Haider Salim Hmood,Zhitang Li,Hasan Khalaf Abdulwahid,Yang Zhang

DOI: https://doi.org/10.1093/comjnl/bxu023

2014-01-01

The Computer Journal

Abstract:It is well known that the domain name system (DNS) is responsible for translating domain names to the corresponding IP addresses. It plays a fundamental role in running efficiently all Internet application, such as web browsing, email, multimedia applications and other projects. However, using the technique of the DNS cache poisoning attack, an attacker can effectively introduce forged DNS information to the cache memory of the domain name resolvers, with the goal of manipulating the resolver data so as to make then unavailable or divert traffic to the wrong destination, which is considered a real threat to Internet users today. Thus, in this paper, we present a new prevention methodology called Adaptive-Cache of DNS (ACDNS). Our proposed solution relies on a caching mechanism to prevent these kinds of attacks. Conversely, domain name system security extension has been presented as a conclusive solution to overcome weaknesses in the DNS protocol, but from that time up to now it still has not been deployed on a large scale. ACDNS is designed to be backward compatible with the current standards of DNS and completely appropriate with the basic protocol processes and infrastructure. In particular, our modifications are only in caching-timing in case of the need to store a new mapping. To this end, we design and implement a novel protocol for extensively simulating our approach. At the same time, we compare the performance of the ACDNS with the DNS. We show that our methodology completely protects domain name resolvers against cache-poisoning attacks.

YAN Boru,FANG Binxing,LI Bin,WANG Yao

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.21.045

2006-01-01

Abstract:DNS is a critical component of the operation of Internet applications.The Internet is greatly affected if DNS is attacked.DNS spoofing is one of the most popular attack means with the character of high dormancy and good attack effection.But so far,little is done to defend the systerm against this attack.Three methods are presented to detect DNS spoofing attack,and then another three techniques are proposed to identify the bogus packets and the right ones to ensure DNS service even attacked.

Xiaolong Bai,Liang Hu,Zixing Song,Feiyan Chen,Kuo Zhao

DOI: https://doi.org/10.1007/978-3-642-23971-7_39

2011-01-01

Abstract:The Domain Name Server (DNS) is a key part of the Internet infrastructure. But DNS protocol is so simple that DNS interaction is quite vulnerable to a kind of man-in-the-middle spoofing attack. This paper introduces one type of defense technique based on the main features of DNS response packets. The technique employs Artificial Neural Networks (ANN), which produces excellent performance.

Mohammed Abdulridha Hussain,Hai Jin,Zaid Alaa Hussien,Zaid Ameen Abduljabbar,Salah H. Abbdal,Ayad Ibrahim

DOI: https://doi.org/10.1155/2017/9479476

IF: 1.968

2017-01-01

Security and Communication Networks

Abstract:Online information security is a major concern for both users and companies, since data transferred via the Internet is becoming increasingly sensitive. The World Wide Web uses Hypertext Transfer Protocol (HTTP) to transfer information and Secure Sockets Layer (SSL) to secure the connection between clients and servers. However, Hypertext Transfer Protocol Secure (HTTPS) is vulnerable to attacks that threaten the privacy of information sent between clients and servers. In this paper, we propose Enc-DNS-HTTP for securing client requests, protecting server responses, and withstanding HTTPS attacks. Enc-DNS-HTTP is based on the distribution of a web server public key, which is transferred via a secure communication between client and a Domain Name System (DNS) server. This key is used to encrypt client-server communication. The scheme is implemented in the C programming language and tested on a Linux platform. In comparison with Apache HTTPS, this scheme is shown to have more effective resistance to attacks and improved performance since it does not involve a high number of time-consuming operations.

Kuo Zhao,Xiaolong Bai,Feng Wang,Yuyu Sun,Liang Hu

DOI: https://doi.org/10.1166/jctn.2012.2276

2012-01-01

Journal of Computational and Theoretical Nanoscience

Abstract:The Domain Name System, or DNS, is an important facility in the Internet. But for some reasons, DNS interaction is quite vulnerable to a kind of man-in-the-middle (MITM) spoofing attack. This paper illustrates the MITM spoofing attack and proposes a type of defense technique employing Naive Bayes (NB) Classifier. Considering three types of individual factors, then illustrates, analyzes and evaluates their performances. The 3-factor NB technique achieves the best performance with an average identifying ratio of 99.7875%. What's more, we provide a proposal on taking balance of precision and time consumption accordingly. In all, the presented NB technique is quite helpful in defense against DNS MITM spoofing attack.

Rebeen Rebwar Hama Amin,Dana Hassan,Masnida Hussin

DOI: https://doi.org/10.24017/science.2020.2.6

2020-12-06

Kurdistan Journal of Applied Research

Abstract:DNS reflection/amplification attacks are types of Distributed Denial of Service (DDoS) attacks that take advantage of vulnerabilities in the Domain Name System (DNS) and use it as an attacking tool. This type of attack can quickly deplete the resources (i.e. computational and bandwidth) of the targeted system. Many defense mechanisms are proposed to mitigate the impact of this type of attack. However, these defense mechanisms are centralized-based and cannot deal with a distributed-based attack. Also, these defense mechanisms have a single point of deployment which leads to a lack of computational resources to handle an attack with a large magnitude. In this work, we presented a new distributed-based defense mechanism (DDM) to counter reflection/ amplification attacks. While operating, we calculated the CPU counters of the machines that we deployed our defense mechanism with which showed 19.9% computational improvement. On top of that, our defense mechanism showed that it can protect the attack path from exhaustion during reflection/amplification attacks without putting any significant traffic load on the network by eliminating every spoofed request from getting responses.

Evgeny Sagatov,Samara Mayhoub,Andrei Sukhov,Prasad Calyam

DOI: https://doi.org/10.23919/jcin.2023.10173727

2023-07-08

Journal of Communications and Information Networks

Abstract:Domain name system (DNS) amplification distributed denial of service (DDoS) attacks are one of the popular types of intrusions that involve accessing DNS servers on behalf of the victim. In this case, the size of the response is many times greater than the size of the request, in which the source of the request is substituted for the address of the victim. This paper presents an original method for countering DNS amplification DDoS attacks. The novelty of our approach lies in the analysis of outgoing traffic from the victim's server. DNS servers used for amplification attacks are easily detected in Internet control message protocol (ICMP) packet headers (type 3, code 3) in outgoing traffic. ICMP packets of this type are generated when accessing closed user datagram protocol (UDP) ports of the victim, which are randomly assigned by the Saddam attack tool. To prevent such attacks, we used a Linux utility and a software-defined network (SDN) module that we previously developed to protect against port scanning. The Linux utility showed the highest efficiency of 99.8%, i.e., only two attack packets out of a thousand reached the victim server.

Hassnain ul hassan,Rizal Mohd Nor,Md Amiruzzaman,Sharyar Wani,Md. Rajibul Islam

DOI: https://doi.org/10.48550/arXiv.2106.04575

2021-08-29

Abstract:The Domain Name System (DNS) is essential for the Internet, giving a mechanism to resolve hostnames into Internet Protocol (IP) addresses. DNS is known as the world's largest distributed database that manages hostnames and Internet Protocol. By having the DNS, only simple names that can be easily memorized will be used and then the domain name system will map it into the numeric Internet Protocol addresses that are used by computers to communicate. This research aims to propose a model for the development of a private cloud infrastructure to host DNS. The cloud infrastructure will be created using the OpenStack software platform where each server will be hosted separately in a different virtual machine. Virtual network architecture will be created using the Software Defined Networking (SDN) approach and it will be secured using Firewall as a Service (FWaaS). By hosting DNS in private cloud infrastructure, the DNS servers will be out of reach by attackers which will prevent DNS attacks. Besides, available research had proven that the cloud is the best choice for DNS. A prototype had been implemented and evaluated for its efficiencies. The findings from the evaluation carried out shown a positive result.

Cryptography and Security

Harel Berger,Amit Z. Dvir,Moti Geva

DOI: https://doi.org/10.48550/arXiv.1906.10928

2019-06-26

Abstract:The Domain Name System (DNS) provides a translation between readable domain names and IP addresses. The DNS is a key infrastructure component of the Internet and a prime target for a variety of attacks. One of the most significant threat to the DNS's wellbeing is a DNS poisoning attack, in which the DNS responses are maliciously replaced, or poisoned, by an attacker. To identify this kind of attack, we start by an analysis of different kinds of response times. We present an analysis of typical and atypical response times, while differentiating between the different levels of DNS servers' response times, from root servers down to internal caching servers. We successfully identify empirical DNS poisoning attacks based on a novel method for DNS response timing analysis. We then present a system we developed to validate our technique that does not require any changes to the DNS protocol or any existing network equipment. Our validation system tested data from different architectures including LAN and cloud environments and real data from an Internet Service Provider (ISP). Our method and system differ from most other DNS poisoning detection methods and achieved high detection rates exceeding 99%. These findings suggest that when used in conjunction with other methods, they can considerably enhance the accuracy of these methods.

Cryptography and Security

蒋卫华,李伟华,杜君

DOI: https://doi.org/10.3969/j.issn.1000-2758.2002.04.008

2002-01-01

Xibei Gongye Daxue Xuebao/Journal of Northwestern Polytechnical University

Abstract:IP (Internet Protocol) spoofing was first introduced in 1985. By IP spoofing and TCP (Transport Control Protocol) sequence number prediction, hackers can gain unauthorized access to remote machines. The existing firewalls and IDS (Intrusion Detection System) cannot solve the problem completely. In this paper, we first introduce the principles, methods, and tools of IP spoofing. Then through the tests on our local area network, we analyze the technical features and approaches of IP spoofing attacks, and provide the countermeasures to reduce the possibility of such attacks, including the configuration of boundary routers, the adoption of encrypted protocols, and the building of intelligent pattern matching strategies. These methods can effectively detect and prevent prevalent IP spoofing attacks.

Amir Herzberg,Haya Shulman

DOI: https://doi.org/10.48550/arXiv.1209.1482

2012-09-07

Abstract:We investigate defenses against DNS cache poisoning focusing on mechanisms that can be readily deployed unilaterally by the resolving organisation, preferably in a single gateway or a proxy. DNS poisoning is (still) a major threat to Internet security; determined spoofing attackers are often able to circumvent currently deployed antidotes such as port randomisation. The adoption of DNSSEC, which would foil DNS poisoning, remains a long-term challenge. We discuss limitations of the prominent resolver-only defenses, mainly port and IP randomisation, 0x20 encoding and birthday protection. We then present two new (unilateral) defenses: the sandwich antidote and the NAT antidote. The defenses are simple, effective and efficient, and can be implemented in a gateway connecting the resolver to the Internet. The sandwich antidote is composed of two phases: poisoning-attack detection and then prevention. The NAT antidote adds entropy to DNS requests by switching the resolver's IP address to a random address (belonging to the same autonomous system). Finally, we show how to implement the birthday protection mechanism in the gateway, thus allowing to restrict the number of DNS requests with the same query to 1 even when the resolver does not support this.

Cryptography and Security

Minzhao Lyu,Hassan Habibi Gharakheili,Vijay Sivaraman

DOI: https://doi.org/10.1145/3547331

2022-07-08

Abstract:The domain name system (DNS) that maps alphabetic names to numeric Internet Protocol (IP) addresses plays a foundational role for Internet communications. By default, DNS queries and responses are exchanged in unencrypted plaintext, and hence, can be read and/or hijacked by third parties. To protect user privacy, the networking community has proposed standard encryption technologies such as DNS over TLS (DoT), DNS over HTTPS (DoH), and DNS over QUIC (DoQ) for DNS communications, enabling clients to perform secure and private domain name lookups. We survey the DNS encryption literature published since 2016, focusing on its current landscape and how it is misused by malware, and highlighting the existing techniques developed to make inferences from encrypted DNS traffic. First, we provide an overview of various standards developed in the space of DNS encryption and their adoption status, performance, benefits, and security issues. Second, we highlight ways that various malware families can exploit DNS encryption to their advantage for botnet communications and/or data exfiltration. Third, we discuss existing inference methods for profiling normal patterns and/or detecting malicious encrypted DNS traffic. Several directions are presented to motivate future research in enhancing the performance and security of DNS encryption.

Cryptography and Security,Networking and Internet Architecture

Yunwei Dai,Tao Huang,Shuo Wang

DOI: https://doi.org/10.1016/j.cose.2024.103718

IF: 5.105

2024-01-24

Computers & Security

Abstract:Domain Name System (DNS) amplification attacks exploit botnets and open recursive DNS servers to launch Distributed Denial of Service (DDoS) attacks. During an attack, the attacker leverages infected computers (bots) to perpetually send small spoofed DNS queries to numerous open recursive DNS servers. The servers, in turn, respond with lots of large DNS responses, which are reflected back to the victim. Such responses are usually several times larger than the original queries, and could exhaust the resources of CPUs, memory, and network bandwidth, rendering them unavailable for benign users. However, most in-network DDoS mitigation systems today inevitably cause normal DNS responses to be discarded while scrubbing traffic, as they do not distinguish between legitimate and malicious responses. To address this issue, some existing solutions employ Bloom filters to filter out unsolicited DNS responses, utilizing the "one-to-one mapping" relationship between DNS queries and responses. In this work, we present a framework called DAmpADF, designed to defend against DNS amplification attacks. The framework employs Bloom filters at the edge or core routers of Internet Service Providers (ISPs) or organizations to filter out malicious DNS responses. To reduce the false positives of the Bloom filters, we propose a novel data structure called the Non-amplifier Keeper (NAmpKeeper), which maintains the most frequently queried DNS servers that are not DNS amplifiers. By excluding queries to non-amplifiers from the Bloom filters, the false positives of Bloom filters are decreased significantly. Experimental results show that DAmpADF outperforms previous methods and achieves a superior filtration ratio of illegitimate DNS responses. Furthermore, the proposed approach incurs small, constant processing and memory overhead, enabling support for high line rates.

computer science, information systems

XU Cheng-xi,HU Rong-gui,SHI Fan,ZHANG Yan-qing

DOI: https://doi.org/10.3969/j.issn.1000-3428.2013.01.003

2013-01-01

Abstract:Current cache Domain Name System(DNS) servers can not resist continuing Kaminsky DNS cache poisoning,so this paper proposes a defense strategy based on response packets checking.Probability theory is used to analyze the internal relation between success probability and continuing time of poisoning,which attests the harmfulness of continuing Kaminsky poisoning.Packet checking suppresses success probability's accumulative effect on time on the existing basis so that it can be used to defense continuing Kaminsky poisoning.Simulation experiment is conducted based on probabilistic model checking tool PRISM,whose results prove that the strategy can make poison attack more difficult by over 3 600 times than it is now.

Keyu Man,Zhiyun Qian,Zhongjie Wang,Xiaofeng Zheng,Youjun Huang,Haixin Duan

DOI: https://doi.org/10.1145/3372297.3417280

2020-01-01

Abstract:In this paper, we report a series of flaws in the software stack that leads to a strong revival of DNS cache poisoning --- a classic attack which is mitigated in practice with simple and effective randomization-based defenses such as randomized source port. To successfully poison a DNS cache on a typical server, an off-path adversary would need to send an impractical number of $2^32 $ spoofed responses simultaneously guessing the correct source port (16-bit) and transaction ID (16-bit). Surprisingly, we discover weaknesses that allow an adversary to "divide and conquer'' the space by guessing the source port first and then the transaction ID (leading to only $2^16 +2^16 $ spoofed responses). Even worse, we demonstrate a number of ways an adversary can extend the attack window which drastically improves the odds of success. The attack affects all layers of caches in the DNS infrastructure, such as DNS forwarder and resolver caches, and a wide range of DNS software stacks, including the most popular BIND, Unbound, and dnsmasq, running on top of Linux and potentially other operating systems. The major condition for a victim being vulnerable is that an OS and its network is configured to allow ICMP error replies. From our measurement, we find over 34% of the open resolver population on the Internet are vulnerable (and in particular 85% of the popular DNS services including Google's 8.8.8.8). Furthermore, we comprehensively validate the proposed attack with positive results against a variety of server configurations and network conditions that can affect the success of the attack, in both controlled experiments and a production DNS resolver (with authorization).

Christian Bassey,Francis Jeremiah,Rustem Iuzlibaev,Opeyemi Oloruntola,Success Imakuh

DOI: https://doi.org/10.30574/wjarr.2024.22.3.1716

2024-06-30

World Journal of Advanced Research and Reviews

Abstract:These days, quite a large number of application servers are being considered to be easily spoofed. Even though technologies like DNSSec, DNS over HTTPS/TLS, and DNSCurve have always been suitable for this type of problem, many developers need help to exercise the complete chain of trust. Implementing the mentioned protocols might be a matter of time, inexperience, or impossibility. In this paper, some workarounds that rely on BGP Autonomous System numbers (AS) are shown, and protocols therein are described by way of Unicast Reverse Path Forwarding (uRPF), its benefits and drawbacks from an analytical standpoint, as well as the primary flow to defend end systems, are presented. Our approach focuses on filtering malicious traffic closer to the source by identifying anomalies in BGP AS path information. The methodology is implemented and tested using Snort as an Intrusion Detection System (IDS) to capture and analyze DNS request patterns, then MikroTik router configurations are used for strict uRPF and ingress filtering, demonstrating the practical application of this solution proposed solution in real-world network environments.

Qin Zhi-guang

2007-01-01

Abstract:This paper describes the principle of Distributed Denial of Service (DDoS) attack. Several representative defense methods are analyzed to against it. A defense method against IP spoofing DDoS attack is proposed. An active IP record table is used to detect all IP packets passing through the border of autonomy system in this method. Packets of the source IP address which are not active will be discarded by the border routers or routers near the border in the autonomy system, according to the Internet Control Message Protocol (ICMP) protocol, timeout ICMP messages will be sent to the source IP hosts, and thus, IP spoofed packets will be discarded, because their source IP usually are not active. Although some legal packets will also be discarded, the retransmission will be triggered by the timeout ICMP messages immediately.

Jiancong Zhang,Shining Li,Changhao Wang

DOI: https://doi.org/10.1155/2022/6304927

IF: 1.968

2022-01-01

Security and Communication Networks

Abstract:Named data networking (NDN) is a promising alternative data dissemination technology of TCP/IP communication networks, which can bring out much more cost-effective and resilient communication in a highly mobile environment. However, due to the feature of NDN, content poisoning comes out as a potential threat. Hence, state-of-the-art studies introduce network layer approaches based on name-key binding, in which the producer notifies routers of the bindings of names and key values. Key values include publisher public key digest or content digest. Routers check key values to determine whether incoming data packets have been poisoned. Unfortunately, the approaches lead to more vulnerabilities in dynamic content poisoning because attackers can impersonate the producer to alter or fabricate the bindings. Thus, we introduce a consumer-oriented two-phased lightweight security scheme, which consists of an end-to-end authentication and a packet-level name-key query mechanism. Specifically, the name-key bindings are authenticated via an additional verification by the consumer. Furthermore, we also introduce a novel trust model to help routers to determine and disconnect from the malicious nodes. Finally, our extensive experimental results demonstrate that the scheme can work effectively in improving the vulnerability of existing studies on dynamic content poisoning and lowering the system overhead simultaneously.

Futai Zou,Siyu Zhang,Li Pang,Linsen Li,Jianhua Li,Bei Pei

DOI: https://doi.org/10.1109/dsc.2016.96

2016-01-01

Abstract:Domain Name System (DNS) is one of the most crucial components of the Internet. However, due to the vulnerability of DNS, its security has been continuously challenged in recent years. In order to thoroughly understand the root cause of the security risks in the DNS, researches in DNS security are surveyed, and vulnerabilities in DNS and corresponding countermeasures are summarized. First, based on the protocol design and implementation of DNS, weaknesses in DNS fall into 5 categories: cache poisoning, denial of service, software vulnerabilities, information leakage and unauthorized data manipulation. Then, fundamental properties and defense approaches for the 5 categories are analyzed. Next, to improve the Internet name service, new secure DNS architectures are analyzed and compared. And finally, future aspects of research in DNS security are discussed.

Aminollah Khormali,Jeman Park,Hisham Alasmary,Afsah Anwar,David Mohaisen

DOI: https://doi.org/10.48550/arXiv.2006.15277

2020-06-27

Abstract:The domain name system (DNS) is one of the most important components of today's Internet, and is the standard naming convention between human-readable domain names and machine-routable IP addresses of Internet resources. However, due to the vulnerability of DNS to various threats, its security and functionality have been continuously challenged over the course of time. Although, researchers have addressed various aspects of the DNS in the literature, there are still many challenges yet to be addressed. In order to comprehensively understand the root causes of the vulnerabilities of DNS, it is mandatory to review the various activities in the research community on DNS landscape. To this end, this paper surveys more than 170 peer-reviewed papers, which are published in both top conferences and journals in the last ten years, and summarizes vulnerabilities in DNS and corresponding countermeasures. This paper not only focuses on the DNS threat landscape and existing challenges, but also discusses the utilized data analysis methods, which are frequently used to address DNS threat vulnerabilities. Furthermore, we looked into the DNSthreat landscape from the viewpoint of the involved entities in the DNS infrastructure in an attempt to point out more vulnerable entities in the system.

Networking and Internet Architecture