copyright IOActive, Inc. 2006, all rights
2008 and the new (old) nature of
Director of Penetration Testing
What a year!
• Significant flaw found in DNS
– You might have heard about it
• Pretty extensive simultaneous patching operation ensued
– Linux / ISC
– All released patches on July 8th
• Expected patch rate: 50% of servers after a year
• Achieved patch rate: ~66% after a few months
– Patch rate is higher in terms of actual users protected – not perfect, but
Do we need more?
I have never been a DNSSEC supporter.
I’ve been researching DNS for many years, and I’ve been – at best – neutral about the technology.
– I just didn’t think it mattered, and the engineering effort never seemed to be going
• What changed?
– Software engineering realities became too obvious to ignore.
• DNS is the only real way to scale across organizational
• Because DNS is insecure, its insecurity infects everything that uses it.
• Because DNS is insecure, security technology refuses to
– Security technology appears thus to have trouble scaling
• DNS is thus the common cause of security issues, and our inability to scalably fix them. Therefore, we need DNSSEC.
– But is anyone actually out there, exploiting DNS, so that they can exploit all the things built on DNS?
Acute to Chronic
• We expected 50% patch rate after a year
• We got 66% patch rate after a month
– Higher, if you consider exposure by user
• The Internet survived
– It always survives, so that shouldn’t be too surprising
• But things aren’t perfect either
– There’s still a decent chunk of the network that can be
– Is anyone actually doing it?
• David Dagon, Manos Antonakakis, and Luo ‘Daniel’ Xiapu from Georgia Tech have been monitoring the
Attacks In The Real World
Attacks are happening.
It is difficult to detect poisoning attacks
– The evidence is written in disapp
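The unpatched part of the network and the detection difficulty above both come down to resolvers that still send queries from a predictable source port (the July patches added source-port randomization). As an added example, not from this deck, a small Python heuristic over a constructed query log flags resolvers whose outbound source port barely varies; the log format, the sample addresses and the thresholds are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample log (not real traffic). One query per line:
# resolver_ip src_port txid qname
SAMPLE_LOG = """\
10.0.0.1 53 4096 www.example.com
10.0.0.1 53 4097 mail.example.com
10.0.0.1 53 4098 ns.example.com
10.0.0.1 53 4099 www.example.net
10.0.0.1 53 4100 ftp.example.net
10.0.0.2 41233 17321 www.example.com
10.0.0.2 58012 60944 mail.example.com
10.0.0.2 33981 2210 ns.example.com
10.0.0.2 50120 49811 www.example.net
10.0.0.2 62255 11002 ftp.example.net
10.0.0.3 53 7 www.example.com
10.0.0.3 53 8 mail.example.com
"""


def parse_log(text):
    """Group (src_port, txid) pairs per resolver IP; skips blank and '#' lines."""
    per_resolver = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, port, txid, _qname = line.split()
        per_resolver[ip].append((int(port), int(txid)))
    return dict(per_resolver)


def assess_resolvers(text, min_queries=5, max_port_share=0.5):
    """Classify each resolver by how much its outbound source port varies.

    If one port accounts for more than max_port_share of a resolver's queries
    it is reported as 'fixed-port' (likely unpatched); fewer than min_queries
    observations gives 'insufficient-data'; otherwise 'randomized'.
    """
    verdicts = {}
    for ip, samples in parse_log(text).items():
        if len(samples) < min_queries:
            verdicts[ip] = "insufficient-data"
            continue
        ports = Counter(port for port, _txid in samples)
        top_share = ports.most_common(1)[0][1] / len(samples)
        verdicts[ip] = "fixed-port" if top_share > max_port_share else "randomized"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in sorted(assess_resolvers(SAMPLE_LOG).items()):
        print(ip, verdict)
```

A fixed-port verdict only says the resolver looks unpatched; confirming an actual poisoning still needs the cache contents or the response traffic, which is the disappearing evidence the slide refers to.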