DOCSLIB.ORG

Methodology for DNS Cache Poisoning Vulnerability Analysis Of

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Methodology for DNS Cache Poisoning Vulnerability Analysis Of 1 INFOCOMMUNICATIONS1> REPLACE THIS LINE JOURNAL WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLECLICK HERE TO EDIT) < > REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATIONMethodology NUMBER (DOUBLECLICK for DNS Cache PoisoningHERE TO EDIT)Vulnerability < Analysis of DNS64 Implementations Methodology for DNS Cache Poisoning INFOCOMMUNICATIONS JOURNAL 6 Methodology for DNS Cache Poisoning MethodologyVulnerability for AnalysisDNS Cache of DNS64 Poisoning So the conclusion for a real noisy environment is that the [8] W. D. Zhong, C. Chen, H. Yang and P. Du, “Performance Analysis of Vulnerability Analysis of DNS64 longer the codes the better the Gold code sets are, but under a Angle Diversity Multi-Element Receiver in Indoor Multi-Cell Visible Light Communication Systems”, International Conference on VulnerabilityImplementations Analysis of DNS64 certain code length the performance of Gold codes and OOCs Transparent Optical Networks (ICTON), 2017. may be similar. Implementations [9] S. Shawky, M.A. El-Shimy, Z. A. El-Sahn, M. R. M. Rizk and M. H. Implementations Aly, “Improved VLC-based Indoor Positioning System Using a G. Lencse, and Y. Kadobayashi, VII. CONCLUSION Regression Approach with Conventional RSS Techniques”, International Wireless Communications and Mobile Computing G.G. Lencse, Lencse, and and Y. Y. Kadobayashi, Kadobayashi ,Member, IEEE In this paper the VLC related CDM problems are Conference (IWCMC), pp. 904-909, June 2017. discussed, focusing on the asynchronous mode CDM which is more suitable for a simple VLC system. The description of the [10] S. Yang, E. Jeong, D. Kim, H. Kim, Y. Son, and S. Han, “Indoor years or even decades. On the one hand, IPv6 transition three-dimensional location estimation based on LED visible light most common code set types, the unipolar OOCs and bipolar yearstechnologies or even aredecades. important On solutionsthe one hand,for several IPv6 transdifferentition communication”, Electronics Letters, vol. 49, no. 1, pp. 54–56, technologiesproblems, which are ariseimportant from solutionsthe incompatibility for several of IdiPv4fferent and PN codes, showed the benefits, disadvantages and January 2013. possibilities of these codes. Obtaining information about a problems,IPv6: they whichcan enable arise communicationfrom the incompatibility in various scenof IPv4arios and[2]. [11] S. Jung, C. Choi, S. Heo, S. Lee, and C. Park, “Received Signal CDM channel quality is not as easy as measuring RSS on a IPv6:However, they oncan the enable other communication hand, they also involvein various a hig scenh numberarios [2]. of Strength Ratio Based Optical Wireless Indoor Localization Using single RF signal. It was showed that the most common quality Light Emitting Diodes for Illumination”, IEEE International However,security issueson the other[3]. Wehand, have they alsosurveyed involve 26 a higIPv6h numbertransition of Conference on Consumer Electronics (ICCE), pp. 63–64, January securitytechnologies, issues and [3]. prioritized We have them surveyed in order to26 be IPv6 able totrans analyzeition indicator measure, the crest factor, may be misleading in some 2013. technologies,the security vulnerabilities and prioritized of them the mostin order important to be able ones to analyzefirst [2]. cases. A possible solution is proposed for this problem, introducing two novel advanced quality indicator (AQI) [12] M. Mukherjee, "Wireless Communication – Moving from RF to theDNS64 security [4] vulnerabilitiesand stateful NAT of the [5] most were important classified ones as first having [2]. measures. Computing these new measures along with the crest Optical," International Conference on Computing for Sustainable DNS64utmost importance,[4] and stateful because NAT they [5] weretogether classified provide as th heaving only Global Development (INDIACom), pp. 788-795, 2016. factor gives a better approximation to the CDM channel utmostsolution importance, for a communication because theyscenario, together which provide is very importantthe only quality. With AQI1 the noise immunity of a CDM [13] S. De Lausnay, L. De Strycker, J-P. Goemaere, N. Stevens, B. solutionnow because for a communicationof the exhaustion scenario, of the public which IPv4 is ver ady dressimportant pool, transmission using Gold codes and OOCs are compared, in Nauwelaers, “Optical CDMA Codes for an Indoor Localization nownamely, because they of enable the exhaustion IPv6only of clientsthe public to IPv4communicat addresse pool, with System using VLC”, 3rd International Workshop on Optical Wireless function of the code length. These AQIs, for example, may Communications (IWOW), pp. 50–54, September 2014. namely,IPv4only they servers. enable IPv6only clients to communicate with improve the precision of a channel quality based VLC CDM IPv4onlyWe have servers. also developed a methodology for the identification [14] R. Gold, “Optimal Binary Sequences for Spread Spectrum indoor positioning system, and allows more reliable practical ofWe potential have also security developed issues a methodology of different for theIPv6 identi tranficationsition Multiplexing”, IEEE Transactions on Information Theory, vol. 13, comparison between various code sets. no. 4, pp. 619–621, October 1967. oftechnologies potential [6].security Ref. [3]issues follows of the different STRIDE IPv6appro ach,tran sitionwhich technologiesis a general software [6]. Ref. security [3] follows solution the STRIDE and it uses appro the ach,DFD which (Data ACKNOWLEDGMENT isFlow a general Diagram) software model security of the solution systems and to facilitate it uses the th DFDe discovery (Data The authors would like to thank Dr. Kari Kärkkäinen from Flowof various Diagram) threats. model We of havethe systems found tothis facilitate approach the usediscoveryful and the University of Oulu, Finland for the freely downloadable Gábor Szabó was born in Győr, Hungary, ofamended various the threats. method We in [6],have where found we this have approach also shown use fulthat and it is bipolar pseudo-noise code bank, which was a great help for 1990. He received his M. Sc. degree from amendednecessary the to methodexamine in the[6], mostwhere important we have alsoimplementat shown thations it isof the CDM simulations. the Budapest University of Technology and necessarythe given to IPv6 examine transition the most technologies, important implementatwhether theionsy areof Economics in 2015. His research interests thesusceptible given IPv6to the transitionvarious threats technologies, that were discovwhetherered the byy using are REFERENCES include optoelectronics and visible light susceptiblethe STRIDE to theapproach. various Wethreats have that pointed were discov out thatered DNS64 by using is communication. thetheoretically STRIDE susceptibleapproach. We to have pointed out that [7], DNS64 and now is [1] B. M. Masini, A. Bazzi and A. Zanella, "Vehicular Visible Light theoreticallythe important susceptible practical to question is, whether [7],its anddifferent now Networks with Full Duplex Communications," IEEE International theimplementations important practical are actually question susceptible is, whether to itsDNS di fferentcache Conference on Models and Technologies for Intelligent Transportation Systems (MT-ITS), pp. 98-103, 2017. implementationspoisoning or not. are actually susceptible to DNS cache Eszter Udvary was born in Budapest, [2] S. Randel, F. Breyer, S. C. Lee, and J. W. Walewski, “Advanced Hungary. She received her Ph. D. degree in I. INTRODUCTION poisoningThe purpose or not. of this paper is to develop a simple and efficient Modulation Schemes for Short-Range Optical Communications”, 2009 from Budapest University of I. INTRODUCTION methodologyThe purpose for of DNSthis paper cache is poisoning to develop vulnerability a simple an danalysis efficient of IEEE Journal of Selected Topics in Quantum Electronics, vol. 16, no. EVERAL [1] were developed methodologyDNS64 implementations. for DNS cache This poisoning paper is vulnerability based on our a nalysisworkshop of 5, pp. 1280–1289, 2010. Technology and Economics. Her research SEVERAL to support the transition from IPv4 to [1]IPv6, were which developed we are interests include microwave circuits, fiber DNS64paper [8], implementations. in which we Thishave paperpresented is based our on testbed our w orkshopand our [3] A. Street, P. Stavrinou, D. O’brien, and D. Edwards, “Indoor optical Scurrently to support faced the with, transition and which from is IPv4 expected to IPv6, to lastwhich for weseveral are papermethod [8], for in Transaction which we haveID prediction presented attackour testbed as well a ndas ourour wireless systems – a review”, Optical and Quantum Electronics, vol. optics and optoelectronics. currently faced with, and which is expected to last for several 29, no. 3, pp. 349–378, 1997. methodresults forfor someTransaction specific ID DNS64 prediction implementations. attack as well No asw ourwe Submitted: December 28, 2017. This work was supported by the resultsgive a morefor some detailed specific introduction DNS64 toimplementations. cache poisoning Noincludingw we [4] T. Komine and M. Nakagawa, “Integrated system of white LED International Exchange Program of the National Institute of Information and visible-light communication
Load more

Recommended publications
  • Ispconfig 3 Manual]
    [ISPConfig 3 Manual] ISPConfig 3 Manual Version 1.0 for ISPConfig 3.0.3 Author: Falko Timme <[email protected]> Last edited 09/30/2010 1 The ISPConfig 3 manual is protected by copyright. No part of the manual may be reproduced, adapted, translated, or made available to a third party in any form by any process (electronic or otherwise) without the written specific consent of projektfarm GmbH. You may keep backup copies of the manual in digital or printed form for your personal use. All rights reserved. This copy was issued to: Thomas CARTER - [email protected] - Date: 2010-11-20 [ISPConfig 3 Manual] ISPConfig 3 is an open source hosting control panel for Linux and is capable of managing multiple servers from one control panel. ISPConfig 3 is licensed under BSD license. Managed Services and Features • Manage one or more servers from one control panel (multiserver management) • Different permission levels (administrators, resellers and clients) + email user level provided by a roundcube plugin for ISPConfig • Httpd (virtual hosts, domain- and IP-based) • FTP, SFTP, SCP • WebDAV • DNS (A, AAAA, ALIAS, CNAME, HINFO, MX, NS, PTR, RP, SRV, TXT records) • POP3, IMAP • Email autoresponder • Server-based mail filtering • Advanced email spamfilter and antivirus filter • MySQL client-databases • Webalizer and/or AWStats statistics • Harddisk quota • Mail quota • Traffic limits and statistics • IP addresses 2 The ISPConfig 3 manual is protected by copyright. No part of the manual may be reproduced, adapted, translated, or made available to a third party in any form by any process (electronic or otherwise) without the written specific consent of projektfarm GmbH.
    [Show full text]
  • To the Members of the Senate Judiciary Committee: We, The
    To the members of the Senate Judiciary Committee: We, the undersigned, have played various parts in building a network called the Internet. We wrote and debugged the software; we defined the standards and protocols that talk over that network. Many of us invented parts of it. We're just a little proud of the social and economic benefits that our project, the Internet, has brought with it. We are writing to oppose the Committee's proposed new Internet censorship and copyright bill. If enacted, this legislation will risk fragmenting the Internet's global domain name system (DNS ), create an environment of tremendous fear and uncertainty for technological innovation, and seriously harm the credibility of the United States in its role as a steward of key Internet infrastructure. In exchange for this, the bill will introduce censorship that will simultaneously be circumvented by deliberate infringers while hampering innocent parties' ability to communicate. All censorship schemes impact speech beyond the category they were intended to restrict, but this bill will be particularly egregious in that regard because it causes entire domains to vanish from the Web, not just infringing pages or files. Worse, an incredible range of useful, law-abiding sites can be blacklisted under this bill. These problems will be enough to ensure that alternative name-lookup infrastructures will come into widespread use, outside the control of US service providers but easily used by American citizens. Errors and divergences will appear between these new services and the current global DNS, and contradictory addresses will confuse browsers and frustrate the people using them.
    [Show full text]
  • Domain Name Server Comparison
    DomainNameServerComparison: BIND8vs.BIND9vs.djbdnsvs.??? BradKnowles SeniorConsultantforSnow,BV [email protected] http://www.shub-internet.org/brad/papers/dnscomparison/ Entirecontentscopyright©2003byBradKnowles,allrightsreserved Overview • Meta Information • TLD Survey Results • Software – Installation – Features – Performance • Conclusions 2003-01-28 Copyright©2003byBradKnowles 2 MetaInformation • Hardware Used • Software Used • Methodology 2003-01-28 Copyright©2003byBradKnowles 3 HardwareUsed • TLD Survey – OS: BSD/OS 4.2 – CPU: Pentium III – RAM: 512MB real, 1.0GB virtual 2003-01-28 Copyright©2003byBradKnowles 4 HardwareUsed • Performance Testing – Compaq Armada 4131T Laptop • OS: FreeBSD 4.6.2-RELEASE • CPU: Pentium 133 • RAM: 48MB real, 384MB virtual • NICs: Asanté FriendlyNET AL1011 “Prism2” 802.11b WiFi PC Card & Linksys EtherFast 10/100 PC Card (PCM100) • HD: 10GB IBM Travelstar 20GN – 4200 RPM – 12ms avg. seek 2003-01-28 Copyright©2003byBradKnowles 5 HardwareUsed: PerformanceTesting Image copyright © 2001 Sunset Computer Services, Inc. All Rights Reserved. 2003-01-28 Copyright©2003byBradKnowles 6 SoftwareUsed • ISC – BIND 8.3.3-REL – BIND 9.2.2rc1 • djbdns 1.05 – daemontools 0.76 – ucpsi-tcp 0.88 – tinydns-bent 1.1 • nsd 1.02b1 • Nominum – ANS (Authoritative Name Server) 2.0.1-1eval – CNS (Caching Name Server) 1.1.0b1 • PowerDNS 2.9.4 2003-01-28 Copyright©2003byBradKnowles 7 SomeSoftwareConsidered • QuickDNS (authoritative) – See <http://www.menandmice.com/2000/2600_isp_dns_solution.html> • Aimed at small-to-medium size businesses,
    [Show full text]
  • Sirdom. Sistema Para La Gestión Del Servicio De Resolución De Nombres De Dominios
    Revista de investigación Editada por Área de Innovación y Desarrollo, S.L. Envío: 27-01-2013 Aceptación: 30-01-2013 Publicación: 19-02-2013 SIRDOM. SISTEMA PARA LA GESTIÓN DEL SERVICIO DE RESOLUCIÓN DE NOMBRES DE DOMINIOS SIRDOM. MANAGEMENT SYSTEM FOR THE RESOLUTION NAMES DOMAINS SERVICE. Yoedusvany Hernández Mendoza1 Yordanis Arencibia López2 Yankier Crespo González3 1. Máster, Ingeniero Informático. Profesor del Departamento de Redes, UNICA. 2. Máster, Ingeniero Informático. Profesor del Departamento de Redes, UNICA. 3. Máster, Ingeniero Informático. Profesor del Departamento de Redes, UNICA. RESUMEN Este artículo presenta un estudio del comportamiento del servicio DNS, su funcionamiento, herramientas y por último se propone un sistema informático que permite configurar y gestionar dicho servicio a través de una serie de prestaciones y facilidades que las aplicaciones actuales no posibilitan. Este sistema permitirá gestionar el servicio de resolución de nombres de dominio sobre BIND en su versión 9. ABSTRACT This paper presents a study of the behavior of DNS, its operating principle, tools and finally proposes a computer system to configure and manage this service through a number of benefits and facilities that do not allow current applications. This system will manage the service of domain name resolution on BIND version 9. PALABRAS CLAVE Bind, DNS, dominio, resolución, sistema. KEYWORDS Bind, DNS, domain, resolution, system. SIRDOM. SISTEMA PARA LA GESTIÓN DEL SERVICIO DE RESOLUCIÓN DE NOMBRES DE DOMINIOS DE NOMBRES DE RESOLUCIÓN DE SERVICIO DEL GESTIÓN LA PARA SISTEMA SIRDOM. 2 INTRODUCCIÓN Las diferentes instituciones y organizaciones, siendo los centros educacionales unos de los principales, han tenido que cambiar sus esquemas tradicionales para adaptarse a la actual era de la información.
    [Show full text]
  • Powerdns Offerings ­ Version Current As of November 2012 ● Remotely Pollable Statistics for Real Time Graphing ● High Performance ● SNMP Statistics Bridge (Read Only)
    Products, Features & Services PowerDNS PowerDNS, founded in the late 1990s, is a premier supplier of DNS software, services and support. Deployed throughout the world with some of the most demanding users of DNS, we pride ourselves on quality software and the very best support available. PowerDNS customers include leading telecommunications service providers, large scale integrators, content distribution networks, cable networks / multi service operators and Fortune 500 software companies. In various important markets, like Scandinavia, Germany and The Netherlands, PowerDNS is the number one supplier of nameserver software. PowerDNS is based in The Netherlands, Europe and is privately held. Products Authoritative Server The PowerDNS Authoritative Server is the only solution that enables authoritative DNS service from all major databases, including but not limited to MySQL, PostgreSQL, SQLite3, Oracle, Sybase, Microsoft SQL Server, LDAP and plain text files. DNS answers can also be fully scripted using a variety of (scripting) languages like for example Lua, Java, Perl, Python, Ruby, C and C++. Such scripting can be used for dynamic redirection, (spam)filtering or real time intervention. In addition, the PowerDNS Authoritative Server is the leading DNSSEC implementation, hosting the majority of all DNSSEC domains worldwide. The Authoritative Server hosts at least 30% of all domain names in Europe, and around 90% of all DNSSEC domains in Europe. Recursor The PowerDNS Recursor is a high­end, high­performance resolving name server which powers the DNS resolution of at least a hundred million subscribers. Utilizing multiple processors and supporting the same powerful scripting ability of the Authoritative Server, the Recursor delivers top performance while retaining the flexibility modern DNS deployments require.
    [Show full text]
  • Självständigt Arbete På Grundnivå
    Självständigt arbete på grundnivå Independent degree project - first cycle Datateknik Computer Engineering Master's thesis Hantering av nätverkscache i DNS Two ye Hans Lindqvist i MITTUNIVERSITETET Avdelningen för informationssystem och -teknologi (IST) Examinator: Ulf Jennehag, [email protected] Handledare: Johannes Lindén, [email protected] Författare: Hans Lindqvist, [email protected] Utbildningsprogram: Datateknik, 180 hp Huvudområde: Datateknik Termin, år: VT, 2019 ii Hantering av nätverkscache i DNS Hans Lindqvist 2019-06-13 Sammanfattning Domännamnsystemet, DNS, utgör en fundamental del av användbarheten för Internet, men dess cachefunktion utmanas av adressers ökande storlek, antal och automatisering. Parallellt råder begränsad minneskapacitet hos vissa enheter i Internets utkant mot Internet of Things. Studien har tittat närmare på nutida behov av namnuppslagning och har då betraktat hur DNS påverkats av IPv6- adressutbredning, mobila enheter, innehållsleveransnätverk och webbläsarfunktioner. Undersökningen har i två fritt tillgängliga serverprogramvaror för DNS-uppslag sökt efter den optimala hanteringen av cache hos begränsade enheter i, eller på gränsen till, Sakernas Internet. Med hjälp av tillgången till öppen källkod för programmen, Unbound och PowerDNS Recursor, har dess respektive strukturer tolkats för att uppskatta och jämföra minnesbehov. Därefter har en simulering gjorts i en laborativ miljö med fiktiva DNS-data av verklighetstrogen karaktär för att mäta den faktiska förbrukningen av minne på DNS-serverns process. Vid simuleringen undveks att individuellt anpassa programmens inställningar, att blanda in data för DNSSEC, samt att införa minnesbegränsningar i testmiljön. Undersökningen av källkod beräknade att Unbound var mer optimalt för posttyperna A+AAAA medan PowerDNS Recursor var effektivare för posttypen PTR. För båda posttyperna som helhet visade mätningarna i simuleringen att Unbound kunde lagra DNS-data tätare än PowerDNS Recursor.
    [Show full text]
  • Build Securely a DNS Sinkhole Step-By-Step Powered by Slackware Linux
    Guy Bruneau – [email protected] Twitter : @GuyBruneau Build Securely a DNS Sinkhole Step-by-Step Powered by Slackware Linux By Guy Bruneau, GSE Version 2.1 – 23 October 2016 1. DNS Sinkhole Overview............................................................................................. 2 1.1 Installation, Configuration and Partitioning the Drive ......................................... 2 1.1.1 DNS Sinkhole Server Installation ................................................................. 2 1.1.2 Install the Software ....................................................................................... 3 1.2 Sinkhole Configuration ........................................................................................ 4 1.2.1 Configure Bind as DNS Sinkhole ................................................................. 4 1.2.2 Testing the Bind Service ............................................................................... 6 1.3 PowerDNS DNS Sinkhole Setup ......................................................................... 6 1.3.1 PowerDNS Forwarding Configuration ......................................................... 7 1.3.2 Testing the PowerDNS Service .................................................................... 7 2. DNS Sinkhole Web Interface ...................................................................................... 8 2.1 Configure Local Sinkhole Address(es) ................................................................ 8 2.2 Populating Site Exclusion List ..........................................................................
    [Show full text]
  • XML Prague 2019
    XML Prague 2019 Conference Proceedings University of Economics, Prague Prague, Czech Republic February 7–9, 2019 XML Prague 2019 – Conference Proceedings Copyright © 2019 Jiří Kosek ISBN 978-80-906259-6-9 (pdf) ISBN 978-80-906259-7-6 (ePub) Table of Contents General Information ..................................................................................................... vii Sponsors .......................................................................................................................... ix Preface .............................................................................................................................. xi Task Abstraction for XPath Derived Languages – Debbie Lockett and Adam Retter ........................................................................................ 1 A novel approach to XSLT-based Schematron validation – David Maus .............. 57 Authoring DSLs in Spreadsheets Using XML Technologies – Alan Painter ......... 67 How to configure an editor – Martin Middel ........................................................... 103 Discover the Power of SQF – Octavian Nadolu and Nico Kutscherauer .................. 117 Tagdiff: a diffing tool for highlighting differences in text-oriented XML – Cyril Briquet .................................................................................................................. 143 Merge and Graft: Two Twins That Need To Grow Apart – Robin La Fontaine and Nigel Whitaker ........................................................................
    [Show full text]
  • Using Dns to Protect Clients from Malicious Domains
    Institute for Development and Research in Banking Technology A Project Report on USING DNS TO PROTECT CLIENTS FROM MALICIOUS DOMAINS Submitted by M.L.V.L Akhil Vishnu 3rd year B.Tech, Computer Science and Engineering Indian Institute of Technology (ISM) Dhanbad. Guide Dr. V. Radha Assistant professor IDRBT, Hyderabad. 1 | P a g e ACKNOWLEDGEMENT I would like to express my gratitude to the Institute for Development and Research in Banking Technology (IDRBT) under the guidance of Dr. V. Radha, Assistant Professor, IDRBT, Hyderabad. I would not hesitate to add that this short stint in IDRBT has added a different facet to my life as this is a unique organization being a combination of academics, research, technology, communication service, crucial application etc. and at the same time performing roles as an arm of regulation, spread of technology, and facilitator for implementing technology in banking and non-banking system. I am extremely grateful to Dr. V.Radha for her advice, innovative suggestions and supervision. I thank her for introducing me to different aspects of “CYBER SECURITY AND DOMAIN NAME SYSTEMS”. I am thankful for IDRBT for providing such an amazing platform to work on real application oriented research. I would like to give special thanks to Mrs. Varsha Srivastava, Administrative Executive, IDRBT, Hyderabad for providing resource and motivation in carrying out this project. Finally, I thank one and all who made this project successful either directly or indirectly. M.L.V.L Akhil Vishnu 3rd year B.Tech, Computer Science and Engineering, Indian Institute of Technology (ISM) Dhanbad. 2 | P a g e CERTIFICATE This is to certify that Mr.
    [Show full text]
  • Powerdns Manual
    PowerDNS manual PowerDNS BV [email protected] PowerDNS manual by Published v2.9.19 $Date: 2005-10-29 17:45:03 +0200 (Sat, 29 Oct 2005) $ It is a book about a Spanish guy called Manual. You should read it. -- Dilbert Table of Contents 1. The PowerDNS dynamic nameserver ..................................................................................................1 1.1. Function & design of PDNS .......................................................................................................1 1.2. About this document ...................................................................................................................1 1.3. Release notes...............................................................................................................................1 1.3.1. Version 2.9.19.................................................................................................................2 1.3.2. Version 2.9.18.................................................................................................................4 1.3.3. Version 2.9.17.................................................................................................................7 1.3.4. Version 2.9.16.................................................................................................................8 1.3.5. Version 2.9.15.................................................................................................................9 1.3.6. Version 2.9.14...............................................................................................................10
    [Show full text]
  • Creating a Patch and Vulnerability Management Program
    Archived NIST Technical Series Publication The attached publication has been archived (withdrawn), and is provided solely for historical purposes. It may have been superseded by another publication (indicated below). Archived Publication Series/Number: NIST Special Publication 800-40 Version 2.0 Title: Creating a Patch and Vulnerability Management Program Publication Date(s): November 2005 Withdrawal Date: July 2013 Withdrawal Note: SP 800-40 is superseded by the publication of SP 800-40 Revision 3 (July 2013). Superseding Publication(s) The attached publication has been superseded by the following publication(s): Series/Number: NIST Special Publication 800-40 Revision 3 Title: Guide to Enterprise Patch Management Technologies Author(s): Murugiah Souppaya, Karen Scarfone Publication Date(s): July 2013 URL/DOI: http://dx.doi.org/10.6028/NIST.SP.800-40r3 Additional Information (if applicable) Contact: Computer Security Division (Information Technology Lab) Latest revision of the SP 800-40 Revision 3 (as of June 19, 2015) attached publication: Related information: http://csrc.nist.gov/ Withdrawal SP 800-40 Version 2 provides basic guidance on establishing patch announcement (link): management programs, and guidance to organizations with legacy needs. Date updated: June Ϯϯ, 2015 Special Publication 800-40 Version 2.0 Creating a Patch and Vulnerability Management Program Recommendations of the National Institute of Standards and Technology (NIST) Peter Mell Tiffany Bergeron David Henning NIST Special Publication 800-40 Creating a Patch and Vulnerability Version 2.0 Management Program Recommendations of the National Institute of Standards and Technology Peter Mell Tiffany Bergeron David Henning C O M P U T E R S E C U R I T Y Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 November 2005 U.S.
    [Show full text]
  • Improving Robustness of DNS to Software Vulnerabilities
    " ! " # $ " fail-stop failures, where a system stops when it encounters The ability to forward packets on the Internet is highly in- an error, Byzantine errors include the more arbitrary class tertwined with the availability and robustness of the Do- of faults where a system can violate protocol. For exam- main Name System (DNS) infrastructure. Unfortunately, ple, software errors in DNS implementations lead to bogus the DNS suffers from a wide variety of problems arising queries [27] and vulnerabilities, which can be exploited by from implementation errors, including vulnerabilities, bogus attackers to gain access to and control DNS servers. These queries, and proneness to attack. In this work, we present a problems are particularly serious for DNS – while the root preliminary design and early prototype implementation of a of the DNS hierarchy is highly physically redundant to avoid system that leverages diversified replication to increase toler- hardware failures, it is not software redundant, and hence ance of DNS to implementation errors. Our design leverages multiple servers can be taken down with the same attack. software diversity by running multiple redundant copies of For example, while there are 13 geographically distributed software in parallel, and leverages data diversity by send- DNS root clusters, each comprised of hundreds of servers, ing redundant requests to multiple servers. Using traces of they only run two distinct DNS software implementations: DNS queries, we demonstrate our design can keep up with BIND and NSD (see [8] and references therein). While co- the loads of a large university’s DNS traffic, while improving ordinated attacks to DoS these servers are hard, the fact resilience of DNS.
    [Show full text]