The Attack and Defense of Computers - PowerPoint PPT Presentation

Slides: 35
Provided by: yanl
Transcript and Presenter's Notes

1
  • The Attack and Defense of Computers
  • Dr. ? ? ?

2
  • Who is Managing
  • the Internet today?

3
Who is Managing the Internet today?
  • Core functions of the Internet are managed by a
    nonprofit organization named the Internet
    Corporation for Assigned Names and Numbers
    (ICANN, http://www.icann.org).
  • Created in Oct. 1998, ICANN is assuming
    responsibility for a set of technical functions
    previously performed under U.S. government
    contract by the Internet Assigned Numbers
    Authority (IANA, http://www.iana.org) and other
    groups.
  • P.S. In practice, IANA still handles much of the
    day-to-day operations, but these will eventually
    be transitioned to ICANN.

4
Some of ICANN's Major Functions
  • ICANN coordinates the assignment of the following
    identifiers that must be globally unique for the
    Internet to function:
  • Internet domain names.
  • IP address numbers.
  • Protocol parameters and port numbers.
  • ICANN also coordinates the stable operation of
    the Internet's root DNS server system.

5
Three Special ICANN Suborganizations
  • Address Supporting Organization (ASO,
    http://www.aso.icann.org).
  • Generic Names Supporting Organization (GNSO,
    http://www.gnso.icann.org).
  • Country Code Domain Name Supporting Organization
    (CCNSO, http://www.ccnso.icann.org).

6
ASO
  • Reviews and develops recommendations on IP
    address policy and advises the ICANN Board on
    these matters.
  • Allocates IP address blocks to various Regional
    Internet Registries (RIRs).
  • An RIR's responsibility is to manage, distribute,
    and register public Internet number resources
    within its region.
  • RIRs allocate IPs to organizations, Internet
    service providers (ISPs), or, in some cases,
    National Internet Registries (NIRs) or Local
    Internet Registries (LIRs).
  • Taiwan's case:
  • Taiwan's ISPs get their IPs from TWNIC.
  • NIR of Taiwan: TWNIC, http://www.twnic.net.tw/ip/ip_01.htm
  • List of Taiwan's LIRs/ISPs: http://www.twnic.net.tw/english/ip/ip_03.htm

7
RIR
  • Currently there are five Regional Registries,
    four active and one in observer status.
  • APNIC (http://www.apnic.net): Asia-Pacific
    region.
  • ARIN (http://www.arin.net): North and South
    America, sub-Sahara Africa regions.
  • LACNIC (http://www.lacnic.net): Latin America
    and portions of the Caribbean.
  • RIPE (http://www.ripe.net): Europe, parts of
    Asia, Africa north of the equator, and the Middle
    East regions.
  • AfriNIC (http://www.afrinic.net, currently in
    observer status).

8
RIR Summary
  • ASO allocates IP address blocks to the five RIRs.
  • The five RIRs allocate IPs to organizations,
    ISPs, NIRs, or LIRs.

9
Registry-Registrar-Registrant Model
-- Eduardo Sztokbant

10
Registry-Registrar-Registrant Model
  • Three entities are involved in Internet domain name
    registration within this model:
  • Registrant: the final client, the one who wishes to
    register the domain name.
  • Registry: the operators that maintain the list of
    available domain names within their extension.
  • Registrar: the interface between registry and
    registrant; may provide extra services to the
    latter.

11
Relationship among the three Rs
  • While there can be several registrars that
    provide domain registration and related services
    for the same TLD, there is necessarily only
    ONE authoritative repository responsible for that
    TLD.

12
GNSO
  • Reviews and develops recommendations on
    domain-name policy for all generic top-level
    domains (gTLDs) and advises the ICANN Board on
    these matters.
  • However, GNSO is not responsible for domain-name
    registration, but rather is responsible for the
    generic top-level domains (for example, .com,
    .net, .edu, .org, and .info), which can be found
    at http://www.iana.org/gtld/gtld.htm .
  • root name servers: http://www.gnso.icann.org/gtld-registries/

13
GNSO Summary
[Diagram: GNSO at the top. Below it, the TLD registries: TLDR for .com (Verisign Global Registry Service), TLDR for .edu, TLDR for .org. Below them, the registrars: Registrar A (MarkMonitor Inc), ..., Registrar X. At the bottom, the registrants: e1 ... ep, a1 ... aq, x1 ...]

14
CCNSO
  • Reviews and develops recommendations on
    domain-name policy for all country-code top-level
    domains (ccTLDs) and advises the ICANN Board on
    these matters.
  • Again, ICANN does not handle domain-name
    registrations.
  • The definitive list of country-code top-level
    domains can be found at
    http://www.iana.org/cctld/cctld-whois.htm
  • The .tw domain name is managed by TWNIC:
    http://www.twnic.net.tw/dn/dn_01.htm
    http://rs.twnic.net.tw

15
CCNSO Summary
[Diagram: CCNSO at the top. Below it, the TLD registries: TLDR for .tw (TWNIC), TLDR for .uk, TLDR for .ca. Below them, the registrars: Registrar X (.com.tw, .org.tw, .div.tw, .net.tw; ????), Registrar A (.edu.tw; MOE), Registrar Y (com.tw, .org.tw, .div.tw, .net.tw; ????), ... At the bottom, the registrants: school s1 ... School sp, Registrant x1 ... xq, Registrant y1 ...]

16
Some Other Useful Links
  • IPv4 allocation: http://www.iana.org/assignments/ipv4-address-space
  • IP address services: http://www.iana.org/ipaddress/ip-addresses.htm
  • Special-use IP addresses: http://www.rfc-editor.org/rfc/rfc3330.txt
  • Registered port numbers: http://www.iana.org/assignments/port-numbers
  • Registered protocols: http://www.iana.org/assignments/protocol-numbers

17
  • WHOIS Servers

18
WHOIS Servers and Protocol
  • Essentially, WHOIS is a database of contact
    information about domain name registrants. It is
    accessed through the websites of registrars or
    registries, as well as through technical means by
    the registrars and registries themselves.

19
Methods to Store WHOIS Information
  • There are two ways that WHOIS information may be
    stored: Thick or Thin.

20
Thick Model
  • Thick model: one WHOIS server stores the WHOIS
    information from all the registrars for the
    particular set of data (so that one WHOIS server
    can respond with WHOIS information on all .org
    domains, for example).

21
Thin Model
  • Thin model: one WHOIS server stores the name of
    the WHOIS server of a registrar that has the full
    details on the data being looked up (such as the
    .com WHOIS servers, which refer the WHOIS query
    to the registrar that the domain was registered
    from).

22
Availability of WHOIS Servers
  • The WHOIS query syntax, type of permitted
    queries, available data, and the formatting of
    the results can vary widely from server to
    server.
  • Many of the registrars are actively restricting
    queries to combat spammers, attackers, and
    resource overload.
  • Information for .mil and .gov has been pulled
    from public view entirely due to national
    security concerns.
  • Information for .edu.tw is not available in the .tw
    domain registry TWNIC (http://rs.twnic.net.tw/).

23
Problems with WHOIS Servers
  • Privacy: registrants' contact details.
  • Spam.
  • Internationalization.
  • Lack of WHOIS server lists.

24
Domain-Related vs. IP-Related
  • Domain-related items (such as osborne.com) are
    registered separately from IP-related items (such
    as IP net-blocks).
  • Therefore, we will have two different paths in
    our methodology for finding these details.

25
  • Domain - Related Search

26
Domain-Related Search
  • The authoritative Registry for a given TLD, e.g.
    com, contains information about which registrar
    the target entity registered its domain with.
  • By querying the appropriate Registrar, the
    Registrant details for the particular domain name
    can be found.
  • The above steps are referred to as the Three Rs
    of WHOIS: Registry, Registrar, Registrant.

27
Example for tsmc.com
  • IANA Whois service (keyword: com)
  • Result: Registry: VeriSign Global Registry
    Services
  • VeriSign Global Registry Services Whois Service
    (keyword: tsmc.com)
  • Result: Registrar: NETWORK SOLUTIONS, LLC.
  • NETWORK SOLUTIONS, LLC. Whois Service
    (keyword: tsmc.com)
  • Result: Registrant: TSMC

28
Example for uni-president.com.tw
  • IANA Whois service (keyword: tw)
  • Result: Registry: Taiwan Network Information
    Center (TWNIC)
  • Registrar Taiwan Network Information Center
    (TWNIC) Whois Service
    (keyword: uni-president.com.tw)
  • Result: Registrant: ??????????
  • P.S. TWNIC is also the Registrar of com.tw.

29
One-Stop-Shopping for WHOIS Information
  • http://www.allwhois.com
  • http://www.uwhois.com
  • http://www.internic.net/whois.html

30
TARNET-Related URLs
  • http://www.moe.gov.tw/
  • http://domain.edu.tw/index.html

31
  • IP-Related Search

32
IP-Related Search (1)
  • The WHOIS server at ICANN (IANA) does not
    currently act as an authoritative registry for
    all the RIRs as it does for the TLDs, but each
    RIR does know which IP ranges it manages. This
    allows us to simply pick any one of them to start
    our search. If we pick the wrong one, it will
    tell us which one we need to go to.

33
IP-Related Search (2)
  • You are interested in the IP address
    140.115.50.80.
  • Try the WHOIS search at RIR ARIN's web site.
  • The result shows that the IP address is managed
    by RIR APNIC.
  • Then go to RIR APNIC's web site to search the
    same IP address.
  • Here you are.
  • The above process can be followed to trace back
    any IP address in the world to its owner, or at
    least to a point of contact that may be willing
    to provide the remaining details.
  • Laundered IP addresses: an attacker can also
    disguise her/his true IPs.
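
The referral-following process behind both the domain-related search (registry to registrar, as in the thin model) and the IP-related search (one RIR pointing to another) can be sketched as below. This is an added example, not part of the original slides; the referral field names, the server whois.registrar.example and all sample replies are assumptions constructed for illustration, and the same keyword is sent at every hop.

```python
import re
import socket

# RFC 3912 defines no reply format; these referral markers are assumptions.
REFERRAL_PATTERNS = [re.compile(p, re.I | re.M) for p in (
    r"^[ \t]*refer:[ \t]*(\S+)",                          # IANA style
    r"^[ \t]*Registrar WHOIS Server:[ \t]*(\S+)",         # thin registry style
    r"^[ \t]*ReferralServer:[ \t]*r?whois://([^\s:/]+)",  # ARIN style
)]

def query_whois(server, keyword, timeout=10):
    """One live WHOIS query: keyword + CRLF over TCP port 43, read until close."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(keyword.encode("ascii") + b"\r\n")
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def next_server(reply):
    """Return the WHOIS server a reply refers to, or None for a final answer."""
    for pattern in REFERRAL_PATTERNS:
        match = pattern.search(reply)
        if match:
            return match.group(1).lower()
    return None

def follow(keyword, start, query=query_whois, max_hops=5):
    """Follow referrals from `start`; stop on a final answer, a loop or max_hops."""
    chain, seen, server = [], set(), start
    while server and server not in seen and len(chain) < max_hops:
        seen.add(server)
        reply = query(server, keyword)
        chain.append((server, reply))
        server = next_server(reply)
    return chain

# Constructed sample replies (not real WHOIS output), so the example runs offline.
SAMPLES = {
    "whois.iana.org": "domain: COM\nrefer: whois.verisign-grs.com\n",
    "whois.verisign-grs.com": "Registrar WHOIS Server: whois.registrar.example\n",
    "whois.registrar.example": "Registrar WHOIS Server: whois.registrar.example\n"
                               "Registrant Organization: Example Corp\n",
    "whois.arin.net": "ReferralServer: whois://whois.apnic.net\n",
    "whois.apnic.net": "netname: EXAMPLE-NET\ndescr: constructed final record\n",
}

def offline_query(server, keyword):
    return SAMPLES[server]
```

Calling `follow("example.com", "whois.iana.org", query=offline_query)` walks the three Rs over the sample data; dropping the `query` argument performs live lookups instead.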

34
IP-Related Search (3)
  • We can also find out the IP ranges and BGP autonomous
    system numbers that an organization owns by
    searching the RIR WHOIS servers for the
    organization's literal name.
  • E.g. go to http://whois.apnic.net and type ncu.
  • TWNIC doesn't provide detailed information,
    therefore no detailed information is shown.
  • E.g. go to http://www.arin.net and type Google.
  • Useful information:
  • Administrative contact
  • Administrators' names could be used to trick
    gullible users into changing their passwords.
  • Phone and fax number
  • DNS names could be used in DNS interrogation.