ABSTRACT
Networks not employing destination-side source address validation (DSAV) expose themselves to a class of pernicious attacks which could be easily prevented by filtering inbound traffic purporting to originate from within the network. In this work, we survey the pervasiveness of networks vulnerable to infiltration using spoofed addresses internal to the network. We issue recursive Domain Name System (DNS) queries to a large set of known DNS servers worldwide, using various spoofed-source addresses. We classify roughly half of the 62,000 networks (autonomous systems) we tested as vulnerable to infiltration due to lack of DSAV. As an illustration of the dangers these networks expose themselves to, we demonstrate the ability to fingerprint the operating systems of internal DNS servers. Additionally, we identify nearly 4,000 DNS server instances vulnerable to cache poisoning attacks due to insufficient, and often non-existent, source port randomization, a vulnerability widely publicized 12 years ago.
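As an added example (not code from the paper), the two operator-side checks that correspond to the abstract's two findings: the DSAV decision an edge router should make for packets arriving on the external interface, and a classification of the source ports a resolver uses for its outbound queries. The internal prefixes, the sample port sequences and the 1024-port "weak" threshold are constructed assumptions.

```python
import ipaddress
import math

# Constructed stand-ins for the operator's own prefixes (RFC 5737/3849 documentation ranges).
INTERNAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                     ipaddress.ip_network("2001:db8::/32")]


def dsav_verdict(src, internal_prefixes=INTERNAL_PREFIXES):
    """Destination-side source address validation for a packet arriving on the
    network's *external* interface with source address `src`.
    Returns 'drop:internal', 'drop:special-purpose' or 'accept'."""
    ip = ipaddress.ip_address(src)
    # Traffic from outside can never legitimately carry one of our own addresses;
    # this is the filter whose absence the paper's spoofed-source probes detect.
    if any(ip in net for net in internal_prefixes):
        return "drop:internal"
    # Likewise for special-purpose space (RFC 6890: RFC 1918, loopback, link-local,
    # documentation ranges, ...), which Python exposes as the complement of is_global.
    if not ip.is_global or ip.is_multicast:
        return "drop:special-purpose"
    return "accept"


def port_randomization(ports):
    """Assess the UDP source ports a resolver used for consecutive outbound queries
    (observed, for example, at the operator's own authoritative server).
    Returns (verdict, approx_bits) with verdict in {'fixed', 'sequential', 'weak',
    'randomized'}; approx_bits is log2 of the port span exercised, an optimistic
    upper bound on the entropy an off-path forger would have to guess."""
    if len(ports) < 2:
        raise ValueError("need at least two observed ports")
    if len(set(ports)) == 1:
        return "fixed", 0.0               # one static port: the 2008 cache-poisoning setup
    span = max(ports) - min(ports) + 1
    bits = math.log2(span)
    deltas = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    if all(d == deltas[0] for d in deltas):
        return "sequential", bits         # constant stride: the next port is predictable
    if span < 1024:                       # assumed threshold: under ~10 bits of port space
        return "weak", bits
    return "randomized", bits


if __name__ == "__main__":
    # Constructed observations, not measurements from the paper.
    for src in ("8.8.8.8", "203.0.113.7", "10.0.0.5", "2001:db8::1"):
        print(src, "->", dsav_verdict(src))
    for sample in ([53, 53, 53], [32768, 32769, 32770], [1024, 60000, 3456, 40001]):
        print(sample, "->", port_randomization(sample))
```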
Behind Closed Doors: A Network Tale of Spoofing, Intrusion, and False DNS Security