ABSTRACT
The core protocols of the Internet infrastructure play a central role in delivering packets to their destination: inter-domain routing with BGP (Border Gateway Protocol) computes the paths through the global Internet, and DNS (Domain Name System) looks up the destination addresses. Because of their critical function they are frequently attacked: adversaries redirect victims to malicious servers or networks by making their traffic traverse incorrect routes or reach incorrect destinations, e.g., for cyber-espionage, spam distribution, theft of crypto-currency, or censorship [1, 4-6]. The resulting attacks are relatively stealthy and cannot be immediately detected or prevented [2, 3]; by the time they are detected, the damage has already been done.
The frequency of these attacks, together with the devastating damage they cause, motivates the deployment of cryptographic defences for the Internet infrastructure. Multiple efforts are devoted to protecting the core Internet protocols with cryptographic mechanisms: BGP with RPKI and DNS with DNSSEC. Recently the deployment of these defences took off, and many networks and DNS servers in the Internet have already adopted them. We review the deployed defences and show that the tradeoffs made by operators and developers can be exploited to disable the cryptographic defences. We also provide mitigations and discuss the challenges in their adoption.
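The defence the abstract names for BGP is RPKI route origin validation (ROV). The following is an added example, not code from the paper or from any RPKI implementation: it implements the RFC 6811 classification of a BGP announcement as Valid, Invalid or NotFound against a set of ROAs, plus the acceptance policy a router applies to that state. The ROA set, prefixes (RFC 5737/3849 documentation ranges) and ASNs (RFC 5398 documentation block) are constructed for the example. It does not reproduce the specific operator or developer tradeoffs the paper exploits; it shows the two points where ROV is lenient by design, namely that NotFound is accepted (RFC 7115) and that Invalid is only dropped when the operator enables it.

```python
"""RPKI Route Origin Validation (RFC 6811) over a local set of ROAs.

Added example, not the paper's code. Prefixes are documentation ranges
(RFC 5737, RFC 3849) and ASNs are from the documentation block (RFC 5398).
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class ROA:
    """A validated Route Origin Authorization as a relying party exports it."""
    prefix: str      # e.g. "203.0.113.0/24"
    max_length: int  # longest prefix length the origin may announce
    origin_as: int   # 0 means nobody may originate this prefix (AS0 ROA, RFC 6483 sec. 4)


def covering_roas(route_prefix: str, roas: Iterable[ROA]) -> List[ROA]:
    """ROAs whose prefix contains the announced prefix (same address family)."""
    net = ipaddress.ip_network(route_prefix, strict=False)
    out = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            out.append(roa)
    return out


def rov_state(route_prefix: str, origin_as: int, roas: Iterable[ROA]) -> str:
    """Return 'Valid', 'Invalid' or 'NotFound' per RFC 6811 section 2."""
    net = ipaddress.ip_network(route_prefix, strict=False)
    covering = covering_roas(route_prefix, roas)
    if not covering:
        return "NotFound"        # no ROA covers the prefix: RPKI says nothing
    for roa in covering:
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"             # covered, but wrong origin or too specific


def accept_route(route_prefix: str, origin_as: int, roas: Iterable[ROA],
                 drop_invalid: bool = True) -> bool:
    """Routing policy decision.

    NotFound is accepted by design (RFC 7115), so a prefix without a ROA gains
    nothing from RPKI. Invalid is dropped only if the operator enabled it.
    """
    state = rov_state(route_prefix, origin_as, roas)
    if state == "Invalid":
        return not drop_invalid
    return True


# Constructed ROA set for the example (documentation prefixes and ASNs only).
ROAS = [
    ROA("203.0.113.0/24", 24, 64496),   # legitimate holder, /24 only
    ROA("2001:db8::/32", 48, 64500),    # IPv6 block, may deaggregate down to /48
    ROA("192.0.2.0/24", 24, 0),         # AS0: prefix must never appear in BGP
]


def demo() -> dict:
    """Classify constructed announcements, including hijack-style ones."""
    cases = {
        "legit /24":        ("203.0.113.0/24", 64496),
        "forged origin":    ("203.0.113.0/24", 64497),   # hijacker's own AS
        "more-specific":    ("203.0.113.0/25", 64496),   # spoofed origin, exceeds maxLength
        "uncovered prefix": ("198.51.100.0/24", 64497),  # no ROA at all
        "v6 deaggregate":   ("2001:db8:1::/48", 64500),
        "v6 too specific":  ("2001:db8::/49", 64500),
        "as0 prefix":       ("192.0.2.0/24", 64496),
    }
    return {name: rov_state(p, asn, ROAS) for name, (p, asn) in cases.items()}


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:18s} {state}")
```

The "uncovered prefix" case is the one to note: an announcement for a prefix with no ROA is NotFound and is accepted by every ROV-enabled router, so the protection only exists for prefixes whose holders have published ROAs and only at routers configured to drop Invalid.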
- Tianxiang Dai, Philipp Jeitner, Haya Shulman, and Michael Waidner. 2021a. The Hijackers Guide To The Galaxy: Off-Path Taking Over Internet Resources. In 30th USENIX Security Symposium (USENIX Security 21). USENIX Association. https://www.usenix.org/conference/usenixsecurity21/presentation/dai
- Tianxiang Dai, Haya Shulman, and Michael Waidner. 2021b. Let's Downgrade Let's Encrypt. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. 1421--1440.
- Mike Masnick. 2022. Massive Man-in-the-Middle Attacks Have Been Hijacking Huge Amounts Of Internet Traffic And Almost No One Noticed. https://www.techdirt.com/articles/
- Anirudh Ramachandran and Nick Feamster. 2006. Understanding the network-level behavior of spammers. In Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications. 291--302.
- Xueyang Xu, Z Morley Mao, and J Alex Halderman. 2011. Internet censorship in China: Where does the filtering occur? In International Conference on Passive and Active Network Measurement. Springer, 133--142.
How (Not) to Deploy Cryptography on the Internet