Chaoyi Lu,Baojun Liu,Zhou Li,Shuang Hao,Haixin Duan,Mingming Zhang,Chunying Leng,Ying Liu,Zaifeng Zhang,Jianping Wu

DOI: https://doi.org/10.1145/3355369.3355580

2019-01-01

Abstract:DNS packets are designed to travel in unencrypted form through the Internet based on its initial standard. Recent discoveries show that real-world adversaries are actively exploiting this design vulnerability to compromise Internet users' security and privacy. To mitigate such threats, several protocols have been proposed to encrypt DNS queries between DNS clients and servers, which we jointly term as DNS-over-Encryption. While some proposals have been standardized and are gaining strong support from the industry, little has been done to understand their status from the view of global users. This paper performs by far the first end-to-end and large-scale analysis on DNS-over-Encryption. By collecting data from Internet scanning, user-end measurement and passive monitoring logs, we have gained several unique insights. In general, the service quality of DNS-over-Encryption is satisfying, in terms of accessibility and latency. For DNS clients, DNS-over-Encryption queries are less likely to be disrupted by in-path interception compared to traditional DNS, and the extra overhead is tolerable. However, we also discover several issues regarding how the services are operated. As an example, we find 25% DNS-over-TLS service providers use invalid SSL certificates. Compared to traditional DNS, DNS-over-Encryption is used by far fewer users but we have witnessed a growing trend. As such, we believe the community should push broader adoption of DNS-over-Encryption and we also suggest the service providers carefully review their implementations.

Ranya Sharma,Nick Feamster,Austin Hounsel

DOI: https://doi.org/10.48550/arXiv.2208.04999

2022-08-10

Abstract:Unencrypted DNS traffic between users and DNS resolvers can lead to privacy and security concerns. In response to these privacy risks, many browser vendors have deployed DNS-over-HTTPS (DoH) to encrypt queries between users and DNS resolvers. Today, many client-side deployments of DoH, particularly in browsers, select between only a few resolvers, despite the fact that many more encrypted DNS resolvers are deployed in practice. Unfortunately, if users only have a few choices of encrypted resolver, and only a few perform well from any particular vantage point, then the privacy problems that DoH was deployed to help address merely shift to a different set of third parties. It is thus important to assess the performance characteristics of more encrypted DNS resolvers, to determine how many options for encrypted DNS resolvers users tend to have in practice. In this paper, we explore the performance of a large group of encrypted DNS resolvers supporting DoH by measuring DNS query response times from global vantage points in North America, Europe, and Asia. Our results show that many non-mainstream resolvers have higher response times than mainstream resolvers, particularly for non-mainstream resolvers that are queried from more distant vantage points -- suggesting that most encrypted DNS resolvers are not replicated or anycast. In some cases, however, certain non-mainstream resolvers perform at least as well as mainstream resolvers, suggesting that users may be able to use a broader set of encrypted DNS resolvers than those that are available in current browser configurations.

Cryptography and Security

Minzhao Lyu,Hassan Habibi Gharakheili,Vijay Sivaraman

DOI: https://doi.org/10.1145/3547331

2022-07-08

Abstract:The domain name system (DNS) that maps alphabetic names to numeric Internet Protocol (IP) addresses plays a foundational role for Internet communications. By default, DNS queries and responses are exchanged in unencrypted plaintext, and hence, can be read and/or hijacked by third parties. To protect user privacy, the networking community has proposed standard encryption technologies such as DNS over TLS (DoT), DNS over HTTPS (DoH), and DNS over QUIC (DoQ) for DNS communications, enabling clients to perform secure and private domain name lookups. We survey the DNS encryption literature published since 2016, focusing on its current landscape and how it is misused by malware, and highlighting the existing techniques developed to make inferences from encrypted DNS traffic. First, we provide an overview of various standards developed in the space of DNS encryption and their adoption status, performance, benefits, and security issues. Second, we highlight ways that various malware families can exploit DNS encryption to their advantage for botnet communications and/or data exfiltration. Third, we discuss existing inference methods for profiling normal patterns and/or detecting malicious encrypted DNS traffic. Several directions are presented to motivate future research in enhancing the performance and security of DNS encryption.

Cryptography and Security,Networking and Internet Architecture

Ruixuan Li,Baojun Liu,Chaoyi Lu,Haixin Duan,Jun Shao

DOI: https://doi.org/10.1145/3589334.3645539

2024-01-01

Abstract:To protect user DNS privacy, four DNS over Encryption (DoE) protocols have been proposed, including DNS over TLS (DoT), DNS over HTTPS (DoH), DNS over QUIC (DoQ), and DNS over HTTP/3 (DoH3). Ensuring reachability stands as a prominent prerequisite for the proper functionality of these DoE protocols, driving considerable efforts in this domain. However, existing studies predominantly concentrate on a limited number of DoT/DoH domains or employ a restricted subset of vantage points (VPs). In this paper, we present the first comprehensive worldwide view of DoE service reachability. By collecting data from our 15-month-long scan, we elaborately built a list of 1302 operational DoE domains as measurement targets, 448 of which support IPv6. Then we performed 10M DoE over IPv4 (DoEv4) and 570K DoE over IPv6 (DoEv6) queries from 5K VPs over two months, encompassing 102 countries/regions. Our results reveal that the reachability of DoE services is poor in some countries/regions. Specifically, 592K (5.92%) DoEv4 queries and 28K (4.91%) DoEv6 queries are blocked. In countries/regions with strict Internet control, DoEv4 service blocking often occurs during TCP connection and QUIC version negotiation. Compared to DoEv4, the reachability of DoEv6 services is better. In particular, some DoE blocking policies target only specific IP addresses or DoE protocols, providing clients with the opportunity to access blocked DoE domains. Our study highlights the need for the DNS community to pay attention and improve the reachability of DoE services.

Sandra Siby,Marc Juarez,Claudia Diaz,Narseo Vallina-Rodriguez,Carmela Troncoso

DOI: https://doi.org/10.48550/arXiv.1906.09682

2019-10-07

Abstract:Virtually every connection to an Internet service is preceded by a DNS lookup which is performed without any traffic-level protection, thus enabling manipulation, redirection, surveillance, and censorship. To address these issues, large organizations such as Google and Cloudflare are deploying recently standardized protocols that encrypt DNS traffic between end users and recursive resolvers such as DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH). In this paper, we examine whether encrypting DNS traffic can protect users from traffic analysis-based monitoring and censoring. We propose a novel feature set to perform the attacks, as those used to attack HTTPS or Tor traffic are not suitable for DNS' characteristics. We show that traffic analysis enables the identification of domains with high accuracy in closed and open world settings, using 124 times less data than attacks on HTTPS flows. We find that factors such as location, resolver, platform, or client do mitigate the attacks performance but they are far from completely stopping them. Our results indicate that DNS-based censorship is still possible on encrypted DNS traffic. In fact, we demonstrate that the standardized padding schemes are not effective. Yet, Tor -- which does not effectively mitigate traffic analysis attacks on web traffic -- is a good defense against DoH traffic analysis.

Cryptography and Security

Cong Dong,Jiahai Yang,Yun Li,Yue Wu,Yufan Chen,Chenglong Li,Haoran Jiao,Xia Yin,Yuling Liu

2024-03-19

Abstract:In recent years, DNS over Encrypted (DoE) methods have been regarded as a novel trend within the realm of the DNS ecosystem. In these DoE methods, DNS over HTTPS (DoH) provides encryption to protect data confidentiality while providing better obfuscation to avoid censorship by multiplexing port 443 with web services. This development introduced certain inconveniences in discovering publicly available DoH services. In this paper, we propose the E-DoH method for elegant and efficient DoH service detection. First, we optimized the probing mechanism to enable a single DoH connection to accomplish multiple tasks including service discovery, correctness validation and dependency construction. Second, we propose an efficient DoH detection tool. This tool can enhance probing efficiency while significantly reduce the required traffic volume. Third, based on the above optimization methods, we conducted an exploration of the IPv4 space and performed an in-depth analysis of DoH based on the collected information. Through experiments, our approach demonstrates a remarkable 80% improvement in time efficiency, and only requires 4%-20% traffic volume to complete the detection task. In wild detection, our approach discovered 46k DoH services, which nearly doubles the number discovered by the state-of-the-art. Based on the collected data, we present several intriguing conclusions about the current DoH service ecosystem.

Cryptography and Security,Networking and Internet Architecture

Jonas Bushart,Christian Rossow

DOI: https://doi.org/10.48550/arXiv.1907.01317

2019-07-02

Abstract:DNS over TLS (DoT) and DNS over HTTPS (DoH) encrypt DNS to guard user privacy by hiding DNS resolutions from passive adversaries. Yet, past attacks have shown that encrypted DNS is still sensitive to traffic analysis. As a consequence, RFC 8467 proposes to pad messages prior to encryption, which heavily reduces the characteristics of encrypted traffic. In this paper, we show that padding alone is insufficient to counter DNS traffic analysis. We propose a novel traffic analysis method that combines size and timing information to infer the websites a user visits purely based on encrypted and padded DNS traces. To this end, we model DNS sequences that capture the complexity of websites that usually trigger dozens of DNS resolutions instead of just a single DNS transaction. A closed world evaluation based on the Alexa top-10k websites reveals that attackers can deanonymize at least half of the test traces in 80.2% of all websites, and even correctly label all traces for 32.0% of the websites. Our findings undermine the privacy goals of state-of-the-art message padding strategies in DoT/DoH. We conclude by showing that successful mitigations to such attacks have to remove the entropy of inter-arrival timings between query responses.

Cryptography and Security

Baojun Liu,Chaoyi Lu,Haixin Duan,Ying Liu,Zhou Li,Shuang Hao,Min Yang

DOI: https://doi.org/10.1145/3340301.3341122

2018-01-01

Abstract:DNS is a critical service for almost all Internet applications. DNS queries from end users are handled by recursive DNS servers for scalability. For convenience, Internet Service Providers (ISPs) assign recursive servers for their clients automatically when the clients choose the default network settings. On the other hand, users should also have the flexibility to use their preferred recursive servers, like public DNS servers. Since almost all DNS queries are sent in plain-text, it's possible for on-path devices to intercept DNS queries sent to public resolvers, by spoofing the IP addresses of user-specified DNS servers and surreptitiously responding using alternative resolvers instead. The trust relationship between users and public DNS are thus broken by the hidden interception of the DNS resolution path (which we term as DNS interception). The hidden DNS interception can pose users to privacy and security threats, and we aim to shed light on this behavior in this study. It's challenging to observe DNS interception because we need vantages points distributed across the globe. We solved this problem by recruiting clients from a proxy network and popular security software with a large number of real-world users. In this paper, we performed a large-scale analysis on on-path DNS interception and investigate its scope and characteristics. In practice, we designed a novel approach to detecting DNS interception and deployed a global measurement platform. Considering different transport protocols and various recursive servers, we have gained multi-faceted insights. In particular, using traffic from 148,478 residential and cellular IP addresses, we find that 259 of the 3,047 ASes (8.5%) that we inspect exhibit DNS interception behavior, including large providers, such as China Mobile. Particularly, 27.9% DNS/UDP queries from China to Google Public DNS are intercepted. Moreover, we find that alternative resolvers used by interceptors may use outdated software (which should be deprecated before 2009) and lack security-related functionality, such as handling DNSSEC requests. Our work highlights the issues around on-path DNS interception and provides new insights into its countermeasures. Our research provides a first large-scale study on DNS end-to-end violation. Our work delivers evidence of DNS interception and serves as strong motivation of deploying encrypted DNS (e.g., DNS-over-TLS and DNS-over-HTTPS). After being published, our findings are reported by several well-known media, such as ACM Technews, The Register, and Hackread. This paper is based on: Baojun Liu, Chaoyi Lu, Haixin Duan, Ying Liu, Zhou Li, Shuang Hao, and Min Yang. 2018. Who Is Answering My Queries: Understanding and Characterizing Interception of the DNS Resolution Path. In Proceedings of USENIX Security 2018. USENIX Security Symposium, Baltimore, USA, 16 pages. This work was supported in part by the National Natural Science Foundation of China (U1836213, U1636204) and the BNRist Network and Software Security Research Program (Grant No. BNR2019TD01004).

Hongyu Gao,Vinod Yegneswaran,Jian Jiang,Yan Chen,Phillip Porras,Shalini Ghosh,Haixin Duan

DOI: https://doi.org/10.1109/tnet.2014.2358637

2016-01-01

IEEE/ACM Transactions on Networking

Abstract:The performance and operational characteristics of the Domain Name System (DNS) protocol are of deep interest to the research and network operations community. In this paper, we present measurement results from a unique dataset containing more than 26 billion DNS query-response pairs collected from more than 600 globally distributed recursive DNS resolvers. We use this dataset to reaffirm findings in published work and notice some significant differences that could be attributed both to the evolving nature of DNS traffic and to our differing perspective. For example, we find that although characteristics of DNS traffic vary greatly across networks, the resolvers within an organization tend to exhibit similar behavior. We further find that more than 50% of DNS queries issued to root servers do not return successful answers, and that the primary cause of lookup failures at root servers is malformed queries with invalid top-level domains (TLDs). Furthermore, we propose a novel approach that detects malicious domain groups using temporal correlation in DNS queries. Our approach requires no comprehensive labeled training set, which can be difficult to build in practice. Instead, it uses a known malicious domain as anchor and identifies the set of previously unknown malicious domains that are related to the anchor domain. Experimental results illustrate the viability of this approach, i. e., we attain a true positive rate of more than 96%, and each malicious anchor domain results in a malware domain group with more than 53 previously unknown malicious domains on average.

Timm Boettger,Felix Cuadrado,Gianni Antichi,Eder Leao Fernandes,Gareth Tyson,Ignacio Castro,Steve Uhlig

DOI: https://doi.org/10.48550/arXiv.1909.06192

2019-09-13

Abstract:DNS is a vital component for almost every networked application. Originally it was designed as an unencrypted protocol, making user security a concern. DNS-over-HTTPS (DoH) is the latest proposal to make name resolution more secure. In this paper we study the current DNS-over-HTTPS ecosystem, especially the cost of the additional security. We start by surveying the current DoH landscape by assessing standard compliance and supported features of public DoH servers. We then compare different transports for secure DNS, to highlight the improvements DoH makes over its predecessor, DNS-over-TLS (DoT). These improvements explain in part the significantly larger take-up of DoH in comparison to DoT. Finally, we quantify the overhead incurred by the additional layers of the DoH transport and their impact on web page load times. We find that these overheads only have limited impact on page load times, suggesting that it is possible to obtain the improved security of DoH with only marginal performance impact.

Networking and Internet Architecture

Xiang Li,Wei Xu,Baojun Liu,Mingming Zhang,Zhou Li,Jia Zhang,Deliang Chang,Xiaofeng Zheng,Chuhan Wang,Jianjun Chen,Haixin Duan,Qi Li

DOI: https://doi.org/10.1109/sp54263.2024.00172

2024-01-01

Abstract:DNS can be compared to a game of chess in that its rules are simple, yet the possibilities it presents are endless. While the fundamental rules of DNS are straightforward, DNS implementations can be extremely complex. In this study, we intend to explore the complexities and vulnerabilities in DNS response pre-processing by systematically analyzing DNS RFCs and DNS software implementations. We present the discovery of three new types of logic vulnerabilities, leading to the proposal of three novel attacks, namely the TuDoor attack. These attacks involve the use of malformed DNS response packets to carry out DNS cache poisoning, denial- of-service, and resource consuming attacks. By performing comprehensive experiments, we demonstrate the attack’s feasibility and significant real-world impacts of TUDOOR. In total, 24 mainstream DNS software, including BIND, PowerDNS, and Microsoft DNS, are affected by TuDoor. Attackers can instigate cache poisoning and denial-of-service attacks against vulnerable resolvers using a handful of crafted packets within 1 second or circumvent the query limit to deplete resolution resources (e.g., CPU). Besides, to determine the vulnerable resolver population in the wild, we collect and evaluate 16 popular Wi-Fi routers, 6 prevalent router OSes, 42 public DNS services, and around 1.8M open DNS resolvers. Our measurement results indicate that TUDOOR could exploit 7 routers (OSes), 18 public DNS services, and 424,652 (23.1%) open DNS resolvers. Following the best practice of responsible disclosure, we have reported these vulnerabilities to all affected vendors, and 18 of them, including BIND, Chrome, Cloudflare, and Microsoft, have acknowledged our findings and discussed mitigation solutions with us. Furthermore, 33 CVE IDs are assigned to our discovered vulnerabilities, and we provide an online detection tool as one of the mitigation measures. Our research highlights the urgent need for standardization of DNS response pre-processing logic to enhance the security of DNS.

Mingxuan Liu,Yiming Zhang,Xiang Li,Chaoyi Lu,Baojun Liu,Haixin Duan,Xiaofeng Zheng

DOI: https://doi.org/10.14722/ndss.2024.24782

2024-01-01

Abstract:Domain names are often registered and abused for harmful and illegal Internet activities.To mitigate such threats, as an emerging security service, Protective DNS (PDNS) blocks access to harmful content by proactively offering rewritten DNS responses, which resolve malicious domains to controlled hosts.While it has become an effective tool against cybercrime, given their implementation divergence, little has been done from the security community in understanding the deployment, operational status and security policies of PDNS services.In this paper, we present a large-scale measurement study of the deployment and security implications of open PDNS services.We first perform empirical analysis over 28 popular PDNS providers and summarize major formats of DNS rewriting policies.Then, powered by the derived rules, we design a methodology that identifies intentional DNS rewriting enforced by open PDNS servers in the wild.Our findings are multi-faceted.On the plus side, the deployment of PDNS is now starting to scale: we identify 17,601 DNS servers (9.1% of all probed) offering such service.For DNS clients, switching from regular DNS to PDNS induces negligible query latency, despite additional steps (e.g., checking against threat intelligence and rewriting DNS response) being required from the server side.However, we also find flaws and vulnerabilities within PDNS implementation, including evasion of blocking policies and denial of service.Through responsible vulnerability disclosure, we have received 12 audit assessment results of high-risk vulnerabilities.Our study calls for proper guidance and best practices for secure PDNS operation.

Hongying Dong,Yizhe Zhang,Hyeonmin Lee,Shumon Huque,Yixin Sun

DOI: https://doi.org/10.1145/3646547.3688410

2024-09-12

Abstract:The DNS HTTPS resource record is a new DNS record type designed for the delivery of configuration information and parameters required to initiate connections to HTTPS network services. In addition, it is a key enabler for TLS Encrypted ClientHello (ECH) by providing the cryptographic keying material needed to encrypt the initial exchange. To understand the adoption of this new DNS HTTPS record, we perform a longitudinal study on the server-side deployment of DNS HTTPS for Tranco top million domains, as well as an analysis of the client-side support for DNS HTTPS through snapshots from major browsers. To the best of our knowledge, our work is the first longitudinal study on DNS HTTPS server deployment, and the first known study on client-side support for DNS HTTPS. Despite the rapidly growing trend of DNS HTTPS adoption, our study highlights challenges and concerns in the deployment by both servers and clients, such as the complexity in properly maintaining HTTPS records and connection failure in browsers when the HTTPS record is not properly configured.

Networking and Internet Architecture

Yoshimichi Nakatsuka,Andrew Paverd,Gene Tsudik

DOI: https://doi.org/10.1145/3359789.3359793

2019-09-26

Abstract:Security and privacy of the Internet Domain Name System (DNS) have been longstanding concerns. Recently, there is a trend to protect DNS traffic using Transport Layer Security (TLS). However, at least two major issues remain: (1) how do clients authenticate DNS-over-TLS endpoints in a scalable and extensible manner; and (2) how can clients trust endpoints to behave as expected? In this paper, we propose a novel Private DNS-over-TLS (PDoT ) architecture. PDoT includes a DNS Recursive Resolver (RecRes) that operates within a Trusted Execution Environment (TEE). Using Remote Attestation, DNS clients can authenticate, and receive strong assurance of trustworthiness of PDoT RecRes. We provide an open-source proof-of-concept implementation of PDoT and use it to experimentally demonstrate that its latency and throughput match that of the popular Unbound DNS-over-TLS resolver.

Cryptography and Security

Leyao Nie,Lin He,Guanglei Song,Hao Gao,Chenglong Li,Zhiliang Wang,Jiahai Yang

DOI: https://doi.org/10.23919/cnsm55787.2022.9965032

2022-01-01

Abstract:The Domain Name System (DNS) is critical to Internet communications. EDNS Client Subnet (ECS), a DNS extension, allows recursive resolvers to include client subnet information in DNS queries to improve CDN end-user mapping, extending the visibility of client information to a broader range. Major content delivery network (CDN) vendors, content providers (CP), and public DNS service providers (PDNS) are accelerating their IPv6 infrastructure development. With the increasing deployment of IPv6-enabled services and DNS being the most foundational system of the Internet, it becomes important to analyze the behavioral and privacy status of IPv6 resolvers. However, there is a lack of research on ECS for IPv6 DNS resolvers.In this paper, we study the ECS deployment and compliance status of IPv6 resolvers. Our measurement shows that 11.12% IPv6 open resolvers implement ECS. We discuss abnormal noncompliant scenarios that exist in both IPv6 and IPv4 that raise privacy and performance issues. Additionally, we measured if the sacrifice of clients’ privacy can enhance IPv6 CDN performance. We find that in some cases ECS helps end-user mapping but with an unnecessary privacy loss. And even worse, the exposure of client address information can sometimes backfire, which deserves attention from both Internet users and PDNSes.

Alexandra Nisenoff,Ranya Sharma,Nick Feamster

DOI: https://doi.org/10.48550/arXiv.2208.04991

2023-02-21

Abstract:Recent developments to encrypt the Domain Name System (DNS) have resulted in major browser and operating system vendors deploying encrypted DNS functionality, often enabling various configurations and settings by default. In many cases, default encrypted DNS settings have implications for performance and privacy; for example, Firefox's default DNS setting sends all of a user's DNS queries to Cloudflare, potentially introducing new privacy vulnerabilities. In this paper, we confirm that most users are unaware of these developments -- with respect to the rollout of these new technologies, the changes in default settings, and the ability to customize encrypted DNS configuration to balance user preferences between privacy and performance. Our findings suggest several important implications for the designers of interfaces for encrypted DNS functionality in both browsers and operating systems, to help improve user awareness concerning these settings, and to ensure that users retain the ability to make choices that allow them to balance tradeoffs concerning DNS privacy and performance.

Cryptography and Security,Human-Computer Interaction,Networking and Internet Architecture

Fenglu Zhang,Baojun Liu,Eihal Alowaisheq,Jianjun Chen,Chaoyi Lu,Linjian Song,Yong Ma,Ying Liu,Haixin Duan,Min Yang

DOI: https://doi.org/10.1145/3576915.3616647

2023-01-01

Abstract:Authoritative nameservers are delegated to provide the final resource record. Since the security and robustness of DNS are critical to the general operation of the Internet, domain owners are required to deploy multiple candidate nameservers for load balancing. Once the load balancing mechanism is compromised, an adversary can manipulate a large number of legitimate DNS requests to a specified candidate nameserver. As a result, it may bypass the defense mechanisms used to filter malicious traffic that can overload the victim nameserver, or lower the bar for DNS traffic hijacking and cache poisoning attacks. In this study, we report on a class of DNS vulnerabilities and present a novel attack, named Disablance, that targets the domains with different NS records severing to multiple sites of authoritative servers. The attack is made possible by a misconfiguration of nameservers that ignores domains outside their authority, combined with recursive resolvers that use a globally shared status for nameserver selection. By targeting authoritative nameservers configured by a large number of domains, Disablance allows adversaries to stealthily sabotage the DNS load balancing for authoritative nameservers at a low cost. Through simply configuring the DNS records for a domain under their control to point to the targeted nameservers and performing a handful of requests, adversaries can temporarily manipulate a given DNS resolver to overload a specific authoritative server. Therefore, Disablance can redirect benign DNS requests for all hosted domains to the specific nameserver and disrupts the load balancing mechanism. Our extensive study proves the security threat of Disablance is realistic and prevalent. First, we demonstrated that mainstream DNS implementations, including BIND9, PowerDNS, and Microsoft DNS, are vulnerable to Disablance. Second, we developed a measurement framework to measure vulnerable authoritative servers in the wild. 22.24% of top 1M FQDNs and 3.94% of top 1M SLDs were proven can be the victims of Disablance. Our measurement results also show that 37.88% of stable open resolvers and 10 of 14 popular public DNS services can be exploited to conduct Disablance, including Cloudflare and Quad9. Furthermore, the critical security threats of Disablance were observed and acknowledged through in-depth discussion with a world-leading DNS service provider. We have reported discovered vulnerabilities and provided recommendations to the affected vendors. Until now, Tencent Cloud (DNSPod) and Amazon have taken action to fix this issue according to our suggestions.

Yevheniya Nosyk,Maciej Korczyński,Qasim Lone,Marcin Skwarek,Baptiste Jonglez,Andrzej Duda

DOI: https://doi.org/10.1109/TNET.2023.3257413

2023-03-15

Abstract:Source Address Validation (SAV) is a standard aimed at discarding packets with spoofed source IP addresses. The absence of SAV for outgoing traffic has been known as a root cause of Distributed Denial-of-Service (DDoS) attacks and received widespread attention. While less obvious, the absence of inbound filtering enables an attacker to appear as an internal host of a network and may reveal valuable information about the network infrastructure. Inbound IP spoofing may amplify other attack vectors such as DNS cache poisoning or the recently discovered NXNSAttack. In this paper, we present the preliminary results of the Closed Resolver Project that aims at mitigating the problem of inbound IP spoofing. We perform the first Internet-wide active measurement study to enumerate networks that filter or do not filter incoming packets by their source address, for both the IPv4 and IPv6 address spaces. To achieve this, we identify closed and open DNS resolvers that accept spoofed requests coming from the outside of their network. The proposed method provides the most complete picture of inbound SAV deployment by network providers. Our measurements cover over 55 % IPv4 and 27 % IPv6 Autonomous Systems (AS) and reveal that the great majority of them are fully or partially vulnerable to inbound spoofing. By identifying dual-stacked DNS resolvers, we additionally show that inbound filtering is less often deployed for IPv6 than it is for IPv4. Overall, we discover 13.9 K IPv6 open resolvers that can be exploited for amplification DDoS attacks - 13 times more than previous work. Furthermore, we enumerate uncover 4.25 M IPv4 and 103 K IPv6 vulnerable closed resolvers that could only be detected thanks to our spoofing technique, and that pose a significant threat when combined with the NXNSAttack.

Networking and Internet Architecture

Deliang Chang,Joann Qiongna Chen,Zhou Li,Xing Li

DOI: https://doi.org/10.1109/eurosp53844.2022.00020

2022-01-01

Abstract:Domain name system (DNS) is the address book of the Internet and domain names are queried before almost every network activity. Since the entities like recursive resolvers can monitor users' DNS queries, privacy concerns such as user tracking arise. Though a number of prior works have looked into this issue, they all focus on the closed-world setting, which means that victim users must be known to the adversary. We argue that it does not reflect the adversary's true capabilities. Moreover, there lacks an effective approach to defend against DNS-based user tracking. In this work, we revisit these issues by investigating the attack surface in both open-world and closed-world settings and studying how to protect users. First, we introduce a new tracking mechanism DSCorr which incorporates domain-based word embedding to capture the fine-grained distance between domain names, and automatic threshold generation for fine-tuning the attack outcome. The evaluation result on a real-world DNS dataset shows DSCorr is able to outperform the existing works by a large margin especially in the open-world setting. On the defense side, we develop a system called LDPResolve, which incorporates a recently proposed differential privacy notion ULDP (Utility-optimized Local Differential Privacy) and a new technique named parallel domain resolving, to provide privacy guarantees without damaging the utility of legitimate applications. The evaluation result on the same dataset shows the DNS-based user tracking can be effectively curbed, e.g., tracking accuracy degraded from 93% to 10.1%.

Qinwen Hu,Muhammad Rizwan Asghar,Nevil Brownlee

DOI: https://doi.org/10.3233/jcs-200070

2021-02-03

Journal of Computer Security

Abstract:HTTPS refers to an application-specific implementation that runs HyperText Transfer Protocol (HTTP) on top of Secure Socket Layer (SSL) or Transport Layer Security (TLS). HTTPS is used to provide encrypted communication and secure identification of web servers and clients, for different purposes such as online banking and e-commerce. However, many HTTPS vulnerabilities have been disclosed in recent years. Although many studies have pointed out that these vulnerabilities can lead to serious consequences, domain administrators seem to ignore them. In this study, we evaluate the HTTPS security level of Alexa’s top 1 million domains from two perspectives. First, we explore which popular sites are still affected by those well-known security issues. Our results show that less than 0.1% of HTTPS-enabled servers in the measured domains are still vulnerable to known attacks including Rivest Cipher 4 (RC4), Compression Ratio Info-Leak Mass Exploitation (CRIME), Padding Oracle On Downgraded Legacy Encryption (POODLE), Factoring RSA Export Keys (FREAK), Logjam, and Decrypting Rivest–Shamir–Adleman (RSA) using Obsolete and Weakened eNcryption (DROWN). Second, we assess the security level of the digital certificates used by each measured HTTPS domain. Our results highlight that less than 0.52% domains use the expired certificate, 0.42% HTTPS certificates contain different hostnames, and 2.59% HTTPS domains use a self-signed certificate. The domains we investigate in our study cover 5 regions (including ARIN, RIPE NCC, APNIC, LACNIC, and AFRINIC) and 61 different categories such as online shopping websites, banking websites, educational websites, and government websites. Although our results show that the problem still exists, we find that changes have been taking place when HTTPS vulnerabilities were discovered. Through this three-year study, we found that more attention has been paid to the use and configuration of HTTPS. For example, more and more domains begin to enable the HTTPS protocol to ensure a secure communication channel between users and websites. From the first measurement, we observed that many domains are still using TLS 1.0 and 1.1, SSL 2.0, and SSL 3.0 protocols to support user clients that use outdated systems. As the previous studies revealed security risks of using these protocols, in the subsequent studies, we found that the majority of domains updated their TLS protocol on time. Our 2020 results suggest that most HTTPS domains use the TLS 1.2 protocol and show that some HTTPS domains are still vulnerable to the existing known attacks. As academics and industry professionals continue to disclose attacks against HTTPS and recommend the secure configuration of HTTPS, we found that the number of vulnerable domain is gradually decreasing every year.