Hacking at Random
Hacking happens

Rick van Rein
Day Saturday - 2009-08-15
Room Monty Hall
Start time 14:00
Duration 01:00
ID 78
Event type Lecture
Language used for presentation English

Cracking Internet

The urgency of DNSSEC

This workshop will introduce the problems with DNS that jeapardise the Internet as a whole. We will begin with a general discussion, and argue that the only real solution that is ready now is DNSSEC. We will continue with more detailed discussions of the Kaminsky attack, and explain how to attack the machines that we prepared for attack during HAR2009.

We propose to present the following:

  1. A general introduction into the Kaminsky attack, aimed at newcomers and journalists.
  2. A detailed discussion of the Kaminsky attack.
  3. A detailed discussion of DNSSEC.
  4. Possibly a guided session in mounting the attack.

Aside from this, we propose to prepare a few servers available to the HAR 2009 crowd that may be freely attacked during the conference. The servers will have varying levels of defenses against the Kaminsky attack, but we expect them all to break sooner or later. We imagine these machines to be located off-site.

These presentations are a cooperative effort of:

  • SURFnet, in the person of Roland van Rijswijk
  • OpenFortress, in the person of Rick van Rein SURFnet is working to roll out DNSSEC in The Netherlands. OpenFortress provides technical facilities to SURFnet in the area. We cooperate with others such as NLnet Labs, .SE and .UK in the OpenDNSSEC.org project. We also discuss these matters with SIDN.

One of our explicit goals is to get some media focus on this issue, so everyday users become more aware that virusses are not their main problem, and start bothering their ISPs and banks about DNSSEC. This is useful because DNSSEC has a bit of a problem in that nobody starts using it because... nobody is using it yet. ISP's wait for banks to offer secure domains, banks wait for ISP's to offer domain validation.

Our reasons for plugging DNSSEC are that it is dirty, but it works. And it is the only solution for DNS' leakage that actually works.