sfmap ieice 20140320 - Network Security Laboratory
Inferring Services over Encrypted Web Flows
ğSoJč�V�ĶÜ:P�((EB:7:71)(2014_3�20�(
(�ĶĐ?((�Ì·PV)ƣ�Ķ ((JST(ERATO)(
ã�(1) web ¾ŗ���ŭƟſƠƈƂƅƅƙƍŬƂųŗM0((ıWIDE Mawi Project http://mawi.wide.ad.jp, samplepoint B, F ŗŴƙƍũe¶
2002/12/1�
2012/12/1�
ŭƟſƠƈƂƅ�ŗOŁŗŸƠƌżľ Web (http) ŖÉì
P2Pľ ¾�
Webľ ¾�
ã�(2)(web(č�ŗ�90�ïĤâcŜ14�%ŗAndroid(ŗč�ũ6�ę÷«ņŋÚ�ũĜ÷(
IN OUT
https
http
SSL/TLS(ŖţŎő�90ńŧőĹŦHTTPč�(HTTPS)ŗ,:ľĥĹ(IJŽƠźƕƛƈƂƅƞƠųŢŰƟƙŭƟżƅƜƠŻÑŗ(ƊƠŽƇƛŕoJũċ7�ŇŦūƏƚŵƠźƘƟŗL.�
ŭƟſƠƈƂƅƅƙƍŬƂų÷«(ŗÀ½œþģ�
• À½ƥĦƅƙƍŬƂų"ûŗx~(– )j[Ăx~ƥ^Hŗ�©�Ŗ�ũƍŬƛſƠ[ĂœŇŧřţĹĽ(
• 2Ŗ(HTTP(ŒŘÔDľaŇŀŦ(
– Ġòŗx~ƥŔŗţĺŕūƏƚŵƠźƘƟŖ[ŇŦò¥ľĥĹŗĽƧ(Ķ→ūƠŲƃųƁƕŗ�øơŲƕƂźƖŗúßŢWAN(�đ0ÑƢ(ıĹňŧšŅŎŁťœņŋÛ÷ľĸŧř1%(
• þģƥĦ�UūƏƝƠƁŗě¸ũ��(– ƒƠƅ¹9ŒŘoJĔľ\ŕŇŀŦ(– ŸƠƉŗIPūƆƜżŒŘ�1%ơ�żƙŭƆƢ(– DPI(ŗě¸:(SSL/TLS((¶�Ŗ(HTTP(ƐƂƀľ5¯ŒĿŕĹ(
ŸƠƉŗIPūƆƜżŒŘ�1%ŕ��• ČeĿũúXņőĹŕĹŵƠżľUF(• ñ�ŗ(FQDN(ľŚœŏŗIPūƆƜżŒ�ŨŧőĹŦŵƠż(((ƑżƃŬƟŴŢCDN(Ñ)(
�ÅÎŗŷƠƛ�
• ŭƟſƠƈƂƅƅƙƍŬƂųũµsņőĹŦWebūƏƚŵƠźƘƟơƦŸƠƌżƢũx~ŇŦ(– °Ŗ�90(Web(č�ũ[ĂœŇŦ(– 100%(ŗÕbũÀ{ŇšŗŒŘŕĹ(• 3´½ŖCĞĶIJĶŅŎŁťœņŋÛ÷ŗx~(
DNS(ųůƚũ¶ĹŋūƏƝƠƁ�č�ŗĘRŖ�ÏŎőĦųƙŭūƟƅĽŤDNS(ŗ<+ö¦ľ»µŇŦŗŒƣŊŗoJũ¶ĹŧřƑżƅ<(FQDN)ŘŨĽŦ(
Client C1
DNS server
HTTPS server S1
61.213.146.4 (akamai) NTT:COM
10.1.2.3
61.213.146.4:443 IJ 10.1.2.3:31587 = www.apple.com (APPLE)
www.apple.com? IJ 61.213.146.4 from 10.1.2.3
�UÅÎ: DN-Hunter
• Bermudez et al., “DNS to the Rescue: Discerning Content and Services in a Tangled Web”, ACM IMC 2012
ıEġŘ�ùÿ�ţťe¶� Į�
�UÅÎœ}�u§ŗ£Ć�
%�÷«[m� Û÷½|X�
DN-Hunter� ij� ĵĶ(óŋšŗľŇŜő)�}�u§� Ĵ� ĴĶ(óőŕĹšŗš|X)�
ƋƂƅņŕĽŎŋK:ŖļĹőšď4ŗõ«ũšœŖ(Û÷½Ŗ|XŇŦ¬ľ�ôŕūŭƄŬū�
}�u§ŗ ���
�
(1) DNS ųůƚoJũVà
(2) FQDNũ|X
(3) éķŕƋƖƠƚżƃŬƂų FQDN → ŸƠƌż<|X (�) mail.google.com → Google mail
FQDN�
}��dŗ�ò((1):(VàĦ�
• Server IP address: s
• Client IP address: c
• �*: t (È2�œŇŦ)
• DNS A ƜŶƠƆ query ŖļłŦ FQDN: N œņŋœĿ
  {s,c,t} → N
  {s,c} → N
  {s} → N
  ŗŇŜőũĎpē&Ŗ¼ĕ
ıQuery response Œñ� A ƜŶƠƆũiŋŤŇŜő¼ĕ
Client c
DNS server
HTTPS server s
�* t’
�* t
Query = N Answer = s
}��dŗ�ò((2):(|X�• |Xŗ[ĂœŕŦ(HTTPS(ƍƝƠŗ({s,(c,(t’}(ũy$(
• ŭŴŹųƅƓƂƁ(– {s,(c,(t’}(Ŗ[ŇŦ(N(ũ$-(
• �ęňŤņ�×(– Exact(match(ľQ�ņŋK:ƣ{s,(c,(t’}(ŗ(t’(ũªŤņྍ�×((t’(=(t’,(t’:1,(t’:2,(…,(t’:m)(• DNS(ųůƚľ(HTTP(č�ĘRŖ�ÏŎő»µŇŦŵƠżľĸŦ(
• Û÷½|X((MAP)(– �ùĹňŧšQ�ņŋK:ƣ{s,c}(ĸŦĹŘ({s}(ŗŞũ�Ŏő]šŤņĹFQDN(ũÛ÷½Ŗ|Xơ�PhƲ|XƢ�
�PhƲ|X((MAP)�●{s,(c}(ŗųůƚŖ[ŇŦmÒ(N={n1,(n2,(…,}(ŗ"ƣ]šŤņĹFQDNũ�ùŗţĺŖ|X((((ĸŦĦFQDN(Ŗ[ņő((s,(c)(ŗÙŞ:Ũʼnľ($³ŇŦƲ(
ĸŦĦFQDN(ŗ$³Ģb(ŸƠƌżŗ�¤b�
Ĩĩ�ıĶ�PhƲŗ÷ÓŖŘĹŁŏĽŗƉƚůƠźƘƟľáĻŤŧŦ�
●{s,(c}(ŗųůƚŖ[ŇŦmÒľŕĹK:Řųůƚũ({s}(œņő;�Ŗ|X(((
}��dŗ�ò((3):(ŸƠƌż|X�
• FQDN(ũgsŇŦ�T&ŗ°kŖšœŐĿƣŸƠƌżũ|X(
• Public suffix ũy$
  – www.ieice.org ŗ public suffix = ieice.org
• ¡ťŗ�T&Ŗ[ņő°k½ŕ�T&ŗ�ũ'X
  – mail, blog, platform, ad, Ñ
näý�YĤ�• Ö2,000ŗÐ�ľč�ũņőĹŦAÝũ÷«(• �90ńŧőĹŕĹ(HTTP(č�ũ(¶(– Request(header(ĽŤÂŗ(FQDN(ũy$8ä(– HTTP(ƚųůżƅ�:(30084(– �ę(=(Ö4000È(
• DNSųůƚ(– �ù(HTTP(č�ŗ�ę^ũ>ş46000È(– Ö10�ųůƚ(
• �AŗYĤý�ŒŘ|XÚ�ũ��ŗţĺŖK:%łũŇŦ(– |XFQDNœÂŗFQDN(ľW �ç((OK)(– Public(suffix(ľ�ç((SIM)(– Ŋŧ�N((NG)( Ĩī�
ƊƙƔſ(m(œ�×Õb�
[Figure: fraction (0% to 100%) versus m (0, 1, 10, 60, 300, 3600); series: sim(MAP), sim(time_shift), sim(exact), ok(MAP), ok(time_shift), ok(exact)]
m(ŖZŤňOK(Ř(90%ƣSIM(ľ(5%(ËbŗÕb(m(=(0((�ęňŤņ�×ŕņ)ŒšÕbŘèĹ((MAPŗ|XÚ�ľ�)(m(ũLŢŇœ�ęňŤņ�×ŗ|XÚ�ľ�œŕŦľÚ�Ř;��
ı(x(ąŘÝgŒŘŕĹŃœŖ¨q�
ƊƙƔſ(m(œ�×Ŷżƅ�
[Figure: total lookup time (sec), 0 to 25, versus m (0, 1, 10, 60, 300, 3600)]
m(ŗL.œœšŖ�×ŶżƅľĥŝŦ(
ı(x(ąŘÝgŒŘŕĹŃœŖ¨q�
ůƙƠŗ3B�• õ«ƄƠſ�Ą(– õ«�ę"Ŗõ«ņŋweb(ŸƠƉŗ(IP(ūƆƜżũ>şDNSųůƚľ»µņŕĹK:Ř|XŗņţĺľŕĹ(
• ;�*Ŗ»µŇŦ({s,c,t}(ŗſƏƛ(– ³FŘ(t(ũÈ2�ŖŝŦŠőĹŦľƣšĺ\ņØĽĹ�ę%öäľlò(
  �) googleads.g.doubleclick.net œ pagead2.googlesyndication.com ľ;�ŗ {s,c,t} ũzŏ
– ŔōŤš CNAME = pagead46.l.doubleclick.net
ŝœŠœ�hŗþģ�
• ď4ŗ(DNS(ųůƚũ5¯ņő�90(Web(č�ŗŸƠƌżũ|XŇŦu§ũ}�(
• ÕbŘW �çľ(90%ƣpublic(suffix(�çľ5%Ëb(• MAP(ũ�ĺŃœŒ�×ŶżƅũÃÞ8ä(
• þģ((1)(Õb=�(– ė�ęƄƠſŗ6ťĉŞƣ�ę%öäƣƋƖƠƚżƃŬƂųŗĘ»(
• þģ((2)(żŵƠƙƌƚƃŬŗÆÏ(– åPŕč�ƝŴśŗ[m(– ď4ƄƠſŗêÍ(
ĀĈ�
• �ÅÎŗ�ĒŘJSPSÇÅăơ25880020ƣ�îĶ�Đ?Ƣŗ/sũ7łŋšŗŒŇƤ(
• �ÅÎŖĚņőāÿĹŋŌĹŋNTTƈƂƅƞƠųI¿wíÅÎtŗÄ��`ÅÎ@ƣ�ëÅÎ@ƣ�·ÅÎ@ŖrĀņŝŇƤ�
SSL/TLS(ŗ(¶�• SSL/TLS(Œ�90ńŧŋ(Web(č�ŖĚņőŘ!ĘĖü��ŖùćńŧŋĦCommonName((URL(ŗ(FQDN(œ�ç)(ŗ(¶ľ8äŒĸŦľƣFQDN(ŗx~ŖŘ�1%(
– DN-Hunter ÿ� (ACM IMC 2012) Œŗ%�Ú�
  • CN = FQDN: 18%
  • ƞŭƛƆűƠƆü��: 19%
  • ŝŎŋŁºŕŦü�� (?): 40%
  • ü��ņ: 23%
)j�9œƄƠſ�9ŗ%ĝ�
ER�
ER�
ER�
DNS resolver
Û:((}�u§)�
DNS(()j�9)�
CR(�
GW�
Flow÷«ƄƠſ((ƄƠſ�9)�
3´½Ŗųůƚũõ«ŒĿŕĹŵƠż�
• ƎƙŮŹŗ(DNS(ŲƕƂźƖ�äŢƗƠŹůƟƆŗƛƠſŖYðńŧŋ(DNS(ŲƕƂźƖŸƠƉŖţťƣõ«G¬Œ(DNS(ųůƚľõ«ŒĿŕĹ(
• ÊŖIP(ūƆƜżÁvōŗŵƠżľĸŦ(• Ð�ŗIPūƆƜż#,főŢĊ4�