
The Attack and Defense of Computers Dr. 許 富 皓. Who is Managing the Internet today?

Dec 22, 2015


The Attack and Defense of Computers

Dr. 許 富 皓


Who is Managing the Internet today?

Core functions of the Internet are managed by a nonprofit organization named the Internet Corporation for Assigned Names and Numbers (ICANN; http://www.icann.org ).

Created in Oct. 1998, ICANN is assuming responsibility for a set of technical functions previously performed under U.S. government contract by the Internet Assigned Numbers Authority (IANA; http://www.iana.org ) and other groups.

• P.S.: In practice, IANA still handles much of the day-to-day operations, but these will eventually be transitioned to ICANN.


Some of ICANN’s Major Functions

ICANN coordinates the assignment of the following identifiers that must be globally unique for the Internet to function:

• Internet domain names.
• IP address numbers.
• Protocol parameters and port numbers.

ICANN also coordinates the stable operation of the Internet’s root DNS server system.


Three Special ICANN Suborganizations

• Address Supporting Organization (ASO; http://www.aso.icann.org ).
• Generic Names Supporting Organization (GNSO; http://www.gnso.icann.org ).
• Country Code Domain Name Supporting Organization (CCNSO; http://www.ccnso.icann.org ).


ASO

• Reviews and develops recommendations on IP address policy and advises the ICANN Board on these matters.
• Allocates IP address blocks to various Regional Internet Registries (RIRs).

An RIR's responsibility is to manage, distribute, and register public Internet number resources within its region.

RIRs allocate IPs to organizations, Internet service providers (ISPs), or, in some cases, National Internet Registries (NIRs) or Local Internet Registries (LIRs).

Taiwan's Case:

• Taiwan's ISPs get their IPs from TWNIC.
• NIR of Taiwan: TWNIC http://www.twnic.net.tw/ip/ip_01.htm
• LIRs/ISPs List of Taiwan: http://www.twnic.net.tw/english/ip/ip_03.htm


RIR

Currently there are five Regional Registries, four active and one in observer status.

• APNIC ( http://www.apnic.net ): Asia-Pacific region.
• ARIN ( http://www.arin.net ): North and South America, sub-Sahara Africa regions.
• LACNIC ( http://www.lacnic.net ): Latin America and portions of the Caribbean.
• RIPE ( http://www.ripe.net ): Europe, parts of Asia, Africa north of the equator, and the Middle East regions.
• AfriNIC ( http://www.afrinic.net ): currently in "observer status".


RIR Summary

ASO – allocates IP address blocks to the five RIRs – which allocate IPs to organizations, ISPs, NIRs, or LIRs.


Registry-Registrar-Registrant Model

3 entities involved in Internet domain name registration within this model:

• Registrant: the final client, the one who wishes to register the domain name.
• Registry: the operators that maintain the list of available domain names within their extension.
• Registrar: the interface between registry and registrant; may provide extra services to the latter.


Relationship among the three Rs

While there can be several registrars that provide domain registration and related services for the same given TLD, there is necessarily only ONE authoritative repository responsible for this TLD.


GNSO

Reviews and develops recommendations on domain-name policy for all generic top-level domains (gTLDs) and advises the ICANN Board on these matters.

However, GNSO is not responsible for domain-name registration, but rather is responsible for the generic top-level domains (for example, .com, .net, .edu, .org, and .info), which can be found at http://www.iana.org/gtld/gtld.htm .

root name servers: http://www.gnso.icann.org/gtld-registries/


GNSO Summary

[Figure: hierarchy from GNSO, to the TLD registries (TLDR for .edu, TLDR for .org, TLDR for .com, ...; Verisign Global Registry Service), to the registrars (Registrar A, MarkMonitor Inc, Registrar X, ...), to the registrants (Registrant e1 ... ep, a1 ... aq, x1 ...).]


CCNSO

Reviews and develops recommendations on domain-name policy for all country-code top-level domains (ccTLDs) and advises the ICANN Board on these matters.

Again, ICANN does not handle domain-name registrations. The definitive list of country-code top-level domains can be found at http://www.iana.org/cctld/cctld-whois.htm

.tw domain name is managed by TWNIC: http://www.twnic.net.tw/dn/dn_01.htm http://rs.twnic.net.tw


CCNSO Summary

[Figure: hierarchy from CCNSO, to the TLD registries (TLDR for .uk, TLDR for .ca, TLDR for .tw, ...; TWNIC), to the registrars (Registrar A: .edu.tw, MOE; Registrar X: .com.tw, .org.tw, .div.tw, .net.tw, 中華電信; Registrar Y: com.tw, .org.tw, .div.tw, .net.tw, 台灣固網; ...), to the registrants (school s1 ... sp, Registrant x1 ... xq, y1 ...).]


Some Other Useful Links

• IP v4 allocation: http://www.iana.org/assignments/ipv4-address-space
• IP address services: http://www.iana.org/ipaddress/ip-addresses.htm
• Special-use IP addresses: http://www.rfc-editor.org/rfc/rfc3330.txt
• Registered port numbers: http://www.iana.org/assignments/port-numbers
• Registered protocol: http://www.iana.org/assignments/protocol-numbers


WHOIS Servers


WHOIS Servers and Protocol

Essentially, WHOIS is a database of contact information about domain name registrants. It is accessed through the websites of registrars or registries, as well as through technical means by the registrars and registries themselves.


Methods to Store WHOIS Information

There are two ways that WHOIS information may be stored: Thick or Thin.


Thick Model

Thick model: one WHOIS server stores the WHOIS information from all the registrars for the particular set of data (so that one WHOIS server can respond with WHOIS information on all .org domains, for example).


Thin Model

Thin model: one WHOIS server stores the name of the WHOIS server of a registrar that has the full details on the data being looked up (such as the .com WHOIS servers, which refer the WHOIS query to the registrar that the domain was registered from).


Availability of WHOIS Servers

• The WHOIS query syntax, type of permitted queries, available data, and the formatting of the results can vary widely from server to server.
• Many of the registrars are actively restricting queries to combat spammers, attackers, and resource overload.
• Information for .mil and .gov has been pulled from public view entirely due to national security concerns.
• Information for .edu.tw is not available in the .tw domain registry, TWNIC ( http://rs.twnic.net.tw/ ).


Problems with WHOIS Servers

Privacy: Registrant’s contact details.

Spam.

Internationalization.

Lack of WHOIS server lists.


Domain-Related vs. IP-Related

• Domain-related items (such as osborne.com) are registered separately from IP-related items (such as IP net-blocks).
• Therefore, we will have two different paths in our methodology for finding these details.


Domain-Related Search

• The authoritative Registry for a given TLD, e.g. com, contains information about which registrar the target entity registered its domain with.
• By querying the appropriate Registrar, the Registrant details for the particular domain name can be found.
• The above steps are referred to as the "Three Rs" of WHOIS: Registry, Registrar, Registrant.


Example for tsmc.com

• IANA Whois service (keyword: com). Result: Registry VeriSign Global Registry Services
• VeriSign Global Registry Services Whois Service (keyword: tsmc.com). Result: Registrar NETWORK SOLUTIONS, LLC.
• NETWORK SOLUTIONS, LLC. Whois Service (keyword: tsmc.com). Result: Registrant TSMC


Example for uni-president.com.tw

• IANA Whois service (keyword: tw). Result: Registry Taiwan Network Information Center (TWNIC)
• Registrar Taiwan Network Information Center (TWNIC) Whois Service (keyword: uni-president.com.tw). Result: Registrant 統一企業股份有限公司

P.S.: TWNIC is also the Registrar of com.tw


One-Stop-Shopping for WHOIS Information

• http://www.allwhois.com
• http://www.uwhois.com
• http://www.internic.net/whois.html


TARNET-Related URLs

http://www.moe.gov.tw/

http://domain.edu.tw/index.html


IP-Related Search


IP-Related Search (1)

The WHOIS server at ICANN (IANA) does not currently act as an authoritative registry for all the RIRs as it does for the TLDs, but each RIR does know which IP ranges it manages. This allows us to simply pick any one of them to start our search. If we pick the wrong one, it will tell us which one we need to go to.


IP-Related Search (2)

You are interested in the IP address 140.115.50.80.

• Try the WHOIS search at RIR ARIN's web site.
• The result shows that the IP address is managed by RIR APNIC.
• Then go to RIR APNIC's web site to search the same IP address.
• Here you are.

The above process can be followed to trace back any IP address in the world to its owner, or at least to a point of contact that may be willing to provide the remaining details.

Laundered IP addresses: an attacker can also masquerade her/his true IPs.
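The referral-following lookup described in the Domain-Related Search and IP-Related Search slides, as an added Python example that is not part of the original slides. The replies in SAMPLE are constructed, example.com, 192.0.2.80 and whois.registrar.example are placeholders, and the three referral field names are an assumption about what IANA, thin registries and ARIN return; other servers may use different fields.

```python
import re
import socket

# Referral fields: IANA uses "refer:", thin registries such as .com use
# "Registrar WHOIS Server:", ARIN uses "ReferralServer: whois://host".
REFERRAL = re.compile(
    r"^[ \t]*(?:refer|Registrar WHOIS Server|ReferralServer):[ \t]*"
    r"(?:whois://)?([A-Za-z0-9.-]+)(?::43)?/?[ \t\r]*$",
    re.IGNORECASE | re.MULTILINE)

def whois_query(server, query, timeout=10):
    """RFC 3912: send the query plus CRLF to TCP port 43, read until EOF."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def next_server(reply):
    """Host the reply refers us to, or None when this is the last hop."""
    m = REFERRAL.search(reply)
    return m.group(1).lower() if m else None

def trace(query, start="whois.iana.org", ask=whois_query, max_hops=5):
    """Follow referrals from `start`; return [(server, reply), ...]."""
    hops, server, seen = [], start, set()
    # `seen` stops loops: registrars often echo their own server name.
    while server and server not in seen and len(hops) < max_hops:
        seen.add(server)
        reply = ask(server, query)
        hops.append((server, reply))
        server = next_server(reply)
    return hops

# Constructed replies (not real server output) so the example runs offline.
SAMPLE = {
    ("whois.iana.org", "example.com"): "domain: COM\r\nrefer: whois.verisign-grs.com\r\n",
    ("whois.verisign-grs.com", "example.com"): "Domain Name: EXAMPLE.COM\r\n"
        "Registrar WHOIS Server: whois.registrar.example\r\n",
    ("whois.registrar.example", "example.com"): "Registrant Organization: Example Corp\r\n"
        "Registrar WHOIS Server: whois.registrar.example\r\n",
    ("whois.arin.net", "192.0.2.80"): "NetRange: 192.0.2.0 - 192.0.2.255\r\n"
        "ReferralServer: whois://whois.apnic.net\r\n",
    ("whois.apnic.net", "192.0.2.80"): "inetnum: 192.0.2.0 - 192.0.2.255\r\n",
}

def chain(query, start):
    """Servers visited for `query`, answered from SAMPLE instead of the network."""
    return [s for s, _ in trace(query, start, ask=lambda srv, q: SAMPLE[(srv, q)])]
```

Calling `trace(query, start)` without the `ask` argument performs the same walk against live servers; rwhois referrals are deliberately not followed because rwhois is a different protocol.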


IP-Related Search (3)

We can also find out IP ranges and BGP autonomous system numbers that an organization "owns" by searching the RIR WHOIS servers for the organization's literal name.

E.g. go to http://whois.apnic.net and type ncu.
• TWNIC doesn't provide detailed information; therefore no detailed information is shown.

E.g. go to http://www.arin.net and type Google.
• Useful information:
  – Administrative contact
  – Administrators' names: could be used to trick gullible users into changing their passwords.
  – Phone and fax number
  – DNS names: could be used in DNS interrogation.