Research article, DOI: 10.1145/3065913.3065922

Internet Kill Switches Demystified

Published: 23 April 2017

Abstract

Internet kill switches are possible in today's Internet, but to date have been locally-scoped and self-inflicted. As more networks move towards centralized key architectures such as DNSSEC and BGPsec, adversarial kill switches become more powerful. We analyze the feasibility of and mechanisms for executing kill switches on remote DNSSEC- or BGPsec-enabled networks, finding that kill switches must be considered in the design of next generation Internet protocols. We also describe recovery procedures and properties intended to evaluate kill switch events, finding that recovering from a compromised key may take up to 48 hours.


      Published In

      EuroSec'17: Proceedings of the 10th European Workshop on Systems Security
      April 2017
      65 pages
      ISBN:9781450349352
      DOI:10.1145/3065913
      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. BGPsec
      2. Centralized key architectures
      3. DNSSEC
      4. Kill switches

      Qualifiers

      • Research-article
      • Research
      • Refereed limited

      Funding Sources

      • European Research Council
      • Institute for Information & Communications Technology Promotion (IITP) grant funded by the Korea government (MSIP)

      Conference

      EuroSys '17
      EuroSys '17: Twelfth EuroSys Conference 2017
      April 23 - 26, 2017
      Belgrade, Serbia

      Acceptance Rates

      EuroSec'17 Paper Acceptance Rate 10 of 24 submissions, 42%;
      Overall Acceptance Rate 47 of 113 submissions, 42%

      Cited By

      • (2023) IsaNet: A framework for verifying secure data plane protocols. Journal of Computer Security 31:3 (217-259). DOI: 10.3233/JCS-220021. Online publication date: 29-May-2023
      • (2023) Key Management. Trends in Data Protection and Encryption Technologies (15-20). DOI: 10.1007/978-3-031-33386-6_4. Online publication date: 27-Apr-2023
      • (2021) DIIA. Security and Communication Networks 2021. DOI: 10.1155/2021/1974493. Online publication date: 1-Jan-2021
      • (2021) Formal Verification of Secure Forwarding Protocols. 2021 IEEE 34th Computer Security Foundations Symposium (CSF) (1-16). DOI: 10.1109/CSF51468.2021.00018. Online publication date: Jun-2021
