Your search keyword '"DNS spoofing"' showing total 14 results

1. Smart collaborative distribution for privacy enhancement in moving target defense

Author

Ilsun You, Tian-Ming Zhao, Yu Wang, Hongke Zhang, Fei Song, and Yutong Zhou

Subjects

Scheme (programming language), Information Systems and Management, Computer science, Domain Name System, 05 social sciences, Survivability, Vulnerability, 050301 education, 02 engineering and technology, Computer security, computer.software_genre, Port (computer networking), Computer Science Applications, Theoretical Computer Science, Artificial Intelligence, Control and Systems Engineering, 0202 electrical engineering, electronic engineering, information engineering, Dependability, 020201 artificial intelligence & image processing, DNS spoofing, 0503 education, computer, Software, Vulnerability (computing), computer.programming_language

Abstract

The Moving Target Defense (MTD) has been widely discussed in many communities to upgrade the network reliability, survivability, dependability , etc. However, utilizing MTD in privacy protection still needs more investigations. In this paper, we propose a smart collaborative distribution scheme to enhance the privacy based on MTD guidelines. A target application scenario is the Domain Name System (DNS) that is experiencing serious and complex privacy issues. The preliminary and potential risks are firstly analyzed based on DNS attack approaches, DNS server locations and the vulnerability of user privacy. Then, the details of our scheme are illustrated through port number assignment patterns, main procedures of dynamic port hopping and the implementation method. To quantitatively evaluate the performance, an analytical model was established from theoretical perspectives. The relationships between multiple parameters and overall system capacity are explored as well. The validation results demonstrate that the smart collaborative distribution is able to improve the privacy without affecting the basic DNS functionality.

Published

2019

2. A trust-based method for mitigating cache poisoning in Name Data Networking

Author

Jian Wang, Heekuck Oh, and Zeinab Rezaeifar

Subjects

Computer Networks and Communications, Computer science, business.industry, 020206 networking & telecommunications, 02 engineering and technology, Content based networking, Computer Science Applications, Hardware and Architecture, Feature (computer vision), 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, DNS spoofing, business, Computer network

Abstract

Mitigating Cache poisoning in Name Data Networking (NDN) can significantly improve the effect of ubiquitous data caching, which is a prominent feature in NDN. However, since verification signatures cannot be practical in the network routers, finding a suitable method to mitigate cache poisoning in NDN routers is a challenge. Therefore, in this paper, the proposed method tries to identify invalid contents by the defined parameters: popularity, negative feedback and credibility. Then, with combining these three metrics, the trust model is presented to estimate the validity of each content. Moreover, the proposed method creates an incentive among users to exchange trusted contents. Finally, the evaluation results indicate the effectiveness of the proposed method to detect invalid contents as compared to previous methods.

Published

2018

3. Study on the latent state of Kaminsky-style DNS cache poisoning: Modeling and empirical analysis

Author

He Ming, Hu Weihong, Jue Wang, Ye Jueyu, Zhang Haikuo, Qian Wang, Yue Qiaoli, Yan Xiali, and Wanbo Lv

Subjects

ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, General Computer Science, Computer science, Process (engineering), ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Cache, State (computer science), DNS spoofing, Computer security, computer.software_genre, Law, computer, Domain (software engineering)

Abstract

Due to the slow adoption of DNSSEC, the defense against Kaminsky-style DNS cache poisoning still mainly relies on conventional challenge-response mechanisms which have security vulnerabilities. Existing industry and academic research on DNS cache poisoning focuses on preventing cache injection, while systematic study on the entire poisoning process including the domain hijacking phase remains scarce. From an attacker’s perspective, we provide a complete tri-state poisoning model, based on which we further mathematically model the latent state (i.e., hijacking phase) and quantitatively analyze the influence of different factors on the hijacking effect. The simulation and experiment results are consistent with the mathematical model in different scenarios, justifying the effectiveness of the model and the significance of the domain hijacking phase. Finally, countermeasures and suggestions are proposed to strengthen the defense against Kaminsky-style cache poisoning by reducing the success rate of domain hijacking.

Published

2021

4. Overcoming Threats and Vulnerabilities in DNS

Author

Faraz Dalvi, Bhavika Pardeshi, and Asadullah Shaikh

Subjects

business.industry, Computer science, Domain Name System, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Computer security, computer.software_genre, Encryption, Domain (software engineering), ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Internet based, The Internet, DNS spoofing, DNS hijacking, business, computer

Abstract

With the advancement of Internet based technology we face intense need of well-defined security mechanisms to be implemented at each phase. Domain Name System (DNS) is among the most important element of the Internet. DNS resolves the domain names and provides it to the user. It lacks support for a proper security mechanism that may lead to exploitation of the vulnerabilities like data on DNS server can be access or manipulated by anyone, this leads to threats like DNS Hijacking, cache poisoning, etc. This paper gives an overview about the threats found in modern DNS system and how to resolve it. Domain Name System Security Extension (DNSSEC) is one of the main security features present in the DNS system to maintain a secure and efficient communication between users. The main aim of DNSSEC is to authenticate the user and grant access to legitimate users only. DNSSEC is used to avoid almost all the vulnerabilities that are found in the existing DNS system. Beside DNSSEC there are other methods like encryption, VPN, verification, etc. which are discussed in this paper, they are used to resolve different threats in the existing DNS system.

Published

2020

5. Statistical estimation of the names of HTTPS servers with domain name graphs

Author

Akihiro Shimoda, Keisuke Ishibashi, Kazumichi Sato, Shigeaki Harada, Shigeki Goto, Tatsuya Mori, and Takeru Inoue

Subjects

Name server, Hostname, Computer Networks and Communications, business.industry, Computer science, Domain Name System, 020206 networking & telecommunications, Round-robin DNS, 02 engineering and technology, Web traffic, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, nsupdate, CNAME record, DNS spoofing, DNS hijacking, business, Computer network

Abstract

We present the domain name graph (DNG), which is a formal expression that can keep track of CNAME chains and characterize the dynamic and diverse nature of DNS mechanisms and deployments.We develop a framework called Service-Flow map (SFMap) that works on top of the DNG. SFMap estimates the hostname of an HTTPS server when given a pair of client and server IP addresses. It can statistically estimate the hostname even when associating DNS queries are unobserved due to caching mechanisms, etc.Through extensive analysis using real packet traces, we demonstrate that the SFMap framework establishes good estimation accuracies and can out- perform the state-of-the art technique called DN-Hunter. We also identify the optimized setting of the SFMap framework. The experiment results suggest that the success of the SFMap lies in the fact that it can complement incomplete DNS information by leveraging the graph structure.To cope with large-scale measurement data, we introduce techniques to make the SFMap framework scalable. We validate the effectiveness of the approach using large-scale traffic data collected at a gateway point of Internet access links. Adoption of SSL/TLS to protect the privacy of web users has become increasingly common. In fact, as of September 2015, more than 68% of top-1M websites deploy SSL/TLS to encrypt their traffic. The transition from HTTP to HTTPS has brought a new challenge for network operators who need to understand the hostnames of encrypted web traffic for various reasons. To meet the challenge, this work develops a novel framework called SFMap, which estimates names of HTTPS servers by analyzing precedent DNS queries/responses in a statistical way. The SFMap framework introduces domain name graph, which can characterize highly dynamic and diverse nature of DNS mechanisms. Such complexity arises from the recent deployment and implementation of DNS ecosystems; i.e., canonical name tricks used by CDNs, the dynamic and diverse nature of DNS TTL settings, and incomplete and unpredictable measurements due to the existence of various DNS caching instances. First, we demonstrate that SFMap establishes good estimation accuracies and outperforms a state-of-the-art approach. We also aim to identify the optimized setting of the SFMap framework. Next, based on the preliminary analysis, we introduce techniques to make the SFMap framework scalable to large-scale traffic data. We validate the effectiveness of the approach using large-scale Internet traffic.

Published

2016

6. PsyBoG: A scalable botnet detection method for large-scale DNS traffic

Author

Adrian Perrig, Heejo Lee, Jonghoon Kwon, and Jehyun Lee

Subjects

Computer Networks and Communications, business.industry, Computer science, Network security, Domain Name System, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Botnet, 020206 networking & telecommunications, 02 engineering and technology, computer.software_genre, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Server, Scalability, 0202 electrical engineering, electronic engineering, information engineering, Malware, 020201 artificial intelligence & image processing, DNS spoofing, Web threat, business, computer, Computer network

Abstract

Domain Name System (DNS) traffic has become a rich source of information from a security perspective. However, the volume of DNS traffic has been skyrocketing, such that security analyzers experience difficulties in collecting, retrieving, and analyzing the DNS traffic in response to modern Internet threats. More precisely, much of the research relating to DNS has been negatively affected by the dramatic increase in the number of queries and domains. This phenomenon has necessitated a scalable approach, which is not dependent on the volume of DNS traffic. In this paper, we introduce a fast and scalable approach, called PsyBoG, for detecting malicious behavior within large volumes of DNS traffic. PsyBoG leverages a signal processing technique, power spectral density (PSD) analysis, to discover the major frequencies resulting from the periodic DNS queries of botnets. The PSD analysis allows us to detect sophisticated botnets regardless of their evasive techniques, sporadic behavior, and even normal users’ traffic. Furthermore, our method allows us to deal with large-scale DNS data by only utilizing the timing information of query generation regardless of the number of queries and domains. Finally, PsyBoG discovers groups of hosts which show similar patterns of malicious behavior. PsyBoG was evaluated by conducting experiments with two different data sets, namely DNS traces generated by real malware in controlled environments and a large number of real-world DNS traces collected from a recursive DNS server, an authoritative DNS server, and Top-Level Domain (TLD) servers. We utilized the malware traces as the ground truth, and, as a result, PsyBoG performed with a detection accuracy of 95%. By using a large number of DNS traces, we were able to demonstrate the scalability and effectiveness of PsyBoG in terms of practical usage. Finally, PsyBoG detected 23 unknown and 26 known botnet groups with 0.1% false positives.

Published

2016

7. Game-theoretic modeling of the behavior of Domain Name System attacker

Author

Abdul Aziz Al Abri, Mohamed Ould-Khaoua, Ahmed Al Maashri, and Hadj Bourdoucen

Subjects

General Computer Science, Mathematical model, Markov chain, Process (engineering), Computer science, Domain Name System, 020206 networking & telecommunications, 02 engineering and technology, Intrusion detection system, Computer security, computer.software_genre, Control and Systems Engineering, Server, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, DNS spoofing, Electrical and Electronic Engineering, Game theory, computer

Abstract

The last few years have witnessed a rapid increase in the number of cyber-attacks on governments and organizations. To combat these attacks, a number of works have developed mathematical models that attempt to capture the behavior of attackers. However, these works focus on the process of the attack rather than the behavior of the attacker, which hinders the effectiveness of these models. On the other hand, many applications in cyber security have utilized game theory to model both the defender and attacker. This paper combines the Markov Chain models with game theory in order to assess the security state of Domain Name System (DNS) servers. This assessment was performed using realistic values of reward and cost in the game model. The simulation results indicate that the proposed modifications to the model have improved the accuracy of modeling the behavior of attackers on DNS servers.

Published

2020

8. Visualizing and characterizing DNS lookup behaviors via log-mining

Author

Changling Zhou, Shiyang Chen, Hao Ma, Qingnan Lai, and Zhen Wu

Subjects

Name server, Computer science, business.industry, Cognitive Neuroscience, Domain Name System, DNS zone transfer, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, DNS zone, Split-brain (computing), Round-robin DNS, Computer Science Applications, World Wide Web, Campus network, Artificial Intelligence, Zone file, Server, Dig, nsupdate, DNS spoofing, DNS hijacking, business, Computer network

Abstract

The Domain Name System (DNS) is a critical Internet service, which translates easily memorized domain names to numerical IP addresses for locating computer resources and services. In this paper, we try to explore the behaviors of DNS lookup by mining DNS logs from three primary DNS servers in a large university campus network in China. Our dataset is made up of two parts, namely DNS query logs and messages received or send by DNS servers. Firstly, through analyzing these DNS query logs, we are able to understand the overall trend of users’ surfing. For dealing with huge DNS dataset, we introduce an algorithm we call DNSReduce , which can be used to dig out top 10 client IP addresses and top 10 destination domain names efficiently. Moreover, we make comparative analysis of lookup behavior between wired and wireless users. Secondly, with messages received or send by DNS servers we can find these DNS servers׳ behaviors, i.e., TTLs, equivalent answers and are able to accurately identify domain names with dynamic IP addresses. We provide different and specific visualization techniques for presenting these analysis results and show these techniques are very useful for understanding user behaviors, analyzing security events and characterizing overall tendency in campus network management.

Published

2015

9. Man-in-the-browser-cache: Persisting HTTPS attacks via browser cache poisoning

Author

Yaoqi Jia, Yue Chen, Zhenkai Liang, Jian Mao, Prateek Saxena, and Xinshu Dong

Subjects

World Wide Web, HTML5, General Computer Science, Computer science, Vulnerability, Session (computer science), Cache, DNS spoofing, Computer security, computer.software_genre, Law, computer, Browser security

Abstract

In this paper, we present a systematic study of browser cache poisoning (BCP) attacks, wherein a network attacker performs a one-time Man-In-The-Middle (MITM) attack on a user's HTTPS session, and substitutes cached resources with malicious ones. We investigate the feasibility of such attacks on five mainstream desktop browsers and 16 popular mobile browsers. We find that browsers are highly inconsistent in their caching policies for loading resources over SSL connections with invalid certificates. In particular, the majority of desktop browsers (99% of the market share) and popular mobile browsers (over a billion user downloads) are affected by BCP attacks to a large extent. Existing solutions for safeguarding HTTPS sessions fail to provide comprehensive defense against this threat. We provide guidelines for users and browser vendors to defeat BCP attacks. Meanwhile, we propose defense techniques for website developers to mitigate an important subset of BCP attacks on existing browsers without cooperation of users and browser vendors. We have reported our findings to browser vendors and confirmed the vulnerabilities. For example, Google has acknowledged the vulnerability we reported in Chrome's HTML5 AppCache and has fixed the problem according to our suggestion.

Published

2015

10. A CDN-based Domain Name System

Author

Yuehui Jin, Zhen Qin, Qiyao Wang, Aleksandar Kuzmanovic, and Chunjing Xiao

Subjects

Name server, Computer Networks and Communications, Computer science, business.industry, Domain Name System, DNS zone transfer, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, DNS zone, Round-robin DNS, Server, nsupdate, DNS spoofing, DNS hijacking, business, Computer network

Abstract

To enhance end-user experiences, Content Distribution Networks (CDNs) effectively exploit the Domain Name System (DNS) to redirect end-users to close-by content replicas over short time scales. While the use of DNS has brought a significant advantage to CDNs, in this paper we confirm that reliance on DNS also poses a fundamental threat to large-scale CDNs’ content distribution model. In particular, we demonstrate that a considerable penetration of public DNS resolving services ( e.g. , OpenDNS and GoogleDNS) effectively corrupts the CDN approach, equally the large-scale server distribution and quick DNS redirections. Our contributions are threefold. First, we systematically evaluate and quantify how the use of public DNS resolving services impacts Akamai’s content distribution model, the corresponding end-user service performance, and ISPs that host CDN edge servers. Second, we show that a CDN-based DNS architecture, which can effectively function as both the current authoritative nameservers and resolvers, coexist with the current DNS infrastructure, and directly response end-users with authoritative DNS records. Third, we implement a prototype CDN-based DNS system by using popular Web 2.0 websites as a vehicle to publish DNS records onto CDN edge servers. We demonstrate that in an extreme setting, such an approach can achieve one order of magnitude faster lookup times relative to existing DNS resolving systems. Most importantly, we argue that the proposed design provides a realistic way to change DNS and address a number of long-lasting and emerging problems associated with this basic Internet service.

Published

2014

11. An efficacious method for detecting phishing webpages through target domain identification

Author

Gowtham Ramesh, K. Sampath Sree Kumar, and Ilango Krishnamurthi

Subjects

Information Systems and Management, Spoofing attack, Computer science, Hyperlink, Phishing, Masking (Electronic Health Record), Management Information Systems, World Wide Web, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Arts and Humanities (miscellaneous), Web page, Developmental and Educational Psychology, ComputingMilieux_COMPUTERSANDSOCIETY, DNS spoofing, Domain identification, Information Systems

Abstract

Phishing is a fraudulent act to acquire sensitive information from unsuspecting users by masking as a trustworthy entity in an electronic commerce. Several mechanisms such as spoofed e-mails, DNS spoofing and chat rooms which contain links to phishing websites are used to trick the victims. Though there are many existing anti-phishing solutions, phishers continue to lure the victims. In this paper, we present a novel approach that not only overcomes many of the difficulties in detecting phishing websites but also identifies the phishing target that is being mimicked. We have proposed an anti-phishing technique that groups the domains from hyperlinks having direct or indirect association with the given suspicious webpage. The domains gathered from the directly associated webpages are compared with the domains gathered from the indirectly associated webpages to arrive at a target domain set. On applying Target Identification (TID) algorithm on this set, we zero-in the target domain. We then perform third-party DNS lookup of the suspicious domain and the target domain and on comparison we identify the legitimacy of the suspicious page.

Published

2014

12. Quantifying DNS namespace influence

Author

Prasant Mohapatra, Jeff Sedayao, Casey Deccio, and Krishna Kant

Subjects

Name server, Information retrieval, Computer Networks and Communications, Computer science, DNS zone transfer, Domain Name System, A domain, DNS zone, Split-brain (computing), computer.software_genre, Wildcard DNS record, Root name server, Zone file, nsupdate, DNS spoofing, Data mining, Fully qualified domain name, CNAME record, computer

Abstract

Name resolution using the Domain Name System (DNS) is integral to today's Internet. The resolution of a domain name is often dependent on namespace outside the control of the domain's owner. In this article we review the DNS protocol and several DNS server implementations. Based on our examination, we propose a formal model for analyzing the name dependencies inherent in DNS. Using our name dependency model we derive metrics to quantify the extent to which domain names affect other domain names. It is found that under certain conditions, more than half of the queries for a domain name are influenced by namespaces not expressly configured by administrators. This result serves to quantify the degree of vulnerability of DNS due to dependencies that administrators are unaware of. When we apply metrics from our model to production DNS data, we show that the set of domains whose resolution affects a given domain name is much smaller than previously thought. However, behaviors such as using cached addresses for querying authoritative servers and chaining domain name aliases increase the number and diversity of influential domains, thereby making the DNS infrastructure more vulnerable.

Published

2012

13. An Internet without the Internet protocol

Author

Craig A. Shue and Minaxi Gupta

Subjects

Routing protocol, Dynamic Source Routing, Computer Networks and Communications, Computer science, computer.internet_protocol, Routing table, Internet layer, IP forwarding, Enhanced Interior Gateway Routing Protocol, Computer security, computer.software_genre, law.invention, law, Reserved IP addresses, Internet Protocol, DNS spoofing, Hierarchical routing, IPv4 address exhaustion, Static routing, IPv6 address, Protocol Independent Multicast, business.industry, Network packet, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Policy-based routing, Autonomous system (Internet), Supernetwork, IPv6, Routing domain, Border Gateway Protocol, Default-free zone, The Internet, business, computer, Computer network

Abstract

The growth of the Internet has brought about many challenges for its critical infrastructure. The DNS infrastructure, which translates mnemonic host names into IP addresses understood by the routers, is frequently the target of cache poisoning attacks. Internet routers are also experiencing alarming growth in their routing table sizes, which may soon make it impossible for them to forward packets quickly enough to meet demand. Further, concerns about IPv4 address space exhaustion loom on the horizon despite the availability of IPv6. In this paper, we take a fresh look at Internet routing and propose a scheme that addresses all of these concerns cleanly. Our scheme forgoes IP addresses entirely and instead uses host names as identifiers in packets. The scalability of routing is ensured by encapsulating these packets in highly aggregated routing locators: we use autonomous system numbers (ASNs), which are already an integral part of inter-domain routing. We present data and experiments to show that a much simpler and scalable routing infrastructure can be designed for a future Internet by using fewer identifiers for its entities.

Published

2010

14. A Self Configuring and Self Administrating Name System with Dynamic Address Assignment

Author

Michael W. Butler, Paul Huck, Michael Feng, and Amar Gupta

Subjects

Name server, Root name server, resolv.conf, Computer science, Domain Name System, Operating system, DNS zone, Access Point Name, nsupdate, DNS spoofing, computer.software_genre, computer

Abstract

A distributed system that stores name-to-address bindings and provides name resolution to a network of computers is presented in this paper. This name system consists of a network of name services that are individually self-configuring and self-administering. The name service consists of an agent program that works in conjunction with the current implementation of the Domain Name System (DNS). The DNS agent program automatically configures a Berkeley Internet Name Domain (BIND) process during start up and dynamically reconfigures and administers the BIND process based on the changing state of the network. The proposed name system offers high scalability and fault-tolerance capabilities and communicates using standard Internet protocols.

Published

2001