 Rapid change
3.9 Informality of some processes
3.10 Inadequate funding (for infrastructure, training, etc.)
3.11 Lack of visibility and understanding by decision-makers
3.12 Picture
4 Olivier
4.1 Physical
4.1.1 Terrorism
4.1.2 Facility security
4.2 Single point of failure
4.2.1 Topology
4.2.2 Service providers
4.2.3 Software
4.2.4 Hardware
4.2.5 Geo location
4.2.6 Infrastructure (electricity, fiber, etc.)
4.3 Targeted attack
4.3.1 DDOS
4.3.2 Hacking/penetration
4.3.3 Data poisoning (MITM, Cache)
4.4 Alternate DNS roots
4.5 DNS blocking
4.6 Political
4.6.1 State-sponsored
4.6.2 Hacktivism
4.7 Picture
5 Threats
5.1 Threats on the underlying infrastructure. May include:
5.1.1 TLD and registrar failure
5.1.2 Disasters
5.1.3 Authority or authentication compromise
5.1.4 Government interventions
5.1.5 (FY12)
5.2 Direct Attacks
5.2.1 Cache poisoning attacks
5.2.2 Recursive vs authoritative nameserver attacks
5.2.3 DDOS attacks
5.2.4 DOS
5.2.5 IDN attacks (lookalike characters etc. for standard exploitation techniques)
5.2.6 Reflection attacks
5.3 Indirect attacks
5.3.1 Email/spam
5.3.1.1 IPv6 -- spammers hopping from IP to IP, causing huge numbers of lookups -- volume-related threats (perhaps unintentional) -- may also break normal DNS caching (which assumes repeated requests for the same thing)
5.3.1.2 Issues around reverse DNS for SMTP servers
5.4 Vulnerabilities
5.4.1 Bugs
5.4.2 Vulnerability of DNS software, OS, etc.
5.4.3 Split DNS
5.5 External events (non Internet protocol events?)
5.5.1 Acts of war/terror
5.5.2 Natural disaster
5.5.3 Physical disasters
5.6 Possible hierarchies
5.6.1 Layers
5.6.1.1 Threats that leverage the DNS
5.6.1.2 Threats against the underlying infrastructure
5.6.2 Temporal
5.6.2.1 Attacks on the protocol layer below the DNS
5.6.3 Needs to border DNS
5.6.3.1 See the several recent papers by EFF, Zhang and others on ISPs monetizing synthetic returns/content modification
5.6.3.2 No single authoritative DNS (e.g. alternate root servers), lack of DNS response integrity
5.6.3.3 alternate root, strings appearing in other configurations not supported in the global root
5.6.3.4 Possible extensions of carrier-grade NAT
6 Action-items
6.1 Clarifications
6.1.1 Mark
6.1.1.1 Leverage the DNS and unique identifiers (such as botnets, denial of service attacks, social engineering attacks) for fraud, malicious conduct or route-hijacking attacks