A wrinkle in time: A case study in DNS poisoning.

Published on Jun 26, 2019 in arXiv: Cryptography and Security

Authors: Harel Berger, Amit Dvir, Moti Geva
Abstract: The Domain Name System (DNS) provides a translation between readable domain names and IP addresses. The DNS is a key infrastructure component of the Internet and a prime target for a variety of attacks. One of the most significant threats to the DNS's well-being is a DNS poisoning attack, in which DNS responses are maliciously replaced, or poisoned, by an attacker. To identify this kind of attack, we start with an analysis of different kinds of response times. We present an analysis of typical and atypical response times, differentiating between the response times of the different levels of DNS servers, from root servers down to internal caching servers. We successfully identify empirical DNS poisoning attacks based on a novel method for DNS response timing analysis. We then present a system we developed to validate our technique; it does not require any changes to the DNS protocol or to any existing network equipment. Our validation system tested data from different architectures, including LAN and cloud environments, and real data from an Internet Service Provider (ISP). Our method and system differ from most other DNS poisoning detection methods and achieved high detection rates exceeding 99%. These findings suggest that, when used in conjunction with other methods, they can considerably enhance the accuracy of those methods.