412 results for "DNS spoofing"
Search Results
2. Preserving Privacy in Internet of Things (IoT)-Based Devices
- Author
-
Sharma, Dheeraj, Tyagi, Amit Kumar, Kacprzyk, Janusz, Series Editor, Gomide, Fernando, Advisory Editor, Kaynak, Okyay, Advisory Editor, Liu, Derong, Advisory Editor, Pedrycz, Witold, Advisory Editor, Polycarpou, Marios M., Advisory Editor, Rudas, Imre J., Advisory Editor, Wang, Jun, Advisory Editor, Singh, Pradeep Kumar, editor, Wierzchoń, Sławomir T., editor, Tanwar, Sudeep, editor, Rodrigues, Joel J. P. C., editor, and Ganzha, Maria, editor
- Published
- 2023
- Full Text
- View/download PDF
3. Adversarial Defense: DGA-Based Botnets and DNS Homographs Detection Through Integrated Deep Learning
- Author
-
Ajay Arunachalam, Sriram Srinivasan, Vinayakumar Ravi, K. P. Soman, and Mamoun Alazab
- Subjects
Homograph, Computer science, Strategy and Management, Domain Name System, Botnet, Machine learning, Domain (software engineering), Robustness (computer science), Server, Malware, Artificial intelligence, DNS spoofing, Electrical and Electronic Engineering - Abstract
Cybercriminals use domain generation algorithms (DGAs) to keep their servers from being blacklisted or shut down. Existing reverse-engineering techniques for DGA detection are labor intensive, extremely time-consuming, prone to human error, and have significant limitations. Hence, an automated real-time technique with a high detection rate is warranted in such applications. In this article, we present a novel deep-learning technique to detect randomly generated domain names and domain name system (DNS) homograph attacks without reverse engineering or nonexistent-domain (NXDomain) inspection. We provide an extensive evaluation of our model over four large, real-world, publicly available datasets. We further investigate the robustness of our model against three different adversarial attacks: DeepDGA, CharBot, and MaskDGA. Our evaluation demonstrates that our method effectively identifies DNS homograph attacks and DGAs and is also resilient to common evasion attacks. Promising results show that our approach provides a more effective detection rate, with an accuracy of 0.99. Additionally, the performance of our model is compared against the most popular deep learning architectures. Our findings highlight the essential need for more robust detection models to counter adversarial learning.
- Published
- 2023
- Full Text
- View/download PDF
4. A Formal Verification of ArpON – A Tool for Avoiding Man-in-the-Middle Attacks in Ethernet Networks
- Author
-
Elena Pagani, Andrea Lanzi, Silvio Ghilardi, Andrea Di Pasquale, and Danilo Bruschi
- Subjects
Ethernet, Computer science, Local area network, Cryptography, Man-in-the-middle attack, Computer security, ARP spoofing, DNS spoofing, Electrical and Electronic Engineering, Communications protocol, Host (network) - Abstract
Since the nineties, the man-in-the-middle (MITM) attack has been one of the most effective strategies for compromising information security in network environments. In this paper, we focus on ARP cache poisoning, one of the best-known and most widely adopted techniques for performing MITM attacks in Ethernet local area networks. More precisely, we prove that, in a network environment with at least one malicious host and no cryptography, an ARP cache poisoning attack cannot be avoided. We then present ArpON, an efficient and effective solution for counteracting ARP cache poisoning, and use a model checker to verify its safety property. Our main finding, consistent with the impossibility result above, is that the only event that compromises the safety of ArpON is a cache poisoning that ArpON itself removes after a very short period, making it practically infeasible to perpetrate an ARP cache poisoning attack against network hosts on which ArpON is installed.
- Published
- 2022
- Full Text
- View/download PDF
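The impossibility result above says that without cryptography a host cannot prevent a poisoned reply from reaching it; what it can do is notice and undo the poisoning, which is ArpON's strategy. The following is an added example written for this listing, not code from the ArpON paper: a passive monitor that decodes raw Ethernet/ARP frames, learns bindings only from replies that answer a request it saw on the wire, and alerts when a reply rebinds a known IP to another MAC or arrives unsolicited. The MAC addresses, IPs and frames are constructed.

```python
"""Passive ARP poisoning monitor over raw Ethernet/ARP frames.

Added example, not code from the ArpON paper: ArpON's own mechanism is more
involved. This monitor keeps its own IP -> MAC table, learns only from replies
that answer a request it saw, and alerts on (a) a reply that claims a new MAC
for an IP already bound to another MAC and (b) an unsolicited reply for an IP
it has no binding for. MAC addresses, IPs and frames are constructed.
"""
import struct
from collections import namedtuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST, ZERO_MAC = b"\xff" * 6, b"\x00" * 6

ArpFrame = namedtuple("ArpFrame", "op sender_mac sender_ip target_mac target_ip")


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst=None):
    """Assemble an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    eth = (eth_dst or target_mac) + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, oper
    arp += sender_mac + bytes(int(x) for x in sender_ip.split("."))
    arp += target_mac + bytes(int(x) for x in target_ip.split("."))
    return eth + arp


def parse_arp(frame):
    """Decode an Ethernet ARP frame; None if the frame is not ARP or too short."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    sender_mac, sender_ip = frame[22:28], ".".join(str(b) for b in frame[28:32])
    target_mac, target_ip = frame[32:38], ".".join(str(b) for b in frame[38:42])
    return ArpFrame(op, sender_mac, sender_ip, target_mac, target_ip)


class ArpMonitor:
    def __init__(self):
        self.table = {}       # ip -> mac, first trusted binding wins
        self.pending = set()  # target IPs of requests seen on the wire
        self.alerts = []

    def observe(self, frame):
        """Feed one frame; returns an alert string or None."""
        arp = parse_arp(frame)
        if arp is None:
            return None
        if arp.op == ARP_REQUEST:
            self.pending.add(arp.target_ip)
            return None
        if arp.op != ARP_REPLY:
            return None
        known = self.table.get(arp.sender_ip)
        alert = None
        if known is not None and known != arp.sender_mac:
            alert = (f"MAC change for {arp.sender_ip}: "
                     f"{known.hex(':')} -> {arp.sender_mac.hex(':')}")
        elif known is None and arp.sender_ip not in self.pending:
            alert = f"unsolicited reply for {arp.sender_ip} from {arp.sender_mac.hex(':')}"
        elif known is None:
            self.table[arp.sender_ip] = arp.sender_mac  # answers a request we saw
        self.pending.discard(arp.sender_ip)
        if alert:
            self.alerts.append(alert)
        return alert


# Constructed hosts: victim, gateway and attacker on 10.0.0.0/24.
GATEWAY_MAC = bytes.fromhex("0a0000000001")
VICTIM_MAC = bytes.fromhex("0a0000000002")
ATTACKER_MAC = bytes.fromhex("0a0000000003")


def run_demo():
    """Replay a legitimate exchange followed by two poisoning attempts."""
    mon = ArpMonitor()
    frames = [
        build_arp(ARP_REQUEST, VICTIM_MAC, "10.0.0.2", ZERO_MAC, "10.0.0.1", BROADCAST),
        build_arp(ARP_REPLY, GATEWAY_MAC, "10.0.0.1", VICTIM_MAC, "10.0.0.2"),
        # attacker re-binds the gateway IP to its own MAC
        build_arp(ARP_REPLY, ATTACKER_MAC, "10.0.0.1", VICTIM_MAC, "10.0.0.2"),
        # attacker pre-poisons an IP nobody asked about
        build_arp(ARP_REPLY, ATTACKER_MAC, "10.0.0.5", VICTIM_MAC, "10.0.0.2"),
    ]
    for f in frames:
        mon.observe(f)
    return mon


if __name__ == "__main__":
    for line in run_demo().alerts:
        print(line)
```

The monitor deliberately keeps the first binding when a conflicting reply arrives, which is the same "detect and refuse" posture the paper's result forces on any non-cryptographic defence; a real deployment would feed it frames from a raw socket or pcap and would also age out bindings.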
5. Techno-Economic Aspect of the Man-in-the-Middle Attacks
- Author
-
Zoran Cekerevac, Zdenek Dvorak, Ludmila Prigoda, and Petar Cekerevac
- Subjects
man-in-the-middle, IT, internet, eavesdropping, ARP poisoning, DNS spoofing, SSL hijacking, internet of things, Transportation and communications, Science, Transportation engineering - Abstract
This paper analyzes some aspects of man-in-the-middle (MITM) attacks. After a short introduction outlining the essence of the attack, the scientific methods and hypotheses used are presented. The next chapter presents the technology of MITM attacks and the benefits that a successful attack provides the attacker. Some of the most significant examples of such attacks, those with larger scale and significant impact on the broader Internet community, are presented. This part of the article ends with an analysis of possible protection against MITM attacks. Later, on the basis of available data, an analysis of MITM attacks from an economic point of view is given. The Conclusion summarizes the whole analysis.
- Published
- 2017
- Full Text
- View/download PDF
6. The Risk of Portal Hacking and Pharming Using DNS Spoofing.
- Author
-
최재원
- Subjects
INTERNET protocol address ,WEBSITES ,PROFESSIONAL-client communication ,SECURITY systems ,COMPUTER hacking ,INTERNET servers ,INTERNET domain naming system - Abstract
DNS spoofing is an attack in which an attacker intervenes in the communication between a client and a DNS server and responds with a fake IP address rather than the actual one. It is possible to implement a pharming site that steals user IDs and passwords by duplicating the web server's index page with simple web programming. In this paper we study a web spoofing attack that combines DNS spoofing with a pharming site implementation, leading the user to the pharming site. We study the DNS spoofing attack method and procedure and the pharming site implementation method for this university's portal server. In the case of the Kyungsung Portal, the bypass attack and hacking were possible even though the web server used SSL encryption and secure authentication. Many web servers lack security measures, and even web servers secured by SSL can be defeated. These serious risks therefore need to be publicized and countermeasures researched.
- Published
- 2019
- Full Text
- View/download PDF
7. An Effective and Lightweight Countermeasure Scheme to Multiple Network Attacks in NDN
- Author
-
Guoxin Lv, Zhaoyang Heng, Yang Yue, Haiying Shen, Dapeng Qu, and Qu Shijun
- Subjects
Router, Computer Networks and Communications, Computer science, Cache pollution, Security token, Computer Science Applications, Flooding (computer networking), Core router, Overhead (computing), Network performance, DNS spoofing, Electrical and Electronic Engineering, Software, Computer network - Abstract
In Named Data Networking, cache pollution, cache poisoning and interest flooding are three popular types of attacks that can drastically degrade the network performance. However, previous methods for mitigating these attacks are not sufficiently effective or efficient. Also, they cannot simultaneously handle the three attacks, or the case that core routers or edge routers are compromised. To handle these problems, we propose an effective and lightweight countermeasure scheme. It consists of token-based router monitoring policy (TRM), hierarchical consensus-based trust management (HCT), and popularity-based probabilistic caching and caching replacement policy (PPC). In TRM, each edge router monitors and evaluates each data requester's probability of launching the cache pollution attack and each data provider's probability of launching the cache poisoning attack, and accordingly assigns, rewards and penalizes tokens to them to control their data request and data provision activities. Thus, the interest flooding attack can also be mitigated by limiting the consumption of tokens. In HCT, each core router manages its directly connected edge routers using TRM, and the core routers trust each other through adopting the concept of consensus in Blockchain. Thus, the edge and core routers executing monitoring and evaluation are trustable. PPC uses probabilistic caching and caching replacement based on the popularity of received content to further mitigate the attacks and reduce caching and data verification overhead. Results from simulation experiments demonstrate that our proposed scheme has better performance, in terms of interest satisfaction ratio and average end-to-end delay than current mechanisms.
- Published
- 2022
- Full Text
- View/download PDF
8. Dynamic forest of random subsets-based one-time signature-based capability enhancing security architecture for named data networking
- Author
-
M. Victor Jose and Varghese Jensy Babu
- Subjects
Authentication, Computer Networks and Communications, Computer science, Network packet, Applied Mathematics, Denial-of-service attack, Enterprise information security architecture, Computer Science Applications, Flooding (computer networking), Computational Theory and Mathematics, Artificial Intelligence, PlanetLab, DNS spoofing, Electrical and Electronic Engineering, Dissemination, Information Systems, Computer network - Abstract
Network caching in named data networks (NDN) is essential for improving on the capabilities of conventional IP networking. Network caching is necessary for achieving optimal bandwidth utilization and location-independent data access during multipath data dissemination. However, network caching in NDN makes it highly vulnerable to security breaches such as content packet access violations, flooding or malicious injection of packets, and content cache poisoning. In this paper, a dynamic forest of random subsets-based one-time signature-based capability enhancing security architecture (DFORS-CSA) is proposed for attaining distributed data authentication. This DFORS-CSA security architecture leverages the potential of exploring the access privileges of the packets disseminated in the network. It includes the capability through which routers can authenticate packets forwarded in NDN. It supports a significant verification strategy through which the routers can ensure packet timeliness, resolving the problems introduced by unsolicited packets exchanged during flooding-based denial of service attacks. The simulation experiments on the proposed DFORS-CSA are conducted using the open source CCNs platform and the PlanetLab simulator. The results confirm its superiority in minimizing overall delay and the time incurred in bit vector generation by 16.74% and 15.63%, respectively, over the baseline approaches. The results also confirm a mean improvement in precision of 10.21%, true positive rate of 8.94% and F-measure of 7.62%, with a decrease in false positive rate of 8.56%, when detecting content cache poisoning attacks.
- Published
- 2021
- Full Text
- View/download PDF
9. Security and Privacy for Mobile Edge Caching: Challenges and Solutions
- Author
-
Kuan Zhang, Jianbing Ni, and Athanasios V. Vasilakos
- Subjects
Networking and Internet Architecture (cs.NI), Cryptography and Security (cs.CR), Edge device, Computer science, Key distribution, Cache pollution, Computer security, Computer Science Applications, Base station, DNS spoofing, Cache, Side channel attack, Enhanced Data Rates for GSM Evolution, Electrical and Electronic Engineering, Networking & Telecommunications - Abstract
Mobile edge caching is a promising technology for the next-generation mobile networks to effectively offer service environment and cloud-storage capabilities at the edge of networks. By exploiting the storage and computing resources at the network edge, mobile edge caching can significantly reduce service latency, decrease network load, and improve user experience. On the other hand, edge caching is subject to a number of threats regarding privacy violation and security breach. In this article, we first introduce the architecture of mobile edge caching, and address the key problems regarding why, where, what, and how to cache. Then, we examine the potential cyber threats, including cache poisoning attacks, cache pollution attacks, cache side-channel attacks, and cache deception attacks, which result in huge concerns about privacy, security, and trust in content placement, content delivery, and content usage for mobile users, respectively. After that, we propose a service-oriented and location-based efficient key distribution protocol (SOLEK) as an example in response to efficient and secure content delivery in mobile edge caching. Finally, we discuss the potential techniques for privacy-preserving content placement, efficient and secure content delivery, and trustful content usage, which are expected to draw more attention and efforts into secure edge caching. This article has been accepted by IEEE Wireless Communications Magazine.
- Published
- 2021
- Full Text
- View/download PDF
10. B-DNS: A Secure and Efficient DNS Based on the Blockchain Technology
- Author
-
Songtao Guo, Zhe Peng, Shang Gao, Bin Xiao, Zecheng Li, and Yuanyuan Yang
- Subjects
Computer Networks and Communications, Network security, Computer science, Domain Name System, Denial-of-service attack, Attack surface, Computer security, Computer Science Applications, Control and Systems Engineering, Server, The Internet, DNS spoofing, Protocol (object-oriented programming) - Abstract
The Domain Name System (DNS) plays a crucial role in the Internet. However, it is vulnerable to many attacks such as the cache poisoning attack and DDoS attack. Though some countermeasures have been proposed, they still have some limitations. In this paper, we propose B-DNS, a blockchain-based domain name system, which can provide a secure and efficient DNS service. B-DNS addresses two shortcomings of current blockchain-based DNS, namely the computation-heavy Proof-of-Work (PoW) protocol and inefficient queries, by building a Proof-of-Stake (PoS) consensus protocol and an index of domains. We propose a novel way to quantitatively compare the security of B-DNS and legacy DNS in terms of attack success rate, attack cost, and attack surface. Our experiments show that the probability of a successful attack on B-DNS is 1% of that of a successful attack on legacy DNS, the attack cost goes up a million times in B-DNS, and the attack surface of B-DNS is far smaller than that of legacy DNS. The query performance evaluation of B-DNS shows that B-DNS can achieve similar or even lower query latency than state-of-the-art commercial DNS implementations.
- Published
- 2021
- Full Text
- View/download PDF
11. Hierarchical Anomaly-Based Detection of Distributed DNS Attacks on Enterprise Networks
- Author
-
Craig Russell, Minzhao Lyu, Hassan Habibi Gharakheili, and Vijay Sivaraman
- Subjects
Computer Networks and Communications, Computer science, Domain Name System, Denial-of-service attack, Intrusion detection system, Subnet, Firewall (construction), Server, Anomaly detection, DNS spoofing, Electrical and Electronic Engineering, Computer network - Abstract
Domain Name System (DNS) is a critical service for enterprise operations, and is often made openly accessible across firewalls. Malicious actors use this fact to attack organizational DNS servers, or use them as reflectors to attack other victims. Further, attackers can operate with little resources, can hide behind open recursive resolvers, and can amplify their attack volume manifold. The rising frequency and effectiveness of DNS-based DDoS attacks make this a growing concern for organizations. Solutions available today, such as firewalls and intrusion detection systems, use combinations of black-lists of malicious sources and thresholds on DNS traffic volumes to detect and defend against volumetric attacks, which are not robust to attack sources that morph their identity or adapt their rates to evade detection. We propose a method for detecting distributed DNS attacks that uses a hierarchical graph structure to track DNS traffic at three levels of host, subnet, and autonomous system (AS), combined with machine learning that identifies anomalous behaviors at various levels of the hierarchy. Our method can detect distributed attacks even with low rates and stealthy patterns. Our contributions are three-fold: (1) We analyze real DNS traffic over a week (nearly 400M packets) from the edges of two large enterprise networks to highlight various types of incoming DNS queries and the behavior of malicious entities generating query scans and floods; (2) We develop a hierarchical graph structure to monitor DNS activity, identify key attributes, and train/tune/evaluate anomaly detection models for various levels of the hierarchy, yielding more than 99% accuracy at each level; and (3) We apply our scheme to a month’s worth of DNS data from the two enterprises and compare the results against blacklists and firewall logs to demonstrate its ability in detecting distributed attacks that might be missed by legacy methods while maintaining a decent real-time performance.
- Published
- 2021
- Full Text
- View/download PDF
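The point of scoring traffic at host, subnet and AS level is that a distributed attacker can keep every individual source under a per-host threshold while the aggregate it controls is plainly abnormal. The following is an added example for this listing, not the authors' graph structure or trained classifiers: it counts inbound queries at the three levels and applies a robust z-score against a per-level baseline, so the same window that looks quiet per host and per /24 trips at AS level. The prefix-to-AS map, the baselines and the query log are constructed.

```python
"""Scoring inbound DNS query volume at host, /24 and AS level.

Added example, not the authors' graph structure or trained models: it keeps
their idea of scoring the same traffic at three aggregation levels, so a
distributed source that stays quiet per host still stands out when its
subnet or its AS is scored as one entity. The prefix-to-AS map, the
historical baselines and the query log are constructed; anomaly scoring is a
robust z-score (median / MAD).
"""
import ipaddress
import statistics
from collections import Counter

# Assumption: a tiny prefix -> AS map standing in for a BGP/whois lookup.
PREFIX_TO_AS = {
    ipaddress.ip_network("198.51.100.0/24"): 64500,
    ipaddress.ip_network("203.0.113.0/24"): 64500,
    ipaddress.ip_network("198.18.0.0/24"): 64500,
    ipaddress.ip_network("192.0.2.0/24"): 64496,
}
# Assumption: per-entity query counts per window seen in a quiet training period.
BASELINES = {
    "host": [2, 3, 3, 4, 2, 3, 5, 3, 4, 3],
    "subnet": [10, 12, 9, 11, 10, 13, 10, 11, 9, 12],
    "as": [20, 24, 22, 21, 25, 23, 22, 24, 21, 23],
}


def as_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((asn for net, asn in PREFIX_TO_AS.items() if addr in net), None)


def subnet_of(ip):
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def count_levels(lines):
    """{level: Counter(entity -> queries)} from '<ts> <src_ip> <qname> <qtype>' lines."""
    levels = {"host": Counter(), "subnet": Counter(), "as": Counter()}
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        src = parts[1]
        levels["host"][src] += 1
        levels["subnet"][subnet_of(src)] += 1
        levels["as"][as_of(src)] += 1
    return levels


def robust_z(value, baseline):
    """(value - median) / MAD, scaled so Gaussian data gives roughly N(0, 1)."""
    med = statistics.median(baseline)
    mad = statistics.median(abs(b - med) for b in baseline) or 1.0
    return (value - med) / (1.4826 * mad)


def score(window_lines, baselines=BASELINES, threshold=5.0):
    """Entities whose count in this window is anomalous for their level."""
    flagged = {}
    for level, counts in count_levels(window_lines).items():
        for entity, n in counts.items():
            z = robust_z(n, baselines[level])
            if z > threshold:
                flagged[(level, entity)] = round(z, 1)
    return flagged


def build_window():
    """Constructed one-minute window: nine hosts spread over three /24s of
    AS 64500 send four queries each (a low-rate distributed scan), plus one
    ordinary client in AS 64496."""
    lines = []
    for base in ("198.51.100", "203.0.113", "198.18.0"):
        for host in (10, 20, 30):
            for i in range(4):
                lines.append(f"2021-05-01T00:00:{i:02d} {base}.{host} z{i}.victim.example A")
    lines += ["2021-05-01T00:00:05 192.0.2.10 www.victim.example A"] * 3
    return lines


if __name__ == "__main__":
    print(score(build_window()))
```

With these baselines each scanning host scores about 1.3 and each /24 about 1.0, both well under the threshold, while AS 64500 as a whole scores about 6 and is the only entity flagged; the paper's contribution is learning the features and baselines per level from real traffic rather than fixing them by hand as done here.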
12. Thirty Years of DNS Insecurity: Current Issues and Perspectives
- Author
-
Giovanni Schmid
- Subjects
Standardization, Computer science, Data loss, Computer security, Asset (computer security), Internet governance, The Internet, DNS spoofing, Digital economy, Electrical and Electronic Engineering - Abstract
When DNS was created, nobody expected that it would become the base of the digital economy and a prime target for cybercriminals. And nobody expected that one main asset of the digital economy would be users' browsing habits, putting their privacy at risk. The DNS was designed and implemented according to speed, scalability, and reliability criteria, whereas security and privacy were not among the objectives. Although the first attacks were conceived about thirty years ago, the DNS infrastructure, with a number of improvements but its original design, continues to play a pivotal role in enabling access to services, data and devices. And, despite the fairly widespread adoption of the DNSSEC security extensions in recent years, DNS attacks are becoming more and more frequent, sophisticated and dangerous. They are global, varied, dynamic and can circumvent traditional security systems such as next-generation firewalls and data loss prevention systems. Revisiting the assumptions of DNS has been proposed in very different ways, reflecting diverse points of view on Internet governance and user freedom, and a great effort is under way by standardization bodies, industry consortia and academic research to converge toward an updated design and implementation. The present work overviews the most promising proposals, trying to shed some light on the future of DNS.
- Published
- 2021
- Full Text
- View/download PDF
13. Improved Merkle Hash Tree-Based One-Time Signature Scheme for Capability-Enhanced Security Enforcing Architecture for Named Data Networking
- Author
-
M. Victor Jose and Varghese Jensy Babu
- Subjects
Network packet, Computer science, Denial-of-service attack, Cache pollution, Merkle tree, Computer Science Applications, Flooding (computer networking), DNS spoofing, Electrical and Electronic Engineering, Dissemination, Computer network - Abstract
The concept of network caching is determined to be a potential requirement of named data networks (NDN) for enhancing the capabilities of traditional IP networking. It is responsible for location-independent data access and optimal bandwidth utilization in multi-path data dissemination. However, the network caching process in NDN introduces security challenges such as content cache poisoning, malicious injection or flooding of packets, and violations in accessing content packets. In this paper, an Improved Merkle Hash Tree-based one-time signature scheme for a capability-enhanced security enforcing architecture (IMHT-OTSS-CSEA) is proposed for provisioning data authenticity in a distributed manner, leveraging capabilities to convey the access privileges of packets during data dissemination. It permits routers to verify the authenticity of forwarded packets in NDN. It is capable of handling the issues that emerge from unsolicited packets during flooding-based denial of service attacks by supporting the indispensable verification process in routers that confirms the timeliness of packets. The simulation experiments conducted using the open source CCNs platform and PlanetLab confirmed a significant mean reduction in delay of 14.61%, superior to the benchmarked schemes. It is found to minimize the delay incurred in generating bit vectors by an average margin of 13.06%, superior to the baseline approaches. It also confirmed a mean increase in the true positive rate of 5.42%, a mean increase in precision of 6.04%, a decrease in false positive rate of 6.82% and an increase in F-measure of 5.62% compared to the baseline approaches in the context of detecting content cache pollution attacks.
- Published
- 2020
- Full Text
- View/download PDF
14. A wrinkle in time: a case study in DNS poisoning
- Author
-
Moti Geva, Amit Dvir, and Harel Berger
- Subjects
Cryptography and Security (cs.CR), Computer Networks and Communications, Computer science, Domain Name System, Cryptography, Networking hardware, Root name server, Server, Key (cryptography), The Internet, DNS spoofing, Safety, Risk, Reliability and Quality, Software, Information Systems, Computer network - Abstract
The Domain Name System (DNS) provides a translation between readable domain names and IP addresses. The DNS is a key infrastructure component of the Internet and a prime target for a variety of attacks. One of the most significant threats to the DNS's wellbeing is the DNS poisoning attack, in which DNS responses are maliciously replaced, or poisoned, by an attacker. To identify this kind of attack, we start with an analysis of different kinds of response times. We present an analysis of typical and atypical response times, differentiating between the response times of the different levels of DNS servers, from root servers down to internal caching servers. We successfully identify empirical DNS poisoning attacks based on a novel method for DNS response timing analysis. We then present a system we developed to validate our technique that does not require any changes to the DNS protocol or to any existing network equipment. Our validation system tested data from different architectures, including LAN and cloud environments, and real data from an Internet Service Provider (ISP). Our method and system differ from most other DNS poisoning detection methods and achieved high detection rates exceeding 99%. These findings suggest that, when used in conjunction with other methods, they can considerably enhance the accuracy of those methods.
- Published
- 2020
- Full Text
- View/download PDF
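The timing observation the abstract rests on is simple to state: an uncached answer from a given upstream server falls in a predictable response-time band, a forged answer racing the real one typically lands well below that band, and the genuine answer then usually arrives as a second, conflicting response to the same transaction. The following is an added example written for this listing, not the authors' system: a detector that sits beside a recursive resolver watching its upstream traffic, derives a per-server floor from earlier uncached responses, and flags both symptoms. The baselines and events are constructed.

```python
"""Flagging DNS answers by response-time plausibility.

Added example, not the authors' system: it implements the observation their
method rests on, that at a given level of the resolution chain an uncached
answer falls in a predictable response-time band, so a forged answer that
lands well below a server's floor is suspicious, and the genuine answer then
usually arrives as a second, conflicting response. Sits beside a recursive
resolver watching its upstream traffic. Baselines and events are constructed.
"""
import statistics
from collections import defaultdict


class TimingDetector:
    def __init__(self, baselines, k=3.0):
        """baselines: {server: [rtt_ms, ...]} of earlier uncached answers from
        that server; k: robust sigmas below the median that count as too fast."""
        self.floor = {}
        for server, samples in baselines.items():
            med = statistics.median(samples)
            mad = statistics.median(abs(s - med) for s in samples) or 1.0
            self.floor[server] = med - k * 1.4826 * mad
        self.seen = defaultdict(list)  # (server, txid, qname) -> answers so far

    def observe(self, event):
        """event: {server, txid, qname, rtt_ms, answer}. Returns a reason string
        when the response is suspicious, else None."""
        key = (event["server"], event["txid"], event["qname"])
        prior = self.seen[key]
        if prior and event["answer"] not in prior:
            prior.append(event["answer"])
            return (f"conflicting second answer for {event['qname']}: "
                    f"{prior[0]} then {event['answer']}")
        prior.append(event["answer"])
        floor = self.floor.get(event["server"])
        if floor is not None and event["rtt_ms"] < floor:
            return (f"{event['qname']} answered in {event['rtt_ms']} ms, "
                    f"below the {floor:.1f} ms floor for {event['server']}")
        return None


# Constructed: ten earlier uncached answers from the upstream ns1.example.
BASELINES = {"ns1.example": [38, 42, 40, 45, 39, 41, 43, 40, 44, 42]}

# Constructed: a normal lookup, then a forged answer that wins the race and the
# genuine answer that follows it for the same transaction.
EVENTS = [
    {"server": "ns1.example", "txid": 0x1A2B, "qname": "www.example",
     "rtt_ms": 40, "answer": "203.0.113.10"},
    {"server": "ns1.example", "txid": 0x7C3D, "qname": "portal.example",
     "rtt_ms": 3, "answer": "198.51.100.66"},
    {"server": "ns1.example", "txid": 0x7C3D, "qname": "portal.example",
     "rtt_ms": 41, "answer": "203.0.113.20"},
]


def run(events=EVENTS, baselines=BASELINES):
    det = TimingDetector(baselines)
    return [det.observe(e) for e in events]


if __name__ == "__main__":
    for r in run():
        print(r)
```

The floor must be learned from uncached answers at the level being watched; a resolver's own cache hits are legitimately fast, which is why the paper separates response-time profiles per level of the hierarchy. The conflicting-answer rule needs no baseline at all and is the cheaper of the two signals to deploy.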
15. Analysis of planes of attacks on the Blockchain system
- Author
-
G.Z. Khalimov, E.V. Kotukh, and P.I. Stetsenko
- Subjects
Application Context, Network architecture, Blockchain, Computer science, Denial-of-service attack, Cryptography, General Medicine, Computer security, Task (computing), DNS spoofing, Architecture - Abstract
This paper presents a study of attack surfaces (planes) and possible ways of conducting various attacks on decentralized systems based on Blockchain technology. To accomplish this task, the effectiveness of an attack is studied relative to the plane of its application, namely: the cryptographic designs of Blockchain technology, the distributed architecture of Blockchain-based systems, and the Blockchain application context. Several attacks have been identified for each of these planes, including malicious mining strategies, coordinated peer behavior, 51% attacks, domain name system (DNS) attacks, distributed denial of service attacks, delayed consensus, Blockchain branching, orphaned and obsolete blocks, digital wallet theft and privacy attacks. An attack by malicious mining allows an attacker to increase rewards by intentionally keeping his blocks hidden in order to obtain a longer version of the Blockchain ledger than the current main version. A 51% attack occurs when a single attacker, a group of nodes, or a mining pool (a combination of miners) in a network reaches a majority of the total mining processing power in the system and gains the ability to manipulate the functionality of the Blockchain system. In the plane of DNS attacks, an attacker can potentially isolate peers of the Blockchain system, distribute fake blocks with fraudulent transactions among new nodes, and invalidate transactions. Manifestations of DDoS attacks can vary, depending on the nature of the Blockchain application's functionality, the features of its network architecture and the behavior of peer nodes. Measures to counter attacks on the peer-to-peer architecture are considered.
- Published
- 2020
- Full Text
- View/download PDF
16. Analysis of Malware Dns Attack on the Network Using Domain Name System Indicators
- Author
-
Beni Brahara, Yesi Novaria Kunang, and Dedy Syamsuar
- Subjects
DNS malware, Computer science, Domain Name System, anomaly, normal traffic, Filter (signal processing), Domain (software engineering), DGA, malicious traffic, Server, Malware, Table (database), Domain analysis, DNS spoofing, Data mining, log - Abstract
The University of Bina Darma Palembang has its own DNS server, and this study uses log data from that server. The DNS server log data are analyzed as network traffic using network analyzer tools to see whether the activity is normal traffic or anomalous traffic, or even contains DGA (domain generation algorithm) malware. DGA malware produces a number of random domain names that are used to infiltrate DNS servers. DGAs are detected using DNS traffic, specifically NXDomain responses. The result is that each domain name in a group of domains is generated by one domain that is used at short intervals, and the group simultaneously has a similar lifetime and query style. This pattern is then sought in NXDomain DNS traffic to filter out algorithmically generated domains that indicate a DGA. In analyzing whether DNS traffic contains malware and whether network traffic is normal or anomalous, this study detects DNS malware. From the results of these stages, a table of suspected domains indicated as malware is created, together with a list of suspected IP addresses. To support the suspected-domain analysis results, an infographic is displayed using RapidMiner tools to test the decisions made with the previous tools using the Decision Tree method.
- Published
- 2020
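Entry 3 (Arunachalam et al.) learns DGA and homograph names from the characters of the label, and entry 16 (Brahara et al.) triages DGA activity from the burst of NXDOMAIN answers a compromised client receives while its malware walks a candidate list. The following is an added example for this listing, not the deep-learning model of the first paper nor the RapidMiner workflow of the second: it computes both signals with hand-written, readable heuristics (label entropy, vowel and digit ratios, a confusables skeleton checked against a brand watchlist, and a per-client NXDOMAIN sliding window) so the thresholds are visible and tunable. The watchlist, the confusables subset, the thresholds and the log lines are constructed.

```python
"""Readable heuristics for the two signals behind DGA/homograph detection.

Added example, not the deep-learning model of Arunachalam et al. nor the
RapidMiner workflow of Brahara et al.: it computes by hand the two things
those papers learn from, the character statistics of a label and bursts of
NXDOMAIN answers to one client, so thresholds are visible and tunable. The
brand watchlist, the confusables subset, the thresholds and the log lines are
constructed for the example.
"""
import math
import re
from collections import Counter, defaultdict
from datetime import datetime

BRAND_WATCHLIST = {"apple.com", "paypal.com", "google.com"}  # assumption
# Assumption: a hand-picked subset of Unicode TR39 confusables, Cyrillic and
# Greek letters that render like Latin ones. Not the full table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u03bf": "o", "\u03b1": "a", "\u03c1": "p",
}
VOWELS = set("aeiou")
LOG_RE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+)$")


def to_unicode(domain):
    """Decode punycode labels; a name that is already Unicode passes through."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def skeleton(domain):
    """Latin look-alike form of a domain, per the confusables subset above."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in to_unicode(domain).lower())


def is_homograph(domain):
    """True when the name is not a watched brand but renders like one."""
    return domain.lower() not in BRAND_WATCHLIST and skeleton(domain) in BRAND_WATCHLIST


def label_features(label):
    """Character statistics of one label (lower-cased, hyphens dropped)."""
    s = label.lower().replace("-", "")
    n = max(len(s), 1)
    counts = Counter(s)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    return {
        "length": len(s),
        "entropy": entropy,
        "vowel_ratio": sum(ch in VOWELS for ch in s) / n,
        "digit_ratio": sum(ch.isdigit() for ch in s) / n,
    }


def looks_generated(domain):
    """Long, high-entropy and vowel-poor or digit-heavy. Thresholds are
    assumptions picked for the sample below, not learned. Uses the longest
    label; a deployment would take the registrable label via the public suffix list."""
    f = label_features(max(domain.split("."), key=len))
    return (f["length"] >= 8 and f["entropy"] >= 3.3
            and (f["vowel_ratio"] < 0.2 or f["digit_ratio"] >= 0.2))


def nxdomain_bursts(log_lines, window_s=60, min_hits=3):
    """Clients receiving >= min_hits NXDOMAIN answers for generated-looking
    names within any window_s seconds: the probing pattern of DGA malware
    walking its candidate list. Returns {client: total such answers}."""
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, rcode = m.groups()
        if rcode == "NXDOMAIN" and looks_generated(qname):
            hits[client].append(datetime.fromisoformat(ts).timestamp())
    suspects = {}
    for client, times in hits.items():
        times.sort()
        for i in range(len(times) - min_hits + 1):
            if times[i + min_hits - 1] - times[i] <= window_s:
                suspects[client] = len(times)
                break
    return suspects


# Constructed resolver log: "<timestamp> <client> query <qname> <rcode>".
SAMPLE_LOG = """\
2020-03-01T10:00:01 10.1.1.7 query kq3vxz7pmw9lt.net NXDOMAIN
2020-03-01T10:00:02 10.1.1.7 query xjq2bfn8wzlk.com NXDOMAIN
2020-03-01T10:00:02 10.1.1.9 query www.google.com NOERROR
2020-03-01T10:00:04 10.1.1.7 query ufxhaqwdlpn.net NXDOMAIN
2020-03-01T10:00:05 10.1.1.9 query cdn.cloudfront-assets-prod.example NXDOMAIN
2020-03-01T10:00:09 10.1.1.9 query typo-of-wordpress.org NXDOMAIN
"""

if __name__ == "__main__":
    print(nxdomain_bursts(SAMPLE_LOG.splitlines()))
    print(is_homograph("\u0430pple.com".encode("idna").decode("ascii")))
```

The entropy test alone is not enough: a long legitimate label such as cloudfront-assets-prod scores above 3.5 bits, and it is the vowel ratio that keeps it out, which is the kind of hand-tuned interaction a learned model replaces. The homograph check works on the punycode form a resolver actually sees, since the Cyrillic first letter of the sample name is invisible once the label is rendered.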
17. DNS Cache Poisoning Attack: Resurrections with Side Channels
- Author
-
Keyu Man, Zhiyun Qian, and Xin'an Zhou
- Subjects
Computer science, Attack surface, Computer security, Internet Control Message Protocol, Ephemeral port, Software, The Internet, DNS spoofing, Side channel attack, Randomness - Abstract
DNS is one of the fundamental and ancient protocols on the Internet that supports many network applications and services. Unfortunately, DNS was designed without security in mind and is subject to a variety of serious attacks, one of which is the well-known DNS cache poisoning attack. Over the decades of evolution, it has proven extraordinarily challenging to retrofit strong security features into it. To date, only weaker versions of defenses based on the principle of randomization have been widely deployed, e.g., the randomization of UDP ephemeral port number, making it hard for an off-path attacker to guess the secret. However, as it has been shown recently, such randomness is subject to clever network side channel attacks, which can effectively derandomize the ephemeral port number. In this paper, we conduct an analysis of the previously overlooked attack surface, and are able to uncover even stronger side channels that have existed for over a decade in Linux kernels. The side channels affect not only Linux but also a wide range of DNS software running on top of it, including BIND, Unbound and dnsmasq. We also find about 38% of open resolvers (by frontend IPs) and 14% (by backend IPs) are vulnerable including the popular DNS services such as OpenDNS and Quad9. We have extensively validated the attack experimentally under realistic configuration and network conditions and showed that it works reliably and fast.
- Published
- 2021
- Full Text
- View/download PDF
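Entry 6 describes the attacker's goal, getting a client to accept a forged answer for the portal's name, and entry 17 describes the only defences a resolver has against that off-path: a random 16-bit transaction ID and a random UDP source port, the latter being what the side channels strip away. The following is an added example for this listing, not code from either paper: a minimal RFC 1035 wire-format builder and parser with the acceptance check a caching resolver applies, showing a genuine answer accepted, a forgery with the right port but wrong ID dropped, a forgery with the right ID on the wrong port dropped, and the expected number of forged packets with and without port randomization. Names, ports and addresses are constructed.

```python
"""What a resolver checks before accepting a DNS answer, and the off-path odds.

Added example, not code from either paper: a minimal RFC 1035 wire-format
builder/parser and the acceptance check a caching resolver applies to a UDP
answer. The three secrets an off-path forger must hit are the randomized
source port, the 16-bit transaction ID and the question being asked; once a
side channel reveals the port, only 16 bits are left. Names, ports and
addresses are constructed.
"""
import os
import struct
from dataclasses import dataclass

QTYPE_A, QCLASS_IN = 1, 1


@dataclass
class Pending:
    """An outstanding query as the resolver remembers it."""
    txid: int
    src_port: int
    qname: str


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Read a (possibly compressed) name at msg[off]; returns (name, next_off)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0 == 0xC0:  # compression pointer, RFC 1035 4.1.4
            ptr = struct.unpack("!H", msg[off - 1:off + 1])[0] & 0x3FFF
            name, _ = decode_name(msg, ptr)
            labels.append(name)
            return ".".join(labels), off + 1
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def build_query(txid, name):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_response(txid, name, ipv4, ttl=300):
    """One A record answering `name`; used for both genuine and forged answers."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; 1 answer
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)  # name -> offset 12
    return header + question + rr + bytes(int(x) for x in ipv4.split("."))


def parse_response(msg):
    """Returns (txid, qname, [A addresses]) or None if not a one-question response."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000 or qd != 1:
        return None
    qname, off = decode_name(msg, 12)
    off += 4  # QTYPE, QCLASS
    answers = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            answers.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return txid, qname, answers


def accept(pending, dst_port, msg):
    """Resolver-side acceptance: port, transaction ID and question must all match."""
    parsed = parse_response(msg)
    if parsed is None or dst_port != pending.src_port:
        return None
    txid, qname, answers = parsed
    if txid != pending.txid or qname.lower() != pending.qname.lower():
        return None
    return answers


def expected_forgeries(port_bits, txid_bits=16):
    """Forged packets an off-path attacker must send, on average, to hit the
    secret before the real answer lands: half the space of port x ID values."""
    return 2 ** (port_bits + txid_bits) // 2


def demo():
    """Genuine answer, then two forgeries: wrong ID on the right port (the
    situation after a port-derandomizing side channel), and right ID on a port
    the resolver is not listening on."""
    pending = Pending(int.from_bytes(os.urandom(2), "big"), 41234, "portal.example")
    genuine = accept(pending, 41234, build_response(pending.txid, "portal.example", "203.0.113.10"))
    wrong_id = (pending.txid + 1) & 0xFFFF
    bad_id = accept(pending, 41234, build_response(wrong_id, "portal.example", "198.51.100.66"))
    bad_port = accept(pending, 53000, build_response(pending.txid, "portal.example", "198.51.100.66"))
    return genuine, bad_id, bad_port


if __name__ == "__main__":
    print(demo(), expected_forgeries(0), expected_forgeries(16))
```

With a fixed or leaked source port the attacker needs about 32,768 forgeries on average, which fits in the window before a genuine answer arrives on a fast link; with a full 16 bits of port entropy the figure is about 2^31, which is why derandomizing the port is the whole game in the paper's side channels. A real resolver also checks that the answer came from the address it sent the query to, and DNSSEC validation removes the race entirely for signed zones.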
18. Let's Downgrade Let's Encrypt
- Author
-
Haya Shulman, Michael Waidner, and Tianxiang Dai
- Subjects
Name server, Computer science, Public key infrastructure, Downgrade, Adversary, Man-in-the-middle attack, Encryption, Computer security, Domain (software engineering), DNS spoofing - Abstract
Following the recent off-path attacks against PKI, Let's Encrypt deployed in 2020 domain validation from multiple vantage points to ensure security even against the stronger on-path MitM adversaries. The idea behind such distributed domain validation is that even if the adversary can hijack traffic of some vantage points, it will not be able to intercept traffic of all the vantage points to all the nameservers in a domain. In this work we show that two central design issues of the distributed domain validation of Let's Encrypt make it vulnerable to downgrade attacks: (1) the vantage points are selected from a small fixed set of vantage points, and (2) the way the vantage points select the nameservers in target domains can be manipulated by a remote adversary. We develop off-path methodologies, based on these observations, to launch downgrade attacks against Let's Encrypt. The downgrade attacks reduce the validation with 'multiple vantage points to multiple nameservers' to validation with 'multiple vantage points to a single attacker-selected nameserver'. Through experimental evaluations with Let's Encrypt and 1M Let's Encrypt-certified domains, we find that our off-path attacker can successfully launch downgrade attacks against more than 24.53% of the domains, causing Let's Encrypt to use a single nameserver for validation with them. We then develop an automated off-path attack against the 'single-server' domain validation for these 24.53% of domains, to obtain fraudulent certificates for more than 107K domains, which constitute 10% of the 1M domains in our dataset. We also evaluate our attacks against other major CAs and compare the security and effort needed to launch the attacks to those needed to launch the attacks against Let's Encrypt. We provide recommendations for mitigations against our attacks.
- Published
- 2021
- Full Text
- View/download PDF
19. DNS water torture detection in the data plane
- Author
-
Shir Landau Feibish and Alexander Kaplan
- Subjects
business.industry ,Computer science ,Feature (computer vision) ,Server ,Resolver ,ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS ,Forwarding plane ,False positive paradox ,Range (statistics) ,DNS spoofing ,business ,Word (computer architecture) ,Computer network - Abstract
DNS Water Torture (also known as the Random Subdomain attack) has been gaining popularity since the severe impact of the 2016 Mirai attack on Dyn's DNS servers, which caused a large number of sites to become unavailable. One existing solution is rate limiting, which is not effective in cases where the attack is highly distributed. A more robust solution is provided by DNSSEC, which enables a range of subdomains to be declared non-existent following a single NXDOMAIN response. However, the deployment of DNSSEC has been limited, and the resolver needs to explicitly support this feature. In this work we propose a solution that runs in the data plane in front of the DNS resolver, meaning it does not require any resolver compatibility and can potentially react to the attack at an earlier stage and avoid much of the malicious traffic generated by the attack. We present WORD, a system for statistical detection of DNS Water Torture that is implemented directly in the data plane using the P4 language. WORD efficiently collects data about DNS requests and responses on a per-domain basis and alerts the control plane if malicious traffic is detected. The solution we present succeeds in detecting the attack within the notably confined resources of the data plane, while reducing false positives by separately addressing domains which naturally have large numbers of subdomains (e.g. wordpress). In addition, our solution is easily extensible to further DNS-related data plane processing, such as other types of DNS attacks or the collection of other DNS statistics in the data plane.
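The per-domain counting idea the abstract describes, as an added example in Python (it is not WORD itself, which the paper implements in P4 for the data plane): responses are aggregated per registered domain, a domain is flagged when its NXDOMAIN count and NXDOMAIN ratio both cross a threshold, and domains that legitimately host many subdomains get a higher bar so they do not trigger false positives. The log format, the "last two labels" rule for the registered domain, the thresholds and the allowlist are assumptions for the example; the traffic is constructed, not captured.

```python
"""Per-domain NXDOMAIN statistics in the spirit of WORD (added example, not the paper's code).
Assumptions: one response per line as 'epoch client qname rcode'; the registered domain is
the last two labels; thresholds and the many-subdomain allowlist are illustrative."""
from collections import defaultdict
from dataclasses import dataclass, field

NX_THRESHOLD = 20          # NXDOMAIN answers per window before a domain is considered
NX_RATIO = 0.8             # fraction of a domain's answers that must be NXDOMAIN
# Domains that naturally serve huge numbers of subdomains (the paper's wordpress case)
# are given a much higher absolute bar instead of being ignored outright.
MANY_SUBDOMAIN_DOMAINS = {"wordpress.com"}
MANY_SUBDOMAIN_FACTOR = 10


@dataclass
class DomainStats:
    total: int = 0
    nxdomain: int = 0
    clients: set = field(default_factory=set)   # distinct sources, to see how distributed it is


def registered_domain(qname: str) -> str:
    """Assumption: registered domain = last two labels (no public-suffix list here)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_line(line: str):
    """Parse 'epoch client qname rcode'; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4 or not parts[0].isdigit():
        return None
    ts, client, qname, rcode = parts
    return int(ts), client, qname, rcode.upper()


def collect(lines):
    """Aggregate responses per registered domain, like WORD's per-domain registers."""
    stats = defaultdict(DomainStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        _, client, qname, rcode = rec
        s = stats[registered_domain(qname)]
        s.total += 1
        s.clients.add(client)
        if rcode == "NXDOMAIN":
            s.nxdomain += 1
    return stats


def detect(stats):
    """Return (domain, nxdomain, total, distinct clients) for domains that look attacked."""
    alerts = []
    for dom, s in stats.items():
        threshold = NX_THRESHOLD
        if dom in MANY_SUBDOMAIN_DOMAINS:
            threshold *= MANY_SUBDOMAIN_FACTOR
        if s.nxdomain >= threshold and s.nxdomain / s.total >= NX_RATIO:
            alerts.append((dom, s.nxdomain, s.total, len(s.clients)))
    return sorted(alerts)


def constructed_log():
    """Constructed sample traffic, not a real capture."""
    lines = [f"100{i % 10} 10.0.0.{i} www.example.com. NOERROR" for i in range(10)]
    # distributed random-subdomain flood against victim.org from 40 different clients
    lines += [f"1001 10.1.{i // 256}.{i % 256} x{i:04x}q.victim.org. NXDOMAIN" for i in range(40)]
    # wordpress-style domain: many missing subdomains, but far below its raised bar
    lines += [f"1002 10.0.0.9 blog{i}.wordpress.com. NXDOMAIN" for i in range(25)]
    lines += [f"1002 10.0.0.9 site{i}.wordpress.com. NOERROR" for i in range(5)]
    lines.append("garbage line")   # exercises the malformed-line path
    return lines


def run():
    return detect(collect(constructed_log()))


if __name__ == "__main__":
    for dom, nx, total, clients in run():
        print(f"ALERT {dom}: {nx}/{total} NXDOMAIN from {clients} clients")
```

Only victim.org is reported: wordpress.com has the same NXDOMAIN ratio but 25 answers against a bar of 200, which is the false-positive separation the abstract refers to. A real data-plane version would replace the dictionary with fixed-size register arrays indexed by a hash of the domain.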
- Published
- 2021
- Full Text
- View/download PDF
20. From IP to transport and beyond
- Author
-
Tianxiang Dai, Haya Shulman, Philipp Jeitner, and Michael Waidner
- Subjects
FOS: Computer and information sciences ,IP hijacking ,Computer Science - Cryptography and Security ,Voice over IP ,Computer science ,business.industry ,ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS ,Denial-of-service attack ,Cryptography ,Computer security ,computer.software_genre ,ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS ,Filter (video) ,The Internet ,DNS spoofing ,Routing (electronic design automation) ,business ,Cryptography and Security (cs.CR) ,computer - Abstract
We perform the first analysis of methodologies for launching DNS cache poisoning: manipulation at the IP layer, hijack of the inter-domain routing and probing open ports via side channels. We evaluate these methodologies against DNS resolvers in the Internet and compare them with respect to effectiveness, applicability and stealth. Our study shows that DNS cache poisoning is a practical and pervasive threat. We then demonstrate cross-layer attacks that leverage DNS cache poisoning for attacking popular systems, ranging from security mechanisms, such as RPKI, to applications, such as VoIP. In addition to more traditional adversarial goals, most notably impersonation and Denial of Service, we show for the first time that DNS cache poisoning can even enable adversaries to bypass cryptographic defences: we demonstrate how DNS cache poisoning can facilitate BGP prefix hijacking of networks protected with RPKI even when all the other networks apply route origin validation to filter invalid BGP announcements. Our study shows that DNS plays a much more central role in the Internet security than previously assumed. We recommend mitigations for securing the applications and for preventing cache poisoning.
- Published
- 2021
- Full Text
- View/download PDF
21. Exploring the Attack Surface of Blockchain: A Comprehensive Survey
- Author
-
Jeffrey Spaulding, Charles A. Kamhoua, DaeHun Nyang, Sachin Shetty, Muhammad Saad, Laurent Njilla, and David Mohaisen
- Subjects
Application Context ,Blockchain ,Smart contract ,Computer science ,business.industry ,Data_MISCELLANEOUS ,020206 networking & telecommunications ,Denial-of-service attack ,Cryptography ,02 engineering and technology ,Attack surface ,Computer security ,computer.software_genre ,0202 electrical engineering, electronic engineering, information engineering ,020201 artificial intelligence & image processing ,DNS spoofing ,Electrical and Electronic Engineering ,business ,computer ,Block (data storage) - Abstract
In this paper, we systematically explore the attack surface of the Blockchain technology, with an emphasis on public Blockchains. Towards this goal, we attribute attack viability in the attack surface to 1) the Blockchain cryptographic constructs, 2) the distributed architecture of the systems using Blockchain, and 3) the Blockchain application context. To each of those contributing factors, we outline several attacks, including selfish mining, the 51% attack, DNS attacks, distributed denial-of-service (DDoS) attacks, consensus delay (due to selfish behavior or distributed denial-of-service attacks), Blockchain forks, orphaned and stale blocks, block ingestion, wallet thefts, smart contract attacks, and privacy attacks. We also explore the causal relationships between these attacks to demonstrate how various attack vectors are connected to one another. A secondary contribution of this work is outlining effective defense measures taken by the Blockchain technology or proposed by researchers to mitigate the effects of these attacks and patch associated vulnerabilities.
- Published
- 2020
- Full Text
- View/download PDF
22. A Demonstration of Practical DNS Attacks and their Mitigation Using DNSSEC
- Author
-
Kevin Curran, Israr Khan, and William Farrelly
- Subjects
World Wide Web ,Thesaurus (information retrieval) ,Computer science ,020204 information systems ,0202 electrical engineering, electronic engineering, information engineering ,020206 networking & telecommunications ,02 engineering and technology ,DNS spoofing - Abstract
The authors implement common attacks on a DNS server and demonstrate that DNSSEC is an effective solution to counter DNS security flaws. This research demonstrates how to counter the zone transfer attack via the generation of DNSSEC keys on the name servers, which prevents attackers from obtaining a full zone transfer, since a transfer request without the keys is denied by the primary server. This article also provides a detailed scenario of how DNSSEC can be used as a mechanism to protect against the attack if an attacker tries to perform cache poisoning. The authors ultimately show that a DNSSEC server will not accept responses from unauthorised entities and would only accept responses which are authenticated throughout the DNSSEC chain of trust.
- Published
- 2020
- Full Text
- View/download PDF
23. An analysis of security solutions for ARP poisoning attacks and its effects on medical computing
- Author
-
Ajith Abraham, B. Prabadevi, and N. Jeyanthi
- Subjects
Stateless protocol ,Computer science ,Strategy and Management ,020206 networking & telecommunications ,Denial-of-service attack ,02 engineering and technology ,Intrusion detection system ,Computer security ,computer.software_genre ,Information sensitivity ,0202 electrical engineering, electronic engineering, information engineering ,ARP spoofing ,020201 artificial intelligence & image processing ,Address Resolution Protocol ,DNS spoofing ,Safety, Risk, Reliability and Quality ,computer ,Host (network) - Abstract
Network utilization has reached its maximum level due to the availability of high-end technologies at the lowest cost. This has enabled network users to share sensitive information such as account details, patient records, genomics data for biomedical research and defence details, leading to cyber-war. Data are vulnerable at any level of communication. The link-layer Address Resolution Protocol (ARP) is initiated for any data communication to take place among the hosts in a LAN. Because of the stateless nature of this protocol, it has been misused for illegitimate activities. These activities lead to the most devastating attacks, such as Denial of Service, Man-in-the-Middle, host impersonation, sniffing and cache poisoning. Though various host-based and network-based intrusion detection/prevention techniques exist, they fail to provide a complete solution for this type of poisoning. This paper analyzes the existing defence systems against ARP attacks and proposes three different techniques for detecting and preventing them. The three techniques ensure the security of traditional ARP, and their impact is assessed in medical computing, where a single bit inversion could lead to a wrong diagnosis.
- Published
- 2019
- Full Text
- View/download PDF
24. Cache Effect of Shared DNS Resolver
- Author
-
Akira Sato, Kazunori Fujiwara, and Kenichi Yoshida
- Subjects
Computer Networks and Communications ,Computer science ,business.industry ,DNS zone transfer ,Domain Name System ,ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS ,Round-robin DNS ,020206 networking & telecommunications ,02 engineering and technology ,020210 optoelectronics & photonics ,Campus network ,Software deployment ,Server ,Resolver ,0202 electrical engineering, electronic engineering, information engineering ,Key (cryptography) ,DNS root zone ,020201 artificial intelligence & image processing ,The Internet ,DNS spoofing ,Cache ,Electrical and Electronic Engineering ,business ,Software ,Computer network - Abstract
The Domain Name System (DNS) is a key part of the infrastructure of the Internet. Recent discussions have centered on the removal of the shared DNS resolver and the use of a local full-service resolver instead. From the viewpoint of the cache mechanism, these discussions involve removing the shared DNS cache from the Internet. Although the removal of unnecessary parts from a total system tends to simplify the system, such a large configuration change would need to be carefully analyzed before its actual deployment. This paper presents our analysis of the effect of a shared DNS resolver based on campus network traffic. Our findings were as follows: 1) this removal can be expected to amplify the DNS traffic by about 3.3 times, 2) the amplification ratio on the root DNS is much higher (about 10.9 times), and 3) removal of all caching systems from the Internet is likely to amplify the DNS traffic by approximately 12.1 times. Thus, the above-mentioned shared DNS resolver removal should not be considered. Our data analysis also revealed 4) an increase in the number of clients that do not have a local DNS cache and generate repeated queries at short intervals (less than 1 min), and 5) since the amount of traffic from such clients is not small (about 95.0% of total DNS traffic), the deployment of a local cache itself is feasible.
- Published
- 2019
- Full Text
- View/download PDF
25. Smart collaborative distribution for privacy enhancement in moving target defense
- Author
-
Ilsun You, Tian-Ming Zhao, Yu Wang, Hongke Zhang, Fei Song, and Yutong Zhou
- Subjects
Scheme (programming language) ,Information Systems and Management ,Computer science ,Domain Name System ,05 social sciences ,Survivability ,Vulnerability ,050301 education ,02 engineering and technology ,Computer security ,computer.software_genre ,Port (computer networking) ,Computer Science Applications ,Theoretical Computer Science ,Artificial Intelligence ,Control and Systems Engineering ,0202 electrical engineering, electronic engineering, information engineering ,Dependability ,020201 artificial intelligence & image processing ,DNS spoofing ,0503 education ,computer ,Software ,Vulnerability (computing) ,computer.programming_language - Abstract
Moving Target Defense (MTD) has been widely discussed in many communities as a way to upgrade network reliability, survivability, dependability, etc. However, utilizing MTD for privacy protection still needs more investigation. In this paper, we propose a smart collaborative distribution scheme to enhance privacy based on MTD guidelines. A target application scenario is the Domain Name System (DNS), which is experiencing serious and complex privacy issues. The preliminary and potential risks are first analyzed based on DNS attack approaches, DNS server locations and the vulnerability of user privacy. Then, the details of our scheme are illustrated through port number assignment patterns, the main procedures of dynamic port hopping and the implementation method. To quantitatively evaluate the performance, an analytical model was established from theoretical perspectives. The relationships between multiple parameters and overall system capacity are explored as well. The validation results demonstrate that the smart collaborative distribution is able to improve privacy without affecting the basic DNS functionality.
- Published
- 2019
- Full Text
- View/download PDF
26. DNS-over-TCP considered vulnerable
- Author
-
Haya Shulman, Tianxiang Dai, and Michael Waidner
- Subjects
Name server ,Exploit ,Computer science ,Network packet ,business.industry ,Server ,ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS ,Attack surface ,DNS spoofing ,IP fragmentation ,business ,Market fragmentation ,Computer network - Abstract
The research and operational communities believe that TCP provides protection against IP fragmentation attacks and recommend that servers avoid sending DNS responses over UDP but use TCP instead. In this work we show that IP fragmentation attacks also apply to servers that communicate over TCP. Our measurements indicate that in the 100K-top Alexa domains there are 393 additional domains whose nameservers can be forced to (source) fragment IP packets that contain TCP segments. In contrast, responses from these domains cannot be forced to fragment when sent over UDP. Our study not only shows that the recommendation to use TCP instead of UDP in order to avoid attacks that exploit fragmentation is risky, but it also unveils that the attack surface due to fragmentation is larger than was previously believed. We evaluate IP fragmentation-based DNS cache poisoning attacks against DNS responses over TCP.
- Published
- 2021
- Full Text
- View/download PDF
27. Exploiting Queue-driven Cache Replacement Technique for Thwarting Pollution Attack in ICN
- Author
-
Mercy Shalinie S, Abishek Joshua T, Rajesh Alias Harinarayan R, K Narasimma Mallikaarjunan, J Dharani, and Vimala Rani
- Subjects
business.industry ,Computer science ,Testbed ,Cache ,DNS spoofing ,Active queue management ,Cache pollution ,business ,Literature survey ,Queue ,Computer network ,Scheduling (computing) - Abstract
Information Centric Networking (ICN) is the upcoming next-generation Internet. Ubiquitous caching is a primary goal of ICN, to reduce content latency and increase the user satisfaction ratio in the network. Because of this pervasive caching, it is prone to security attacks, namely the Cache Pollution Attack (CPA) and the cache poisoning attack. From a thorough literature survey, CPA attacks are more vulnerable than other security threats. In this paper, we propose Fuzzy C-Means Clustering (FuCL) for CPA attack detection in ICN. Then we propose a novel Multi-Queue Management technique for uninterrupted service provisioning to users during the attack period. This hybrid approach utilizes the best of Active Queue Management (AQM) for assigning service scheduling to each user. We are the first to leverage fuzzy decision making for content prioritization in the queue. Finally, we adopt a fuzzy-based cache replacement algorithm to prevent malicious content from being cached in the CS. The experiments are carried out on the ICN testbed and prove that the proposed methodology detects the attack with a better detection ratio and achieves a higher cache hit ratio compared to state-of-the-art solutions.
- Published
- 2021
- Full Text
- View/download PDF
28. Poster: Fragmentation Attacks on DNS over TCP
- Author
-
Michael Waidner, Tianxiang Dai, and Haya Shulman
- Subjects
Name server ,business.industry ,Computer science ,Network packet ,Server ,ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS ,DNS spoofing ,Attack surface ,IP fragmentation ,business ,Computer network ,Market fragmentation - Abstract
The research and operational community believe that TCP provides protection against IP fragmentation based attacks and recommend that servers avoid sending responses over UDP and use TCP instead. In this work we show for the first time that IP fragmentation attacks may also apply to communication over TCP. We perform a study of the nameservers in the 100K-top Alexa domains and find that 454 domains are vulnerable to IP fragmentation attacks. Of these domains, we find 366 additional domains that are vulnerable only to IP fragmentation attacks on communication with TCP. We also find that the servers vulnerable to TCP fragmentation can be forced to fragment packets to much smaller sizes (of less than 292 bytes) than servers vulnerable to UDP fragmentation (not below 548 bytes). This makes the impact of the attacks against servers vulnerable to fragmentation of TCP segments much more detrimental. Our study not only shows that the recommendation to use TCP and avoid UDP is risky but it also shows that the attack surface due to fragmentation is larger than was previously believed. We evaluate known IP fragmentation-based DNS cache poisoning attacks against DNS responses over TCP.
- Published
- 2021
- Full Text
- View/download PDF
29. Poster: Off-path VoIP Interception Attacks
- Author
-
Tianxiang Dai, Haya Shulman, and Michael Waidner
- Subjects
Voice over IP ,Computer science ,business.industry ,InformationSystems_INFORMATIONSYSTEMSAPPLICATIONS ,ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS ,Computer security ,computer.software_genre ,The Internet ,DNS spoofing ,Telephony ,business ,computer ,Protocol (object-oriented programming) ,PATH (variable) - Abstract
The proliferation of Voice-over-IP (VoIP) technologies make them a lucrative target of attacks. While many attack vectors have been uncovered, one critical vector has not yet received attention: hijacking telephony via DNS cache poisoning. We demonstrate practical VoIP hijack attacks by manipulating DNS responses with a weak off-path attacker. We evaluate our attacks against popular telephony VoIP systems in the Internet and provide a live demo of the attack against Extensible Messaging and Presence Protocol at https://sit4.me/M4.
- Published
- 2021
- Full Text
- View/download PDF
30. EDITH - A Robust Framework for Prevention of Cyber Attacks in the Covid Era
- Author
-
A Prajwal and Adwitiya Mukhopadhyay
- Subjects
business.industry ,Computer science ,Cloud computing ,Server Message Block ,computer.software_genre ,Computer security ,Port (computer networking) ,Phishing ,Electronic mail ,Trap (computing) ,ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS ,Malware ,DNS spoofing ,business ,computer - Abstract
In the era of cloud technology, all the emails sent from one person to another need to be secure. Security attacks like email phishing, EBomb, DNS spoofing and so on have become a trend in this digital era. Among the said attacks, email phishing has been observed to be the most common one used by attackers to trap victims, using fake emails with embedded malware, which non-cyber professionals are not made aware of. The current pandemic, Covid-19, which is storming the whole world and forcing people everywhere to stay indoors, has indirectly increased everyone's online digital footprint, so there is an increase in exposed SMB (Server Message Block) ports all over the world, which lets attackers find their victims easily through unique, dynamic and various other vulnerabilities. The standard virus and malware detection software that IT companies previously provided to their employees and to general Internet users has proven not to be that effective against these. So we propose a different approach, along with a tool kit, that will work to identify embedded malware files and fake websites more dynamically and effectively.
- Published
- 2021
- Full Text
- View/download PDF
31. Web-based Real-time DNS Query Analysis System.
- Author
-
장상동
- Abstract
In this paper, we present the design and implementation of a real-time DNS Query Analysis System to detect and protect against DNS attacks. The proposed system uses mirroring to collect data in the DMZ, then analyzes the collected data. If the analysis finds attack information, that information is used as filtering information for the firewall. Statistics of the collected data are shown as real-time monitoring information on the web. To verify the effectiveness of the proposed system, we have built it and conducted some experiments. As a result, our proposed system can be used effectively to defend against DNS spoofing, DNS flooding attacks and DNS amplification attacks, can prevent attackers inside the interior network from attacking, and provides real-time DNS query statistics and geographic information for monitoring DNS queries using the GeoIP API and Google API. This can be useful information for ICT convergence and future work.
- Published
- 2015
- Full Text
- View/download PDF
32. Security of Alerting Authorities in the WWW: Measuring Namespaces, DNSSEC, and Web PKI
- Author
-
Eric Osterweil, Thomas C. Schmidt, Pouyan Fotouhi Tehrani, Jochen Schiller, and Matthias Wählisch
- Subjects
Networking and Internet Architecture (cs.NI) ,FOS: Computer and information sciences ,Service (business) ,021110 strategic, defence & security studies ,Computer Science - Cryptography and Security ,Computer science ,business.industry ,0211 other engineering and technologies ,020206 networking & telecommunications ,Public key infrastructure ,02 engineering and technology ,Service provider ,Certificate ,Computer security ,computer.software_genre ,Phishing ,Computer Science - Networking and Internet Architecture ,Threat model ,0202 electrical engineering, electronic engineering, information engineering ,The Internet ,DNS spoofing ,business ,Cryptography and Security (cs.CR) ,computer - Abstract
During disasters, crises, and emergencies the public relies on online services provided by official authorities to receive timely alerts, trustworthy information, and access to relief programs. It is therefore crucial for the authorities to reduce risks when accessing their online services. This includes catering to secure identification of service, secure resolution of name to network service, and content security and privacy as a minimum base for trustworthy communication. In this paper, we take a first look at Alerting Authorities (AA) in the US and investigate security measures related to trustworthy and secure communication. We study the domain namespace structure, DNSSEC penetration, and web certificates. We introduce an integrative threat model to better understand whether and how the online presence and services of AAs are harmed. As an illustrative example, we investigate 1,388 Alerting Authorities. We observe partial heightened security relative to the global Internet trends, yet find cause for concern as about 78% of service providers fail to deploy measures of trustworthy service provision. Our analysis shows two major shortcomings. First, how the DNS ecosystem is leveraged: about 50% of organizations do not own their dedicated domain names and are dependent on others, 55% opt for unrestricted-use namespaces, which simplifies phishing, and less than 4% of unique AA domain names are secured by DNSSEC, which can lead to DNS poisoning and possibly to certificate misissuance. Second, how Web PKI certificates are utilized: 15% of all hosts provide none or invalid certificates, thus cannot cater to confidentiality and data integrity, 64% of the hosts provide domain validation certification that lack any identity information, and shared certificates have gained on popularity, which leads to fate-sharing and can be a cause for instability. (12 pages and 8 figures)
- Published
- 2021
- Full Text
- View/download PDF
33. Two-Stage Classification Technique for Malicious DNS Identification
- Author
-
Dong-Seong Kim, Danielle Jaye S. Agron, Gabriel Chukwunonso Amaizu, and Jae-Min Lee
- Subjects
Scheme (programming language) ,0209 industrial biotechnology ,Computer science ,business.industry ,Domain Name System ,02 engineering and technology ,computer.software_genre ,Internet security ,Convolutional neural network ,Critical Internet infrastructure ,Information sensitivity ,Identification (information) ,020901 industrial engineering & automation ,0202 electrical engineering, electronic engineering, information engineering ,020201 artificial intelligence & image processing ,DNS spoofing ,Data mining ,business ,computer ,computer.programming_language - Abstract
Cyber-security has for years been a challenging topic for the research community, and many attacks have been directed at one of the most critical pieces of Internet infrastructure, the domain name system (DNS). DNS attacks are usually catastrophic and often result in the loss of sensitive information; hence this paper aims at proffering a solution to this type of attack. In this paper, a two-stage classification process is proposed for mitigating DNS attacks. The proposed scheme employs a long short-term memory network in the first stage and a convolutional neural network in the second stage. Simulation results show good classification accuracy for both stages of the proposed scheme.
- Published
- 2021
- Full Text
- View/download PDF
34. Domain Name System (DNS) Security
- Author
-
Raj Badhwar
- Subjects
ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS ,Dns security ,Stack (abstract data type) ,Computer science ,Domain Name System ,ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS ,Domain Name System Security Extensions ,DNS spoofing ,Computer security ,computer.software_genre ,computer - Abstract
The risk from DNS poisoning, tunneling and hijacking has gone up exponentially. Domain Name System Security Extensions (DNSSEC) and associated or alternative technologies like DNS over TLS (DoT) and DNS over HTTPS (DoH) can provide the needed security hardening and protection, but present both implementation challenges and some security issues. Security solutions should be more straightforward. CISOs must also make the case for NTP and DNS security services to be part of the security stack.
- Published
- 2021
- Full Text
- View/download PDF
35. A Peek into the DNS Cookie Jar
- Author
-
Casey Deccio and Jacob Davis
- Subjects
050101 languages & linguistics ,Spoofing attack ,Computer science ,Network packet ,InformationSystems_INFORMATIONSYSTEMSAPPLICATIONS ,Domain Name System ,ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS ,05 social sciences ,Denial-of-service attack ,02 engineering and technology ,Computer security ,computer.software_genre ,Identity management ,ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS ,Server ,0202 electrical engineering, electronic engineering, information engineering ,User Datagram Protocol ,020201 artificial intelligence & image processing ,0501 psychology and cognitive sciences ,DNS spoofing ,computer - Abstract
The Domain Name System (DNS) has been frequently abused for Distributed Denial of Service (DDoS) attacks and cache poisoning because it relies on the User Datagram Protocol (UDP). Since UDP is connection-less, it is trivial for an attacker to spoof the source of a DNS query or response. DNS Cookies, a protocol standardized in 2016, add pseudo-random values to DNS packets to provide identity management and prevent spoofing attacks. In this paper, we present the first study measuring the deployment of DNS Cookies in nearly all aspects of the DNS architecture. We also provide an analysis of the current benefits of DNS Cookies and the next steps for stricter deployment. Our findings show that cookie use is limited to less than 30% of servers and 10% of recursive clients. We also find several configuration issues that could lead to substantial problems if cookies were strictly required. Overall, DNS Cookies provide limited benefit in a majority of situations, and, given current deployment, do not prevent DDoS or cache poisoning attacks.
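The mechanism the abstract summarises, as an added worked example (not code from the paper): the EDNS0 COOKIE option of RFC 7873 and the interoperable server-cookie construction of RFC 9018, in which the server binds a hash to the client cookie and to the source address it actually saw the query from. A query that spoofs another address cannot carry a server cookie that verifies for that address, which is what makes the cookie a defence against spoofed reflection and off-path poisoning. The server secret, client cookies, addresses and timestamps below are constructed; the little-endian byte order used to serialise the SipHash output is an assumption, and the "last two labels" of RFC lengths are applied as stated in the comments.

```python
"""DNS Cookies (RFC 7873 / RFC 9018): option encoding, server-cookie minting and
verification. Added example, not the paper's code; secret, cookies and addresses
are constructed for illustration."""
import hmac
import ipaddress
import struct

EDNS_OPT_COOKIE = 10          # EDNS0 option code assigned to COOKIE
MASK64 = (1 << 64) - 1
MAX_AGE = 3600                # RFC 9018: refuse server cookies older than one hour
MAX_SKEW = 300                # ... or more than five minutes in the future


def _rotl(x, b):
    return ((x << b) | (x >> (64 - b))) & MASK64


def siphash24(key: bytes, msg: bytes) -> int:
    """SipHash-2-4, the hash RFC 9018 specifies for interoperable server cookies."""
    if len(key) != 16:
        raise ValueError("SipHash key must be 16 bytes")
    k0, k1 = struct.unpack("<QQ", key)
    v = [k0 ^ 0x736F6D6570736575, k1 ^ 0x646F72616E646F6D,
         k0 ^ 0x6C7967656E657261, k1 ^ 0x7465646279746573]

    def rounds(n):
        for _ in range(n):
            v[0] = (v[0] + v[1]) & MASK64; v[1] = _rotl(v[1], 13); v[1] ^= v[0]; v[0] = _rotl(v[0], 32)
            v[2] = (v[2] + v[3]) & MASK64; v[3] = _rotl(v[3], 16); v[3] ^= v[2]
            v[0] = (v[0] + v[3]) & MASK64; v[3] = _rotl(v[3], 21); v[3] ^= v[0]
            v[2] = (v[2] + v[1]) & MASK64; v[1] = _rotl(v[1], 17); v[1] ^= v[2]; v[2] = _rotl(v[2], 32)

    full = len(msg) - len(msg) % 8
    for i in range(0, full, 8):                      # 64-bit little-endian message words
        m = struct.unpack_from("<Q", msg, i)[0]
        v[3] ^= m; rounds(2); v[0] ^= m
    b = (len(msg) & 0xFF) << 56                      # final word: length byte + tail
    for i, byte in enumerate(msg[full:]):
        b |= byte << (8 * i)
    v[3] ^= b; rounds(2); v[0] ^= b
    v[2] ^= 0xFF
    rounds(4)
    return v[0] ^ v[1] ^ v[2] ^ v[3]


def build_cookie_option(client_cookie: bytes, server_cookie: bytes = b"") -> bytes:
    """EDNS0 COOKIE option: code | length | client cookie (8) [| server cookie (8..32)]."""
    data = client_cookie + server_cookie
    return struct.pack("!HH", EDNS_OPT_COOKIE, len(data)) + data


def parse_cookie_option(opt: bytes):
    """Split a COOKIE option into (client cookie, server cookie).
    RFC 7873: data length must be 8 (client only) or 16..40, anything else is FORMERR."""
    code, length = struct.unpack_from("!HH", opt)
    if code != EDNS_OPT_COOKIE or length != len(opt) - 4:
        raise ValueError("not a well-formed COOKIE option")
    data = opt[4:]
    if len(data) == 8:
        return data, b""
    if 16 <= len(data) <= 40:
        return data[:8], data[8:]
    raise ValueError("FORMERR: bad cookie length")


def mint_server_cookie(secret: bytes, client_cookie: bytes, client_ip: str, now: int) -> bytes:
    """RFC 9018 server cookie: Version=1 | Reserved(3) | Timestamp(4) | Hash(8), with
    Hash = SipHash-2-4(secret, client cookie | version | reserved | timestamp | client IP).
    Assumption: the 64-bit hash is serialised in SipHash's native little-endian order."""
    prefix = struct.pack("!B3xI", 1, now & 0xFFFFFFFF)
    h = siphash24(secret, client_cookie + prefix + ipaddress.ip_address(client_ip).packed)
    return prefix + struct.pack("<Q", h)


def verify_server_cookie(secret, client_cookie, sc, source_ip, now) -> bool:
    """True only if sc was minted by this server for this client cookie and for the
    address the packet really came from, and is inside the freshness window."""
    if len(sc) != 16 or sc[0] != 1:
        return False
    ts = struct.unpack("!I", sc[4:8])[0]
    if not (now - MAX_AGE <= ts <= now + MAX_SKEW):
        return False
    expected = mint_server_cookie(secret, client_cookie, source_ip, ts)
    return hmac.compare_digest(expected, sc)


def demo():
    """Constructed exchange: honest client, then an attacker spoofing the client's address."""
    secret = bytes(range(16))                              # constructed server secret
    victim_cc = bytes.fromhex("2464c4abcf10c957")          # constructed client cookies
    attacker_cc = bytes.fromhex("7b1f0a9cde33a5e0")
    victim_ip, attacker_ip = "198.51.100.100", "203.0.113.7"
    now = 1_700_000_000

    # Query 1: the client sends only its client cookie; the server replies with a cookie
    # bound to the source address it saw.
    cc, _ = parse_cookie_option(build_cookie_option(victim_cc))
    sc = mint_server_cookie(secret, cc, victim_ip, now)

    # Query 2: the client echoes both cookies from its own address -> accepted.
    honest = verify_server_cookie(secret, cc, sc, victim_ip, now + 60)

    # The attacker legitimately obtains a cookie for its own address, then sends a query
    # with the victim's address spoofed as source. The server recomputes the hash over the
    # spoofed source and it does not match -> BADCOOKIE / rate-limited, not amplified.
    attacker_sc = mint_server_cookie(secret, attacker_cc, attacker_ip, now)
    spoofed = verify_server_cookie(secret, attacker_cc, attacker_sc, victim_ip, now + 60)

    # A genuine but old cookie is refused once outside the RFC 9018 window.
    stale = verify_server_cookie(secret, cc, sc, victim_ip, now + 2 * MAX_AGE)
    return honest, spoofed, stale


if __name__ == "__main__":
    print("honest=%s spoofed=%s stale=%s" % demo())
```

The abstract's caveat still applies: a server that cannot require cookies from everyone (because, as the measurements show, most clients do not send them) can only use a failed verification to rate-limit or to answer with a fresh cookie, so the protection is as strong as the strictness of deployment.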
- Published
- 2021
- Full Text
- View/download PDF
36. Statistical Model Checking of Common Attack Scenarios on Blockchain
- Author
-
Anton Khritankov and Ivan Fedotov
- Subjects
FOS: Computer and information sciences ,Computer Science - Logic in Computer Science ,Blockchain ,Computer science ,Memory pool ,Computer security ,computer.software_genre ,Statistical model checking ,Flooding (computer networking) ,Logic in Computer Science (cs.LO) ,Software Engineering (cs.SE) ,Computer Science - Software Engineering ,Software deployment ,DNS spoofing ,Architecture ,computer - Abstract
Blockchain technology has developed significantly over the last decade. One of the reasons for this is its sustainability architecture, which does not allow modification of the history of committed transactions. That means that developers should consider blockchain vulnerabilities and eliminate them before the deployment of the system. In this paper, we demonstrate a statistical model checking approach for the verification of blockchain systems on three real-world attack scenarios. We build and verify models of a DNS attack, double-spending with memory pool flooding, and a consensus delay scenario. After that, we analyze experimental results and propose solutions to avoid these kinds of attacks. (In Proceedings SCSS 2021, arXiv:2109.02501)
- Published
- 2021
- Full Text
- View/download PDF
37. The Far Side of DNS Amplification: Tracing the DDoS Attack Ecosystem from the Internet Core
- Author
-
Marcin Nawrocki, Thomas C. Schmidt, Matthias Wählisch, Mattijs Jonker, Design and Analysis of Communication Systems, and Digital Society Institute
- Subjects
Networking and Internet Architecture (cs.NI) ,FOS: Computer and information sciences ,Honeypot ,Computer Science - Cryptography and Security ,Computer science ,business.industry ,Fingerprint (computing) ,Internet exchange point ,020206 networking & telecommunications ,Denial-of-service attack ,02 engineering and technology ,Computer security ,computer.software_genre ,Computer Science - Networking and Internet Architecture ,020204 information systems ,Passive attack ,0202 electrical engineering, electronic engineering, information engineering ,Key (cryptography) ,The Internet ,DNS spoofing ,business ,computer ,Cryptography and Security (cs.CR) - Abstract
In this paper, we shed new light on the DNS amplification ecosystem, by studying complementary data sources, bolstered by orthogonal methodologies. First, we introduce a passive attack detection method for the Internet core, i.e., at Internet eXchange Points (IXPs). Surprisingly, IXPs and honeypots observe mostly disjoint sets of attacks: 96% of IXP-inferred attacks were invisible to a sizable honeypot platform. Second, we assess the effectiveness of observed DNS attacks by studying IXP traces jointly with diverse data from independent measurement infrastructures. We find that attackers efficiently detect new reflectors and purposefully rotate between them. At the same time, we reveal that attackers are a small step away from bringing about significantly higher amplification factors (14x). Third, we identify and fingerprint a major attack entity by studying patterns in attack traces. We show that this entity dominates the DNS amplification ecosystem by carrying out 59% of the attacks, and provide an in-depth analysis of its behavior over time. Finally, our results reveal that operators of various .gov names do not adhere to DNSSEC key rollover best practices, which exacerbates amplification potential. We can verifiably connect this operational behavior to misuses and attacker decision-making. (Proc. of ACM IMC'21)
- Published
- 2021
- Full Text
- View/download PDF
38. Evil Twin Attack Mitigation Techniques in 802.11 Networks
- Author
-
Sachin Sanjay and Raja Muthalagu
- Subjects
General Computer Science ,business.industry ,Computer science ,Data_MISCELLANEOUS ,ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS ,Frame (networking) ,Whitelist ,Data security ,Computer security ,computer.software_genre ,GeneralLiterature_MISCELLANEOUS ,IP address spoofing ,Evil twin ,ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS ,Default gateway ,Wireless ,DNS spoofing ,business ,computer - Abstract
The Evil Twin Wi-Fi attack is an attack on the IEEE 802.11 standard. The attack poses a threat to wireless connections. The Evil Twin Wi-Fi attack is one of the attacks that has been around for a long time. Once the Evil Twin Wi-Fi attack is performed, it acts as a gateway to many other attacks such as DNS spoofing, SSL Strip, IP Spoofing, and many more. Thus, preventing the attack is essential for privacy and data security. This paper goes through in detail how the attack is performed and the different measures to prevent it. The proposed algorithm sniffs for fake APs in all channels using the whitelist. Once an unauthorized AP is detected, the user has the option to de-authenticate any user in the unauthorized network in case any clients connect to it by accident. The algorithm also checks whether any de-authentication frame is being sent to any of the APs, to know which AP is being compromised. The efficiency of the proposed approach is verified by simulating and mitigating the evil-twin attack.
- Published
- 2021
- Full Text
- View/download PDF
39. Detecting Malicious DNS over HTTPS Traffic Using Machine Learning
- Author
-
Pradeep Kumar Roy and Sunil Kumar Singh
- Subjects
business.industry ,Computer science ,Domain Name System ,ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS ,Encryption ,computer.software_genre ,Machine learning ,Naive Bayes classifier ,Server ,Malware ,The Internet ,DNS spoofing ,Gradient boosting ,Artificial intelligence ,business ,computer - Abstract
Networking with the Internet has grown up faster than any other technology around the world. From the beginning of the Internet, the Domain Name System (DNS) has been an integral and important part of it. The primary task of DNS is to redirect users to the correct computers, applications, and files by mapping IP addresses and domain names. Due to certain security flaws of DNS, it is always a major target for attacks such as DNS-based malware, DNS amplification, false-positive triggering, DNS tunneling, etc. DNS over TLS (DoT) and DNS over HTTPS (DoH) were recently developed and deployed by Google and Cloudflare to prevent these types of attacks. DoT and DoH are standard protocols which are mainly designed for privacy and security by encrypting the DNS traffic between users and DNS resolver servers. This paper uses various machine learning classifiers such as (i) Naive Bayes (NB), (ii) Logistic Regression (LR), (iii) Random Forest (RF), (iv) K-Nearest Neighbor (KNN), and (v) Gradient Boosting (GB) to detect malicious activity at the DNS level in the DoH environment. The experiments are conducted on a benchmark DoH dataset (CIRA-CIC-DoHBrw-2020). Several features are used to develop a robust model. The experimental outcome confirmed that the RF and GB classifiers are better choices for the said problem. Since the majority of the malicious activity is detected by the developed model, it can be said that ML-based algorithms are a better option for the prevention of DNS attacks on DoH traffic.
- Published
- 2020
- Full Text
- View/download PDF
40. Cross Layer Attacks and How to Use Them (for DNS Cache Poisoning, Device Tracking and More)
- Author
-
Amit Klein
- Subjects
FOS: Computer and information sciences ,Pseudorandom number generator ,Software_OPERATINGSYSTEMS ,Computer Science - Cryptography and Security ,Computer science ,ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS ,Linux kernel ,computer.software_genre ,IPv6 ,OSI model ,Kernel (statistics) ,Operating system ,Cache ,DNS spoofing ,Android (operating system) ,Cryptography and Security (cs.CR) ,computer - Abstract
We analyze the prandom pseudo-random number generator (PRNG) in use in the Linux kernel (which is the kernel of the Linux operating system, as well as of Android) and demonstrate that this PRNG is weak. The prandom PRNG is in use by many "consumers" in the Linux kernel. We focused on three consumers at the network level: the UDP source port generation algorithm, the IPv6 flow label generation algorithm and the IPv4 ID generation algorithm. The flawed prandom PRNG is shared by all these consumers, which enables us to mount "cross layer attacks" against the Linux kernel. In these attacks, we infer the internal state of the prandom PRNG from one OSI layer, and use it to either predict the values of the PRNG employed by the other OSI layer, or to correlate it to an internal state of the PRNG inferred from the other protocol. Using this approach we can mount a very efficient DNS cache poisoning attack against Linux. We collect TCP/IPv6 flow label values, or UDP source ports, or TCP/IPv4 IP ID values, reconstruct the internal PRNG state, then predict an outbound DNS query UDP source port, which speeds up the attack by a factor of x3000 to x6000. This attack works remotely, but can also be mounted locally, across Linux users and across containers, and (depending on the stub resolver) can poison the cache with an arbitrary DNS record. Additionally, we can identify and track Linux and Android devices: we collect TCP/IPv6 flow label values and/or UDP source port values and/or TCP/IPv4 ID fields, reconstruct the PRNG internal state and correlate this new state to previously extracted PRNG states to identify the same device. To be published in 2021 IEEE Symposium on Security and Privacy (SP)
- Published
- 2020
41. Cryptanalysis of FNV-Based Cookies
- Author
-
Haya Shulman, Michael Waidner, and Amit Klein
- Subjects
Software_OPERATINGSYSTEMS ,Reflection (computer programming) ,Computer science ,business.industry ,InformationSystems_INFORMATIONSYSTEMSAPPLICATIONS ,ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS ,Denial-of-service attack ,Computer security ,computer.software_genre ,law.invention ,ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS ,law ,Server ,Overhead (computing) ,The Internet ,DNS spoofing ,Cryptanalysis ,business ,computer - Abstract
DNS cookies is a recently standardised proposal of the IETF meant to protect DNS against off-path cache poisoning attacks. In contrast to other defences for DNS, DNS cookies is a lightweight mechanism, is easy to deploy and does not introduce overhead on the DNS servers. In this work we demonstrate off-path attacks that circumvent the DNS cookies mechanism and impersonate legitimate Internet sources, exposing the DNS servers to cache poisoning and amplification reflection DoS attacks. We implement and evaluate the attacks, and provide recommendations for countermeasures.
- Published
- 2020
- Full Text
- View/download PDF
42. Intelligent-Driven Adapting Defense Against the Client-Side DNS Cache Poisoning in the Cloud
- Author
-
Tengchao Ma, Xiaohui Kuang, Changqiao Xu, Zan Zhou, Lujie Zhong, and Luigi Alfredo Grieco
- Subjects
Password ,020203 distributed computing ,business.industry ,Computer science ,Domain Name System ,020208 electrical & electronic engineering ,Cloud computing ,02 engineering and technology ,Client-side ,Computer security ,computer.software_genre ,Encryption ,Server ,0202 electrical engineering, electronic engineering, information engineering ,DNS spoofing ,business ,computer - Abstract
A new Domain Name System (DNS) cache poisoning attack aiming at clients has emerged recently. It induces cloud users to visit fake web sites and thus reveal information such as account passwords. However, the design of the current DNS defense architecture does not formally consider the protection of clients. Although DNS traffic encryption technology can alleviate this new attack, its deployment is as slow as that of the new DNS architecture. Thus we propose a lightweight adaptive intelligent defense strategy, which only needs to be deployed on the client without any configuration support from DNS. Firstly, we model the attack and defense process as a static stochastic game with incomplete information under bounded rationality conditions. Secondly, to solve the problem caused by uncertain attack strategies and large quantities of game states, we adopt deep reinforcement learning (DRL) with guaranteed monotonic improvement. Finally, through a prototype system experiment in Alibaba Cloud, the effectiveness of our method is proved against multiple attack modes with a success rate of approximately 97.5%.
- Published
- 2020
- Full Text
- View/download PDF
43. DNS Cache Poisoning Attack Reloaded
- Author
-
Keyu Man, Youjun Huang, Haixin Duan, Xiaofeng Zheng, Zhongjie Wang, and Zhiyun Qian
- Subjects
education.field_of_study ,Spoofing attack ,Computer science ,business.industry ,ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS ,Population ,020206 networking & telecommunications ,02 engineering and technology ,Internet Control Message Protocol ,Resolver ,0202 electrical engineering, electronic engineering, information engineering ,020201 artificial intelligence & image processing ,The Internet ,DNS spoofing ,Side channel attack ,Cache ,business ,education ,Computer network - Abstract
In this paper, we report a series of flaws in the software stack that lead to a strong revival of DNS cache poisoning, a classic attack which is mitigated in practice with simple and effective randomization-based defenses such as randomized source ports. To successfully poison a DNS cache on a typical server, an off-path adversary would need to send an impractical number of $2^{32}$ spoofed responses, simultaneously guessing the correct source port (16-bit) and transaction ID (16-bit). Surprisingly, we discover weaknesses that allow an adversary to "divide and conquer" the space by guessing the source port first and then the transaction ID (leading to only $2^{16} + 2^{16}$ spoofed responses). Even worse, we demonstrate a number of ways an adversary can extend the attack window, which drastically improves the odds of success. The attack affects all layers of caches in the DNS infrastructure, such as DNS forwarder and resolver caches, and a wide range of DNS software stacks, including the most popular BIND, Unbound, and dnsmasq, running on top of Linux and potentially other operating systems. The major condition for a victim being vulnerable is that an OS and its network are configured to allow ICMP error replies. From our measurement, we find over 34% of the open resolver population on the Internet are vulnerable (and in particular 85% of the popular DNS services including Google's 8.8.8.8). Furthermore, we comprehensively validate the proposed attack with positive results against a variety of server configurations and network conditions that can affect the success of the attack, in both controlled experiments and a production DNS resolver (with authorization).
- Published
- 2020
- Full Text
- View/download PDF
44. A Light-weight Mitigation Scheme on the Mole Content Poisoning Attack in NDN
- Author
-
Pengfei Yue, Ru Li, and Bin Pang
- Subjects
Router ,business.industry ,Computer science ,Network packet ,Scalability ,Overhead (computing) ,The Internet ,DNS spoofing ,Encryption ,business ,Hazard (computer architecture) ,Computer network - Abstract
With a novel content-based communication model that is designed for data sharing, Named Data Networking (NDN) is born with innate security through per-packet encryption and achieves better scalability and mobility. Security attacks in the current Internet, e.g., IP and/or DNS spoofing, can hardly harm NDN, since there is no address and security is embedded in the data packet. However, some new kinds of attacks (e.g., interest flooding attacks and content poisoning attacks) damage NDN if not investigated thoroughly. In NDN, there exists a variant of the content poisoning attack (CPA) in which the attack is launched by compromised core routers, and this kind of attack causes severe damage to the network. In this paper, this variant of CPA is named the mole content poisoning attack (MCPA), and a Kalman filter based light-weight mitigation scheme is proposed. Besides, random sampling is applied to the data traffic to tune the state parameters of the Kalman filter, achieving faster convergence in a router. Compared with the mitigation scheme based on probabilistic checking of signatures on the data traffic, the proposed light-weight mitigation scheme recovers the interest satisfaction rates (ISRs) of consumers while introducing less computation overhead.
- Published
- 2020
- Full Text
- View/download PDF
45. Proposal of Anomaly Detection for DNS Attacks Based on Packets Prediction Using LSTM
- Author
-
Inaba Hiroyuki and Kimura Satoshi
- Subjects
business.industry ,Computer science ,Network packet ,ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS ,Process (computing) ,020206 networking & telecommunications ,02 engineering and technology ,Set (abstract data type) ,Resolver ,0202 electrical engineering, electronic engineering, information engineering ,020201 artificial intelligence & image processing ,The Internet ,Anomaly detection ,DNS spoofing ,business ,Protocol (object-oriented programming) ,Algorithm - Abstract
DNS is an essential protocol of the Internet. However, DNS also tends to be used as the target of attacks, such as DNS Amplification Attacks and Open Resolver Scanning, due to its protocol design. To detect these attacks, we present a novel anomaly detection method for DNS attacks based on the prediction values of DNS using LSTM (Long Short-Term Memory). Through the experiment, we compared the prediction accuracy of the sequential prediction method for short-term prediction and the batch prediction method for long-term prediction. Furthermore, we propose a dynamic threshold method that can be set automatically by using the error derived from the training process. As a result, the sequential prediction method can predict with higher accuracy than the batch prediction method. We also show that the attacks can be detected by using the dynamic threshold method with the sequential prediction method.
- Published
- 2020
- Full Text
- View/download PDF
46. The Research on Intelligent DNS Security
- Author
-
Georgi Tsochev and Radoslav Yoshinov
- Subjects
Computer science ,media_common.quotation_subject ,Domain Name System ,Computer security ,computer.software_genre ,Payment ,Intrusion ,Dns security ,Information and Communications Technology ,Server ,DNS spoofing ,computer ,Digitization ,media_common - Abstract
Digitization of information in all spheres of human activity and use of technological innovations, as a basic case for the emergence of all wages and attacks that may be insufficient to modern technologies and the continuous expansion of the complexity of security and hardware. Protection against these attacks and payment can be viewed in different directions in information and communication technologies and only from this is secure with protection of DNS servers. DNS servers are recommended as a subject in the research. The basic idea behind this is to simulate different types of DNS attacks and to propose a method to look for interceptions and alarms using a system to detect and prevent intrusion into a DNS server. Along with that, there is an opportunity, the results of what you need to visualize and statistically processed in your graphs and charts.
- Published
- 2020
- Full Text
- View/download PDF
47. An Effective and Lightweight Countermeasure Scheme to Multiple Network Attacks in NDNs
- Author
-
Yang Yue, Haiying Shen, Qu Shijun, and Dapeng Qu
- Subjects
Router ,021110 strategic, defence & security studies ,business.industry ,Computer science ,0211 other engineering and technologies ,020206 networking & telecommunications ,02 engineering and technology ,Cache pollution ,Security token ,Flooding (computer networking) ,Core router ,0202 electrical engineering, electronic engineering, information engineering ,Network performance ,DNS spoofing ,business ,Computer network - Abstract
In Named Data Networks, cache pollution, cache poisoning and interest flooding are three popular types of attacks that can drastically degrade the network performance. However, previous methods for mitigating these attacks are not sufficiently effective or efficient. Also, they cannot simultaneously handle the three attacks. To handle these problems, we propose an effective and lightweight countermeasure scheme. It consists of token-based router monitoring policy (TRM), hierarchical consensus-based trust management (HCT), and popularity-based probabilistic caching policy (PPC). In TRM, each edge router monitors and evaluates each data requester’s probability of launching the cache pollution attack and each data provider’s probability of launching the cache poisoning attack, and accordingly assigns, rewards and penalizes tokens to them to control their data request and data provision activities. In HCT, each core router manages its directly connected edge routers using TRM, and the core routers trust each other through adopting the concept of consensus in Blockchain. PPC uses probabilistic caching based on the popularity of received content to further mitigate the attacks and reduce caching and data verification overhead. Results from simulation experiments demonstrate that our proposed scheme has better performance, in terms of interest satisfaction ratio and average end-to-end delay than current mechanisms.
- Published
- 2020
- Full Text
- View/download PDF
48. Detection of DoH Tunnels using Time-series Classification of Encrypted Traffic
- Author
-
Mohammadreza MontazeriShatoori, Logan Davidson, Gurdip Kaur, and Arash Habibi Lashkari
- Subjects
Hypertext Transfer Protocol ,Transport Layer Security ,business.industry ,Computer science ,computer.internet_protocol ,Domain Name System ,ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS ,Covert channel ,020206 networking & telecommunications ,02 engineering and technology ,Man-in-the-middle attack ,Computer security ,computer.software_genre ,Encryption ,ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS ,0202 electrical engineering, electronic engineering, information engineering ,020201 artificial intelligence & image processing ,The Internet ,DNS spoofing ,business ,computer - Abstract
Computer networks have fallen easy prey to cyber attacks in the ever-evolving Internet services. The Domain Name System (DNS) has also not remained untouched by these cybercrime attempts. Encrypted HyperText Transfer Protocol (HTTP) traffic over Secure Socket Layer (SSL), alternatively called HTTPS, has succeeded in preventing DNS attacks to a great extent. To secure DNS traffic, the security community has introduced the concept of DNS over HTTPS (DoH) to improve user privacy and security by combating eavesdropping and DNS data manipulation in transit, to prevent Man-in-the-Middle (MitM) attacks. This paper discusses one of the persistent security concerns, abuse of the DNS protocol to create covert channels by tunneling data through DNS packets. We identify tunneling activities that utilize DNS communications over HTTPS by presenting a two-layered approach to detect and characterize DoH traffic using time-series classifiers.
- Published
- 2020
- Full Text
- View/download PDF
49. Enabling Privacy-Aware Zone Exchanges Among Authoritative and Recursive DNS Servers
- Author
-
Nikos Kostopoulos, Dimitris Kalogeras, and Vasilis Maglaris
- Subjects
Schema (genetic algorithms) ,Information sensitivity ,business.industry ,Computer science ,Domain Name System ,Server ,ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS ,Testbed ,DNS spoofing ,Bloom filter ,business ,Variety (cybernetics) ,Computer network - Abstract
We propose a privacy-aware schema that enables Authoritative DNS Servers to distribute their zones to third parties, e.g. Recursive DNS Servers or scrubbing services, without disclosing sensitive information. Therefore, DNS attack mitigation may be effectively accomplished at external vantage points, presumably closer to the attack sources than the Authoritative DNS Server. Our schema leverages the space, time and privacy-enhancing properties of Cuckoo Filters to map zone names in an efficient manner, while permitting rapid name updates for large zones. The feasibility of our approach is tested via experiments within our laboratory testbed for a variety of DNS zones. Our evaluation intends to assess the privacy-awareness of our schema and its responsiveness to zone name changes. We conclude that our approach enables mapping of large DNS zones, while preserving privacy.
- Published
- 2020
- Full Text
- View/download PDF
50. Autopolicy: Automated Traffic Policing for Improved IoT Network Security
- Author
-
Gianmarco Baldini, Paweł Foremski, Piotr Fröhlich, Sławomir Nowak, and Jose L. Hernandez-Ramos
- Subjects
Computer science ,Network security ,Internet of Things ,Denial-of-service attack ,02 engineering and technology ,Network interface ,security ,Computer security ,computer.software_genre ,lcsh:Chemical technology ,Biochemistry ,Article ,Analytical Chemistry ,Firewall (construction) ,sensor networks ,0202 electrical engineering, electronic engineering, information engineering ,lcsh:TP1-1185 ,DNS spoofing ,Electrical and Electronic Engineering ,Instrumentation ,traffic policing ,business.industry ,ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS ,020206 networking & telecommunications ,Internet traffic ,packet filtering ,Atomic and Molecular Physics, and Optics ,Software-Defined Networking ,firewall ,Distributed Denial of Service ,020201 artificial intelligence & image processing ,The Internet ,business ,Software-defined networking ,Wireless sensor network ,computer - Abstract
A 2.3 Tbps DDoS attack was recently mitigated by Amazon, which is a new record after the 2018 GitHub attack, or the famous 2016 Dyn DNS attack launched from hundreds of thousands of hijacked Internet of Things (IoT) devices. These attacks may disrupt the lives of billions of people worldwide, as we increasingly rely on the Internet. In this paper, we tackle the problem that hijacked IoT devices are often the origin of these attacks. With the goal of protecting the Internet and local networks, we propose Autopolicy: a system that automatically limits the IP traffic bandwidth (and other network resources) available to IoT devices in a particular network. We make use of the fact that devices, such as sensors, cameras, and smart home appliances, rarely need their high-speed network interfaces for normal operation. We present a simple yet flexible architecture for Autopolicy, specifying its functional blocks, message sequences, and general operation in a Software Defined Network. We present the experimental validation results, and release a prototype open source implementation.
- Published
- 2020