sfmap ieice 20140320 - Network Security Laboratory...DNS( s o i 9 K k W R V Ï N Q & s m k = dDNS(...
Inferring Services over Encrypted Web Flows
ğSoJč�V�ĶÜ:P�((EB:7:71)(2014_3�20�(
(�ĶĐ?((�Ì·PV)ƣ�Ķ ((JST(ERATO)(
ã�(1)(web( ¾ŗ���ŭƟſƠƈƂƅƅƙƍŬƂųŗM0((ıWIDE(Mawi(Project(http://mawi.wide.ad.jp,(samplepoint(B,(F(ŗŴƙƍũe¶�
2002/12/1�
2012/12/1�
ŭƟſƠƈƂƅ�ŗOŁŗŸƠƌżľ(Web(hMp)(ŖÉì�
P2Pľ ¾�
Webľ ¾�
ã�(2)(web(č�ŗ�90�ïĤâcŜ14�%ŗAndroid(ŗč�ũ6�ę÷«ņŋÚ�ũĜ÷(
IN( OUT(
https
http
SSL/TLS(ŖţŎő�90ńŧőĹŦHTTPč�(HTTPS)ŗ,:ľĥĹ(IJŽƠźƕƛƈƂƅƞƠųŢŰƟƙŭƟżƅƜƠŻÑŗ(ƊƠŽƇƛŕoJũċ7�ŇŦūƏƚŵƠźƘƟŗL.�
ŭƟſƠƈƂƅƅƙƍŬƂų÷«(ŗÀ½œþģ�
• À½ƥĦƅƙƍŬƂų"ûŗx~(– )j[Ăx~ƥ^Hŗ�©�Ŗ�ũƍŬƛſƠ[ĂœŇŧřţĹĽ(
• 2Ŗ(HTTP(ŒŘÔDľaŇŀŦ(
– Ġòŗx~ƥŔŗţĺŕūƏƚŵƠźƘƟŖ[ŇŦò¥ľĥĹŗĽƧ(Ķ→ūƠŲƃųƁƕŗ�øơŲƕƂźƖŗúßŢWAN(�đ0ÑƢ(ıĹňŧšŅŎŁťœņŋÛ÷ľĸŧř1%(
• þģƥĦ�UūƏƝƠƁŗě¸ũ��(– ƒƠƅ¹9ŒŘoJĔľ\ŕŇŀŦ(– ŸƠƉŗIPūƆƜżŒŘ�1%ơ�żƙŭƆƢ(– DPI(ŗě¸:(SSL/TLS((¶�Ŗ(HTTP(ƐƂƀľ5¯ŒĿŕĹ(
ŸƠƉŗIPūƆƜżŒŘ�1%ŕ��• ČeĿũúXņőĹŕĹŵƠżľUF(• ñ�ŗ(FQDN(ľŚœŏŗIPūƆƜżŒ�ŨŧőĹŦŵƠż(((ƑżƃŬƟŴŢCDN(Ñ)(
�ÅÎŗŷƠƛ�
• ŭƟſƠƈƂƅƅƙƍŬƂųũµsņőĹŦWebūƏƚŵƠźƘƟơƦŸƠƌżƢũx~ŇŦ(– °Ŗ�90(Web(č�ũ[ĂœŇŦ(– 100%(ŗÕbũÀ{ŇšŗŒŘŕĹ(• 3´½ŖCĞĶIJĶŅŎŁťœņŋÛ÷ŗx~(
DNS(ųůƚũ¶ĹŋūƏƝƠƁ�č�ŗĘRŖ�ÏŎőĦųƙŭūƟƅĽŤDNS(ŗ<+ö¦ľ»µŇŦŗŒƣŊŗoJũ¶ĹŧřƑżƅ<(FQDN)ŘŨĽŦ(
ųƙŭūƟƅ(C1�
DNSŸƠƉ�
HTTPSŸƠƉ(S1�
61.213.146.4 (akamai) NTT:COM
10.1.2.3
61.213.146.4:443 → 10.1.2.3:31587 = www.apple.com (APPLE)
www.apple.com? → 61.213.146.4 from 10.1.2.3
�UÅÎ: DN-Hunter
• Bermudez et al., “DNS to the Rescue: Discerning Content and Services in a Tangled Web”, ACM IMC 2012
ıEġŘ�ùÿ�ţťe¶�
�UÅÎœ}�u§ŗ£Ć�
%�÷«[m� Û÷½|X�
DN(Hunter� ij� ĵĶ(óŋšŗľŇŜő)�}�u§� Ĵ� ĴĶ(óőŕĹšŗš|X)�
ƋƂƅņŕĽŎŋK:ŖļĹőšď4ŗõ«ũšœŖ(Û÷½Ŗ|XŇŦ¬ľ�ôŕūŭƄŬū�
}�u§ŗ ���
(1)(DNS(ųůƚoJũVà�
(2)(FQDNũ|X�
(3)(éķŕƋƖƠƚżƃŬƂų(FQDN(!((ŸƠƌż<|X(�)(mail.google.com(!(Google(mail�
FQDN�
}��dŗ�ò((1):(VàĦ�
• ŸƠƉIPūƆƜż:(s(• ųƙŭūƟƅIPūƆƜż:(c(• �*:(t((È2�œŇŦ)(• DNS(A(ƜŶƠƆ(query(ŖļłŦ(FQDN:(N(œņŋœĿ((ĶĶ{s,c,t}(!(N(ĶĶ{s,c}(!(N(ĶĶ{s}(!(N(ŗŇŜőũĎpē&Ŗ¼ĕ(ıQuery(response(Œñ�(A(ƜŶƠƆũiŋŤ(ĶĶĶĶĶĶŇŜő¼ĕ�
ųƙŭūƟƅ(c�
DNSŸƠƉ�
HTTPSŸƠƉ(s�
�*(t’�
�*(t�
Query = N, Answer = s
}��dŗ�ò((2):(|X�• |Xŗ[ĂœŕŦ(HTTPS(ƍƝƠŗ({s,(c,(t’}(ũy$(
• ŭŴŹųƅƓƂƁ(– {s,(c,(t’}(Ŗ[ŇŦ(N(ũ$-(
• �ęňŤņ�×(– Exact(match(ľQ�ņŋK:ƣ{s,(c,(t’}(ŗ(t’(ũªŤņྍ�×((t’(=(t’,(t’:1,(t’:2,(…,(t’:m)(• DNS(ųůƚľ(HTTP(č�ĘRŖ�ÏŎő»µŇŦŵƠżľĸŦ(
• Û÷½|X((MAP)(– �ùĹňŧšQ�ņŋK:ƣ{s,c}(ĸŦĹŘ({s}(ŗŞũ�Ŏő]šŤņĹFQDN(ũÛ÷½Ŗ|Xơ�PhƲ|XƢ�
�PhƲ|X((MAP)�●{s,(c}(ŗųůƚŖ[ŇŦmÒ(N={n1,(n2,(…,}(ŗ"ƣ]šŤņĹFQDNũ�ùŗţĺŖ|X((((ĸŦĦFQDN(Ŗ[ņő((s,(c)(ŗÙŞ:Ũʼnľ($³ŇŦƲ(
ĸŦĦFQDN(ŗ$³Ģb(ŸƠƌżŗ�¤b�
ıĶ�PhƲŗ÷ÓŖŘĹŁŏĽŗƉƚůƠźƘƟľáĻŤŧŦ�
●{s,(c}(ŗųůƚŖ[ŇŦmÒľŕĹK:Řųůƚũ({s}(œņő;�Ŗ|X(((
}��dŗ�ò((3):(ŸƠƌż|X�
• FQDN(ũgsŇŦ�T&ŗ°kŖšœŐĿƣŸƠƌżũ|X(
• Public(suffix(ũy$(– www.ieice.org(ŗ(public(suffix(=(ieice.org((
• ¡ťŗ�T&Ŗ[ņő°k½ŕ�T&ŗ�ũ'X(– mail,(blog,(platform,(ad,(Ñ(
näý�YĤ�• Ö2,000ŗÐ�ľč�ũņőĹŦAÝũ÷«(• �90ńŧőĹŕĹ(HTTP(č�ũ(¶(– Request(header(ĽŤÂŗ(FQDN(ũy$8ä(– HTTP(ƚųůżƅ�:(30084(– �ę(=(Ö4000È(
• DNSųůƚ(– �ù(HTTP(č�ŗ�ę^ũ>ş46000È(– Ö10�ųůƚ(
• �AŗYĤý�ŒŘ|XÚ�ũ��ŗţĺŖK:%łũŇŦ(– |XFQDNœÂŗFQDN(ľW �ç((OK)(– Public(suffix(ľ�ç((SIM)(– Ŋŧ�N((NG)(
ƊƙƔſ(m(œ�×Õb�
[Figure: matching accuracy vs. parameter m. x axis: m = 0, 1, 10, 60, 300, 3600; y axis: fraction (0%–100%); series: sim(MAP), sim(time_shift), sim(exact), ok(MAP), ok(time_shift), ok(exact)]
m(ŖZŤňOK(Ř(90%ƣSIM(ľ(5%(ËbŗÕb(m(=(0((�ęňŤņ�×ŕņ)ŒšÕbŘèĹ((MAPŗ|XÚ�ľ�)(m(ũLŢŇœ�ęňŤņ�×ŗ|XÚ�ľ�œŕŦľÚ�Ř;��
ı(x(ąŘÝgŒŘŕĹŃœŖ¨q�
ƊƙƔſ(m(œ�×Ŷżƅ�
[Figure: total lookup time vs. parameter m. x axis: m = 0, 1, 10, 60, 300, 3600; y axis: total lookup time (sec), 0–25]
m(ŗL.œœšŖ�×ŶżƅľĥŝŦ(
ı(x(ąŘÝgŒŘŕĹŃœŖ¨q�
ůƙƠŗ3B�• õ«ƄƠſ�Ą(– õ«�ę"Ŗõ«ņŋweb(ŸƠƉŗ(IP(ūƆƜżũ>şDNSųůƚľ»µņŕĹK:Ř|XŗņţĺľŕĹ(
• ;�*Ŗ»µŇŦ({s,c,t}(ŗſƏƛ(– ³FŘ(t(ũÈ2�ŖŝŦŠőĹŦľƣšĺ\ņØĽĹ�ę%öäľlò(
ĶĶ�)(googleads.g.doubleclick.net(œ((ĶĶĶĶpagead2.googlesyndication.com(ľ;�ŗ({s,c,t}(ũzŏ(
– ŔōŤš(CNAME(=(pagead46.l.doubleclick.net(
ŝœŠœ�hŗþģ�
• ď4ŗ(DNS(ųůƚũ5¯ņő�90(Web(č�ŗŸƠƌżũ|XŇŦu§ũ}�(
• ÕbŘW �çľ(90%ƣpublic(suffix(�çľ5%Ëb(• MAP(ũ�ĺŃœŒ�×ŶżƅũÃÞ8ä(
• þģ((1)(Õb=�(– ė�ęƄƠſŗ6ťĉŞƣ�ę%öäƣƋƖƠƚżƃŬƂųŗĘ»(
• þģ((2)(żŵƠƙƌƚƃŬŗÆÏ(– åPŕč�ƝŴśŗ[m(– ď4ƄƠſŗêÍ(
ĀĈ�
• �ÅÎŗ�ĒŘJSPSÇÅăơ25880020ƣ�îĶ�Đ?Ƣŗ/sũ7łŋšŗŒŇƤ(
• �ÅÎŖĚņőāÿĹŋŌĹŋNTTƈƂƅƞƠųI¿wíÅÎtŗÄ��`ÅÎ@ƣ�ëÅÎ@ƣ�·ÅÎ@ŖrĀņŝŇƤ�
SSL/TLS(ŗ(¶�• SSL/TLS(Œ�90ńŧŋ(Web(č�ŖĚņőŘ!ĘĖü��ŖùćńŧŋĦCommonName((URL(ŗ(FQDN(œ�ç)(ŗ(¶ľ8äŒĸŦľƣFQDN(ŗx~ŖŘ�1%(
– DN:Hunter(ÿ�((ACM(IMC(2012)(Œŗ%�Ú�(• CN(=(FQDN(:(18%(• ƞŭƛƆűƠƆü��:(19%(• ŝŎŋŁºŕŦü��(?):(40%(• ü��ņ:(23%(
)j�9œƄƠſ�9ŗ%ĝ�
ER�
ER�
ER�
DNS(ƜžƛƉ(
Û:((}�u§)�
DNS(()j�9)�
CR(�
GW�
Flow÷«ƄƠſ((ƄƠſ�9)�
3´½Ŗųůƚũõ«ŒĿŕĹŵƠż�
• ƎƙŮŹŗ(DNS(ŲƕƂźƖ�äŢƗƠŹůƟƆŗƛƠſŖYðńŧŋ(DNS(ŲƕƂźƖŸƠƉŖţťƣõ«G¬Œ(DNS(ųůƚľõ«ŒĿŕĹ(
• ÊŖIP(ūƆƜżÁvōŗŵƠżľĸŦ(• Ð�ŗIPūƆƜż#,főŢĊ4�