14,927
edits
Changes
Jump to navigation
Jump to search
Line 39:
Line 39: − + Line 56:
Line 56: − + +
→Vectors
==Vectors==
==Vectors==
The DSFI-TSG identified seven categories of attack vectors.<ref>[https://community.icann.org/display/DSFI/DSFI+TSG+Final+Report?preview=/176623416/176623417/DSFI-TSG-Final-Report.pdf DSFI-TSG Final Report, ICANN Community]</ref>
The [[DSFI-TSG]] identified seven categories of attack vectors.<ref>[https://community.icann.org/display/DSFI/DSFI+TSG+Final+Report?preview=/176623416/176623417/DSFI-TSG-Final-Report.pdf DSFI-TSG Final Report, ICANN Community]</ref>
===Identity and Access Management===
===Identity and Access Management===
* Attacks on and through credential systems result in the modification of registration data, which can lead to [[Domain Hijacking]], traffic interception, and [[social engineering attacks]].
* Attacks on and through credential systems result in the modification of registration data, which can lead to [[Domain Hijacking]], traffic interception, and [[social engineering attacks]].
* Using look-alike domains relies on similarities in domain names, such as [[gTLD|Domain suffix]] appending, [[Typosquatting]], or [[IDN|internationalized domain name]] homographs, or [[bitsquatting]] to lead users into interacting with a bogus website, generally to carry out a phishing attack.
* Using look-alike domains relies on similarities in domain names, such as [[gTLD|Domain suffix]] appending, [[Typosquatting]], or [[IDN|internationalized domain name]] homographs, or [[bitsquatting]] to lead users into interacting with a bogus website, generally to carry out a phishing attack.
* Transport Layer Security (TLS) certificates can be issued to a requestor who is not the legitimate operator of the service secured by the certificate when there are inadequate access controls of DNS entries or the BGP route has been manipulated with path injection or prefix, route, or IP hijacking.
* Transport Layer Security (TLS) certificates can be issued to a requestor who is not the legitimate operator of the service secured by the certificate when there are inadequate access controls of DNS entries or the BGP route has been manipulated with path injection or prefix, route, or IP hijacking.
===Code and Protocol Vulnerabilities===
===Code and Protocol Vulnerabilities===
* Modifying the protocol, for instance through a software update, can cause interoperability issues and requires coordination among many implementers and operators, leaving an opening for an attacker to access critical or trusted components within the DNS infrastructure chain.
* In the case of [[DNS Cache Poisoning]], a perpetrator can insert incorrect data into a recursive nameserver cache for end users to receive and use.
===Infrastructure Choices===
===Infrastructure Choices===
===DNS===
===DNS===