Tengchao Ma,Changqiao Xu,Shujie Yang,Yiting Huang,Xiaohui Kuang,Hong Tang,Luigi Alfredo Grieco

DOI: https://doi.org/10.1002/int.22934

IF: 8.993

2022-05-29

International Journal of Intelligent Systems

Abstract:A new class of poisoning attacks has recently emerged targeting the client‐side Domain Name System (DNS) cache. It allows users to visit fake websites unconsciously, thereby revealing their information, such as passwords. However, the current DNS defense architecture does not include DNS clients. Although relative encryption solutions can mitigate this attack, they require the cooperation of multiple parties, and the deployment speed is slow. Therefore, we propose an intelligent‐driven proactive defense strategy. First, we model the offensive and defensive process as a stochastic game based on moving target defense. Second, we adopt and optimize Proximal Policy Optimization (PPO), a deep reinforcement learning method, to solve problems caused by uncertain attack strategies and unknown state transition probability. Third, we design a self‐checking component in PPO to solve the uncertainty of action space caused by game state constraints based on our previous work. Thus the convergence speed and stability of PPO are improved. Finally, to the best of our knowledge, we are the first to game with intelligent attackers besides three conventional ones. Our strategy does not require any modifications to the DNS architecture. Through an extensive experimental campaign, the prototype system is proved to be effective against multiple attack modes. Its success rate is 98.5% approximately, and network round‐trip time is about 55 ms. Even for random attackers, our method can achieve the theoretical maximum defensive success rate.

computer science, artificial intelligence

Keyu Man,Zhiyun Qian,Zhongjie Wang,Xiaofeng Zheng,Youjun Huang,Haixin Duan

DOI: https://doi.org/10.1145/3372297.3417280

2020-01-01

Abstract:In this paper, we report a series of flaws in the software stack that leads to a strong revival of DNS cache poisoning --- a classic attack which is mitigated in practice with simple and effective randomization-based defenses such as randomized source port. To successfully poison a DNS cache on a typical server, an off-path adversary would need to send an impractical number of $2^32 $ spoofed responses simultaneously guessing the correct source port (16-bit) and transaction ID (16-bit). Surprisingly, we discover weaknesses that allow an adversary to "divide and conquer'' the space by guessing the source port first and then the transaction ID (leading to only $2^16 +2^16 $ spoofed responses). Even worse, we demonstrate a number of ways an adversary can extend the attack window which drastically improves the odds of success. The attack affects all layers of caches in the DNS infrastructure, such as DNS forwarder and resolver caches, and a wide range of DNS software stacks, including the most popular BIND, Unbound, and dnsmasq, running on top of Linux and potentially other operating systems. The major condition for a victim being vulnerable is that an OS and its network is configured to allow ICMP error replies. From our measurement, we find over 34% of the open resolver population on the Internet are vulnerable (and in particular 85% of the popular DNS services including Google's 8.8.8.8). Furthermore, we comprehensively validate the proposed attack with positive results against a variety of server configurations and network conditions that can affect the success of the attack, in both controlled experiments and a production DNS resolver (with authorization).

Chang-Ting Lin,Chunming Wu,Min Huang,Zhenyu Wen,Qiumei Cheng

DOI: https://doi.org/10.1109/SRDSW.2016.21

2016-01-01

Abstract:IP address mutation is a proactive defense method that is used to reduce the risk of network attacks, especially to deal with the worm propagation attacks. However, previous work did not give much consideration to the negative effects that IP address mutation could bring to network performance. To be specific, there is a trade-off between network performance and security, which implies that when a security mechanism is reinforced, network performance would be impaired and vice versa. Therefore, in order to achieve the optimal balance between performance and security, an optimal solution should be provided. In this paper, we propose an adaptive IP mutation defense method which is based on temporal-dimension, to dynamically control the mutation interval according to real-time measurable metrics, assurance and avoidance. This method leverages a genetic algorithm to achieve the optimization of performance-security trade-off. We then evaluate our method in a simulated computer cluster environment, including 1024 hosts, and demonstrate that our method can successfully find the optimal solution according to the experimental results. For example, it can reduce the worm propagation significantly, while maintaining the network performance in a predefined level.

Haider Salim Hmood,Zhitang Li,Hasan Khalaf Abdulwahid,Yang Zhang

DOI: https://doi.org/10.1093/comjnl/bxu023

2014-01-01

The Computer Journal

Abstract:It is well known that the domain name system (DNS) is responsible for translating domain names to the corresponding IP addresses. It plays a fundamental role in running efficiently all Internet application, such as web browsing, email, multimedia applications and other projects. However, using the technique of the DNS cache poisoning attack, an attacker can effectively introduce forged DNS information to the cache memory of the domain name resolvers, with the goal of manipulating the resolver data so as to make then unavailable or divert traffic to the wrong destination, which is considered a real threat to Internet users today. Thus, in this paper, we present a new prevention methodology called Adaptive-Cache of DNS (ACDNS). Our proposed solution relies on a caching mechanism to prevent these kinds of attacks. Conversely, domain name system security extension has been presented as a conclusive solution to overcome weaknesses in the DNS protocol, but from that time up to now it still has not been deployed on a large scale. ACDNS is designed to be backward compatible with the current standards of DNS and completely appropriate with the basic protocol processes and infrastructure. In particular, our modifications are only in caching-timing in case of the need to store a new mapping. To this end, we design and implement a novel protocol for extensively simulating our approach. At the same time, we compare the performance of the ACDNS with the DNS. We show that our methodology completely protects domain name resolvers against cache-poisoning attacks.

Xiang Li,Chaoyi Lu,Baojun Liu Fi,Qifan Zhang,Zhou Li,Haixin Duan,Qi Li

2023-01-01

Abstract:In this paper, we report MAGINOTDNS, a powerful cache poisoning attack against DNS servers that simultaneously act as recursive resolvers and forwarders (termed as CDNS). The attack is made possible through exploiting vulnerabilities in the bailiwick checking algorithms, one of the cornerstones of DNS security since the 1990s, and affects multiple versions of popular DNS software, including BIND and Microsoft DNS. Through field tests, we find that the attack is potent, allowing attackers to take over entire DNS zones, even including Top-Level Domains (e.g.,.com and.net). Through a large-scale measurement study, we also confirm the extensive usage of CDNSes in real-world networks (up to 41.8% of our probed open DNS servers) and find that at least 35.5% of all CDNSes are vulnerable to MAGINOTDNS. After interviews with ISPs, we show a wide range of CDNS use cases and real-world attacks. We have reported all the discovered vulnerabilities to DNS software vendors and received acknowledgments from all of them. 3 CVE-ids have been published, and 2 vendors have fixed their software. Our study brings attention to the implementation inconsistency of security checking logic in different DNS software and server modes (i.e., recursive resolvers and forwarders), and we call for standardization and agreements among software vendors.

Lei He,Quan Ren,Bolin Ma,Weili Zhang,Jiangxing Wu

DOI: https://doi.org/10.23919/jcc.2021.00.011

2022-01-01

China Communications

Abstract:With the rapid development of information technology, the cyberspace security problem is increasingly serious. Kinds of dynamic defense technology have emerged such as moving target defense and mimic defense. This paper aims to describe the architecture and analyze the performance of Cyberspace Mimic DNS based on generalized stochastic Petri net. We propose a general method of anti-attacking analysis. For general attack and special attack model, the available probability, escaped probability and non-special awareness probability are adopted to quantitatively analyze the system performance. And we expand the GSPN model to adjust to engineering practice by specifying randomness of different output vectors. The result shows that the proposed method is effective, and Mimic system has high anti-attacking performance. To deal with the special attack, we can integrate the traditional defense mechanism in engineering practice. Besides, we analyze the performance of mimic DNSframework based on multi-ruling proxy and input-output desperation, the results represent we can use multi ruling or high-speed cache servers to achieve the consistent cost of delay, throughput compared with single authorized DNS, it can effectively solve 10% to 20% performance loss caused by general ruling proxy.

Hung-Min Sun,Wen-Hsuan Chang,Shih-Ying Chang,Yue-Hsun Lin

DOI: https://doi.org/10.1007/978-3-642-10433-6_12

2009-01-01

Abstract:DNS cache poisoning attacks have been proposed for a long time. In 2008, Kaminsky enhanced the attacks to be powerful based on nonce query method. By leveraging Kaminsky's attack, phishing becomes large-scale since victims are hard to detect attacks. Hence, DNS cache poisoning is a serious threat in the current DNS infrastructure. In this paper, we propose a countermeasure, DepenDNS, to prevent from cache poisoning attacks. DepenDNS queries multiple resolvers concurrently to verify an trustworthy answer while users perform payment transactions, e.g., auction, banking. Without modifying any resolver or authority server, DepenDNS is conveniently deployed on client side. In the end of paper, we conduct several experiments on DepenDNS to show its efficiency. We believe DepenDNS is a comprehensive solution against cache poisoning attacks.

Amir Herzberg,Haya Shulman

DOI: https://doi.org/10.48550/arXiv.1209.1482

2012-09-07

Abstract:We investigate defenses against DNS cache poisoning focusing on mechanisms that can be readily deployed unilaterally by the resolving organisation, preferably in a single gateway or a proxy. DNS poisoning is (still) a major threat to Internet security; determined spoofing attackers are often able to circumvent currently deployed antidotes such as port randomisation. The adoption of DNSSEC, which would foil DNS poisoning, remains a long-term challenge. We discuss limitations of the prominent resolver-only defenses, mainly port and IP randomisation, 0x20 encoding and birthday protection. We then present two new (unilateral) defenses: the sandwich antidote and the NAT antidote. The defenses are simple, effective and efficient, and can be implemented in a gateway connecting the resolver to the Internet. The sandwich antidote is composed of two phases: poisoning-attack detection and then prevention. The NAT antidote adds entropy to DNS requests by switching the resolver's IP address to a random address (belonging to the same autonomous system). Finally, we show how to implement the birthday protection mechanism in the gateway, thus allowing to restrict the number of DNS requests with the same query to 1 even when the resolver does not support this.

Cryptography and Security

Harel Berger,Amit Z. Dvir,Moti Geva

DOI: https://doi.org/10.48550/arXiv.1906.10928

2019-06-26

Abstract:The Domain Name System (DNS) provides a translation between readable domain names and IP addresses. The DNS is a key infrastructure component of the Internet and a prime target for a variety of attacks. One of the most significant threat to the DNS's wellbeing is a DNS poisoning attack, in which the DNS responses are maliciously replaced, or poisoned, by an attacker. To identify this kind of attack, we start by an analysis of different kinds of response times. We present an analysis of typical and atypical response times, while differentiating between the different levels of DNS servers' response times, from root servers down to internal caching servers. We successfully identify empirical DNS poisoning attacks based on a novel method for DNS response timing analysis. We then present a system we developed to validate our technique that does not require any changes to the DNS protocol or any existing network equipment. Our validation system tested data from different architectures including LAN and cloud environments and real data from an Internet Service Provider (ISP). Our method and system differ from most other DNS poisoning detection methods and achieved high detection rates exceeding 99%. These findings suggest that when used in conjunction with other methods, they can considerably enhance the accuracy of these methods.

Cryptography and Security

Jian Peng,S. Hao,Zhiyun Qian,Dongjie Zhou,Qiushi Yang,Haixin Duan,Xiaofeng Zheng,Chaoyi Lu,Keyu Man,Baojun Liu

Abstract:In today’s DNS infrastructure, DNS forwarders are devices standing in between DNS clients and recursive resolvers. The devices often serve as ingress servers for DNS clients, and instead of resolving queries, they pass the DNS requests to other servers. Because of the advantages and several use cases, DNS forwarders are widely deployed and queried by Internet users. However, studies have shown that DNS for-warders can be more vulnerable devices in the DNS infrastructure. In this paper, we present a cache poisoning attack targeting DNS forwarders. Through this attack, attackers can inject rogue records of arbitrary victim domain names using a controlled domain, and circumvent widely-deployed cache poisoning defences. By performing tests on popular home router models and DNS software, we find several vulnerable implementations, including those of large vendors (e.g., D-Link, Linksys, dnsmasq and MS DNS). Further, through a nationwide measurement, we estimate the population of Chinese mobile clients which are using vulnerable DNS for-warders. We have been reporting the issue to the affected vendors, and so far have received positive feedback from three of them. Our work further demonstrates that DNS for-warders can be a soft spot in the DNS infrastructure, and calls for attention as well as implementation guidelines from the community.

Computer Science

Evgeny Sagatov,Samara Mayhoub,Andrei Sukhov,Prasad Calyam

DOI: https://doi.org/10.23919/jcin.2023.10173727

2023-07-08

Journal of Communications and Information Networks

Abstract:Domain name system (DNS) amplification distributed denial of service (DDoS) attacks are one of the popular types of intrusions that involve accessing DNS servers on behalf of the victim. In this case, the size of the response is many times greater than the size of the request, in which the source of the request is substituted for the address of the victim. This paper presents an original method for countering DNS amplification DDoS attacks. The novelty of our approach lies in the analysis of outgoing traffic from the victim's server. DNS servers used for amplification attacks are easily detected in Internet control message protocol (ICMP) packet headers (type 3, code 3) in outgoing traffic. ICMP packets of this type are generated when accessing closed user datagram protocol (UDP) ports of the victim, which are randomly assigned by the Saddam attack tool. To prevent such attacks, we used a Linux utility and a software-defined network (SDN) module that we previously developed to protect against port scanning. The Linux utility showed the highest efficiency of 99.8%, i.e., only two attack packets out of a thousand reached the victim server.

Kai Bu,Zhixin Sun

DOI: https://doi.org/10.1109/ICYCS.2008.324

2008-01-01

Abstract:The emergence of Distributed Denial of Service (DDoS) attack increases the destructive force of Denial of Service (DoS) attack drastically. Besides bringing more terrible threats, the attack from far and near and the employment of internet protocol (IP) spoofing make the abnormal traffic detection harder and harder. This paper proposes a mechanism defined as AMHI (Address Matching and Hash Inspection) and a method based on it for DDoS attacks detection and defense. Through the simulation experiment, the Address Matching and backup Hash Inspection operations to the suspicious traffic implemented on router interface for local subnet can detect and defend DDoS attacks effectively even when using IP Spoofing. In addition, this method can also decrease a mass of statistical work for the routers, and to some extent ease the pressure of heavy traffic caused by attacks.

YAN Boru,FANG Binxing,LI Bin,WANG Yao

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.21.045

2006-01-01

Abstract:DNS is a critical component of the operation of Internet applications.The Internet is greatly affected if DNS is attacked.DNS spoofing is one of the most popular attack means with the character of high dormancy and good attack effection.But so far,little is done to defend the systerm against this attack.Three methods are presented to detect DNS spoofing attack,and then another three techniques are proposed to identify the bogus packets and the right ones to ensure DNS service even attacked.

Amir Herzberg,Haya Shulman

DOI: https://doi.org/10.48550/arXiv.1205.5190

2012-05-23

Abstract:In spite of the availability of DNSSEC, which protects against cache poisoning even by MitM attackers, many caching DNS resolvers still rely for their security against poisoning on merely validating that DNS responses contain some 'unpredictable' values, copied from the re- quest. These values include the 16 bit identifier field, and other fields, randomised and validated by different 'patches' to DNS. We investigate the prominent patches, and show how attackers can circumvent all of them, namely: - We show how attackers can circumvent source port randomisation, in the (common) case where the resolver connects to the Internet via different NAT devices. - We show how attackers can circumvent IP address randomisation, using some (standard-conforming) resolvers. - We show how attackers can circumvent query randomisation, including both randomisation by prepending a random nonce and case randomisation (0x20 encoding). We present countermeasures preventing our attacks; however, we believe that our attacks provide additional motivation for adoption of DNSSEC (or other MitM-secure defenses).

Cryptography and Security

Zheng Wang

DOI: https://doi.org/10.48550/arXiv.1602.08459

2016-02-27

Abstract:The threats of caching poisoning attacks largely stimulate the deployment of DNSSEC. Being a strong but demanding cryptographical defense, DNSSEC has its universal adoption predicted to go through a lengthy transition. Thus the DNSSEC practitioners call for a secure yet lightweight solution to speed up DNSSEC deployment while offering an acceptable DNSSEC-like defense. This paper proposes a new defense against cache poisoning attacks, still using but lightly using DNSSEC. In the solution, DNS operates in the DNSSEC-oblivious mode unless a potential attack is detected and triggers a switch to the DNSSEC-aware mode. The performance of the defense is analyzed and validated. The modeling checking results demonstrate that only a small DNSSEC query load is needed to ensure a small enough cache poisoning success rate.

Cryptography and Security

Guanglin Duan,Qing Li,Zhengxin Zhang,Dan Zhao,Guorui Xie,Yuan Yang,Zhenhui Yuan,Yong Jiang,Mingwei Xu

DOI: https://doi.org/10.1109/tdsc.2024.3409545

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:The Domain Name System (DNS) is a growing center of cyber attacks, including both volumetric and non-volumetric attacks. Programmable switches provide a new opportunity for more efficient defense against DNS attacks since they can offer better cost, performance, and flexibility trade-offs compared to traditional defense systems. However, programmable switches have strict limitations on the operations and storage space supported to ensure line-speed packet processing. In this paper, we propose DNSGuard, an intelligent in-network defense framework that can handle volumetric and non-volumetric DNS attacks on programmable switches. We propose a recursive incremental parsing algorithm that can effectively extract variable-length domain names. To achieve real-time and accurate detection against two types of DNS attacks, we design a switch-optimized and resource-efficient algorithm to extract both independent features of each packet and domain-based cumulative features. Then, we propose a multi-phase hybrid model architecture to perform dynamic packet analysis at different time phases of a domain. Further, we design efficient model representation mechanisms to deploy tree-based ensemble models in the data plane. Experimental results show that DNSGuard can defend against diverse DNS attacks at the line rate. In addition, DNSGuard introduces a minimal nanosecond latency to normal traffic in heavily loaded networks.

Xiang Li,Dashuai Wu,Haixin Duan,Qi Li

DOI: https://doi.org/10.1109/sp54263.2024.00264

2024-01-01

Abstract:DNS employs a variety of mechanisms to guarantee availability, protect security, and enhance reliability. In this paper, however, we reveal that these inherent beneficial mechanisms, including timeout, query aggregation, and response fast-returning, can be transformed into malicious attack vectors.We propose a new practical and powerful pulsing DoS attack, dubbed the DNSBomb attack. DNSBomb exploits multiple widely-implemented DNS mechanisms to accumulate DNS queries that are sent at a low rate, amplify queries into large-sized responses, and concentrate all DNS responses into a short, high-volume periodic pulsing burst to simultaneously overwhelm target systems. Through an extensive evaluation on 10 mainstream DNS software, 46 public DNS services, and around 1.8M open DNS resolvers, we demonstrate all DNS resolvers could be exploited to conduct more practical-and-powerful DNSBomb attacks than previous pulsing DoS attacks. Small-scale experiments show the peak pulse magnitude can approach 8.7Gb/s and the bandwidth amplification factor could exceed 20,000x. Our controlled attacks cause complete packet loss or service degradation on both stateless and stateful connections (TCP, UDP, and QUIC). In addition, we present effective mitigation solutions with detailed evaluations. We have responsibly reported our findings to all affected vendors, and received acknowledgement from 24 of them, which are patching their software using our solutions, such as BIND, Unbound, PowerDNS, and Knot. 10 CVE-IDs are assigned.

Zhuo LV,Lei FAN

DOI: https://doi.org/10.3969/j.issn.1000-3428.2011.18.039

2011-01-01

Abstract:Aiming at the Domain Name System(DNS) attack,this paper proposes a simple and robust detection mechanism.The core of this mechanism is based on the inherent DNS protocol behaviors and applies an instance of change point detection algorithm to detect attack behavior.To make the detection mechanism insensitive to attack and low computational complexity,based on the nonparametric Cumulative Sum(CUSUM) algorithm,it makes some improvements in view of DNS protocol behavior.Simulation results show the mechanism can detect the DNS attack,it makes good compromise between the detection rate and the false alarm rate.

Qin Zhi-guang

2007-01-01

Abstract:This paper describes the principle of Distributed Denial of Service (DDoS) attack. Several representative defense methods are analyzed to against it. A defense method against IP spoofing DDoS attack is proposed. An active IP record table is used to detect all IP packets passing through the border of autonomy system in this method. Packets of the source IP address which are not active will be discarded by the border routers or routers near the border in the autonomy system, according to the Internet Control Message Protocol (ICMP) protocol, timeout ICMP messages will be sent to the source IP hosts, and thus, IP spoofed packets will be discarded, because their source IP usually are not active. Although some legal packets will also be discarded, the retransmission will be triggered by the timeout ICMP messages immediately.

Fabrice Mvah,Vianney Kengne Tchendji,Clémentin Tayou Djamegni,Ahmed H. Anwar,Deepak K. Tosh,Charles Kamhoua

DOI: https://doi.org/10.1016/j.cose.2023.103696

IF: 5.105

2024-01-06

Computers & Security

Abstract:The Address Resolution Protocol (ARP) spoofing is a form of attack typically used by attackers to cause a denial of service or man-in-the-middle attacks. This attack comes from ARP weaknesses and aims to compromise victims' ARP caches by sending ARP packets containing fake IP-MAC pairs. To overcome ARP spoofing attacks, several approaches leverage the advantages of software-defined networking (SDN) to detect malicious users in the network. To achieve their goal, the SDN controller consecutively checks the characteristics of each ARP packet to ensure its correctness. However, this verification method can lead to latency and congestion at the controller level or render the system unusable for large-scale networks. To address this drawback, we propose a game-theoretic approach to provide an optimal verification method that considers the intelligent attackers' decision-making process during an ARP cache poisoning attempt. This approach is a zero-sum game between the attacker who wants to poison the victims' ARP caches and the defender who must avoid this poisoning. The game model results in mixed-strategy Nash equilibria that identify optimal verification methods to prevent control plane latency and congestion during attacker detection. The results show that an intelligent attacker will refrain from poisoning ARP caches with a high-impact strategy because the defender frequently checks such a strategy. In addition, the attacker's penalty value can deter both rational and irrational attackers from poisoning ARP caches. Simulations in the Mininet simulator have shown that the proposed approach can significantly mitigate control plane latency and congestion during the attacker's characteristic checking.

computer science, information systems