2nd AEGIS Workshop


Phoenix Domain is a general and novel attack that allows adversaries to maintain the revoked malicious domain continuously resolvable at scale, which enables an old, mitigated attack, Ghost Domain. Phoenix Domain has two variations and affects all mainstream DNS software and public DNS resolvers overall because it does not violate any DNS specifications and best security practices. The attack is made possible through systematically “reverse engineer” the cache operations of 8 DNS implementations, and new attack surfaces are revealed in the domain name delegation processes. We select 41 well-known public DNS resolvers and prove that all surveyed DNS services are vulnerable to Phoenix Domain, including Google Public DNS and Cloudflare DNS. Extensive measurement studies are performed with 210k stable and distributed DNS recursive resolvers, and results show that even after one month from domain name revocation and cache expiration, more than 25% of recursive resolvers can still resolve it. The proposed attack provides an opportunity for adversaries to evade the security practices of malicious domain take-down. We have reported discovered vulnerabilities to all affected vendors and suggested 6 types of mitigation approaches to them. Until now, 7 DNS software providers and 15 resolver vendors, including BIND, Unbound, Google, and Cloudflare, have confirmed the vulnerabilities, and some of them are implementing and publishing mitigation patches according to our suggestions. In addition, 9 CVE numbers have been assigned. The study calls for standardization to address the issue of how to revoke domain names securely and maintain cache consistency.

8月 26, 2023 8:00 AM — 9:00 AM
Online workshop

在第二届AEGIS Workshop中(线上),我分享了最新的研究工作不死域名


李想,清华大学网络科学与网络空间研究院五年级博士研究生,导师为李琦副教授和段海新教授。研究方向为网络与协议安全,已发表论文12篇(含一作5篇:在网络安全四大顶会均有发表、通讯1篇),授权专利1项,在Black Hat多次演讲,获得180+CVE等漏洞编号。研究获得多个政府及大学CERT安全公告、60+媒体报道,并被纳入RFC标准文档。其也获得了多项奖项荣誉,如清华优秀奖学金、龙湖奖学金卓越奖等。