Assessing DNS Vulnerability to Record Injection

Schomp, Kyle; Callahan, Tom; Rabinovich, Michael; Allman, Mark

doi:10.1007/978-3-319-04918-2_21

Cited by 32 publications

(23 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Open DNS resolvers are problematic for two reasons. First, open resolvers can be susceptible to cache poisoning attacks [31], [48]. These, in turn, leave the users of subverted resolvers vulnerable to being re-directed to malicious services.…”

Section: Dns and Ntpmentioning

confidence: 99%

Don’t Forget to Lock the Back Door! A Characterization of IPv6 Network Security Policy

Czyz¹,

Luckie²,

Allman³

et al. 2016

Proceedings 2016 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

There is growing operational awareness of the challenges in securely operating IPv6 networks. Through a measurement study of 520,000 dual-stack servers and 25,000 dual-stack routers, we examine the extent to which security policy codified in IPv4 has also been deployed in IPv6. We find several high-value target applications with a comparatively open security policy in IPv6 including: (i) SSH, Telnet, SNMP, are more than twice as open on routers in IPv6 as they are in IPv4; (ii) nearly half of routers with BGP open were only open in IPv6; and (iii) in the server dataset, SNMP was twice as open in IPv6 as in IPv4. We conduct a detailed study of where port blocking policy is being applied and find that protocol openness discrepancies are consistent within network boundaries, suggesting a systemic failure in organizations to deploy consistent security policy. We successfully communicate our findings with twelve network operators and all twelve confirm that the relative openness was unintentional. Ten of the twelve immediately moved to deploy a congruent IPv6 security policy, reflecting real operational concern. Finally, we revisit the belief that the security impact of this comparative openness in IPv6 is mitigated by the infeasibility of IPv6 network-wide scanning-we find that, for both of our datasets, host addressing practices make discovering these high-value hosts feasible by scanning alone. To help operators accurately measure their own IPv6 security posture, we make our probing system publicly available. Permission to freely reproduce all or part of this paper for noncommercial purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first-named author (for reproduction of an entire paper only), and the author's employer if the paper was prepared within the scope of employment.

show abstract

Section: Dns and Ntpmentioning

confidence: 99%

Don’t Forget to Lock the Back Door! A Characterization of IPv6 Network Security Policy

Czyz¹,

Luckie²,

Allman³

et al. 2016

Proceedings 2016 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

show abstract

“…When S1i of one source is very large, the percentage of '0' bits of its virtual array is 0 in connectivity estimation model. Then S2i of this source is inf according to formula (6). If S1i is in the top 1% of all sources' accurate value, the error between S1i and S2i is approximately equal to 0.…”

Section: Error Analysis For Connectivity Estimationmentioning

confidence: 99%

“…(2) ADNS Listening: as RDNS only interacts with ADNS directly, any IP address that sends domain requests to ADNS can be identified as a RDNS. By deploying a ADNS in advance [1,5,6], D. Dagon et al collect the IP addresses that send domain requests with random hosts in the same secondary domain to the ADNS. Domain requests with random hosts in the same secondary domain are sent by PlantLab nodes [7].…”

Section: Identification Of Rdnsmentioning

confidence: 99%

Fast and Accurate Identification of Active Recursive Domain Name Servers in high-speed Network

Liu

Sun

Huang

et al. 2016

Proceedings of the 2016 ACM International on Workshop on Traffic Measurements for Cybersecurity

View full text Add to dashboard Cite

Fast and accurate identification of active recursive domain name servers (RDNS) is a fundamental step to evaluate security risk degrees of DNS systems. Much identification work have been proposed based on network traffic measurement technology. Even though identifying RDNS accurately, they waste huge network resources, and fail to obtain host activity and distinguish between direct and indirect RDNS. In this paper, we proposed an approach to identify direct and forward RDNS based on our three key insights on their request-response behaviors, and proposed an approach to identify indirect RDNS based on CNAME redirect behaviors. To work in high-speed backbone networks, we further proposed an online connectivity estimation algorithm to obtain estimated values used in our identification approaches. According to our experiments, we can identify RDNS with a high accuracy by selecting the reasonable thresholds. The accuracy of identifying direct and forward RDNS can reach 89%. The accuracy of identifying indirect RDNS can reach 90%. Moreover, our work is capable of real-time analyzing high speed backbone traffics.

show abstract

“…These attacks might target the integrity of the stored records and/or the availability of the DNS server itself. The attacks include Cache poisoning [22], TCP SYN floods [23], DNS hijacking [24], Phantom Domain attack [25], etc. In the following section we describe our proposed system and we evaluate how it mitigates all the aforementioned attacks.…”

Section: ) Attacks and Adversary Modelmentioning

confidence: 99%

Decentralized Distribution of PCP Mappings Over Blockchain for End-to-End Secure Direct Communications

et al. 2019

View full text Add to dashboard Cite

Network Address Translation (NAT) is a method that enables devices with private IP addresses to connect to the Internet by sharing a public IP address. Traversing the NAT device remains a challenge for a wide range of applications such as Voice over IP (VoIP) and Internet of Things (IoT). The Port Control Protocol (PCP) is a relatively new protocol standardized by the Internet Engineering Task Force (IETF) to solve the NAT traversal issues. It allows a NATed device to request and manage a mapping between its private IP address and transport-layer port to a public IP address and port. As PCP requires an application-dependent method for distributing the mappings to remote hosts, several attacks can target the distributing server and render the communication channel vulnerable. In this paper, we propose and implement a decentralized Blockchain-based approach for distributing PCP-mappings, enabling secure endto-end (e2e) direct communications without any trusted third party server. NATed devices register their PCP mappings and public keys into the Blockchain, and other peers can then learn about these mappings to establish end-to-end secure direct communications. The implementation verifies that the system is feasible in terms of transactions fees, can simplify and secure end-to-end direct communications, and can interwork with conventional security methods.

show abstract

Assessing DNS Vulnerability to Record Injection

Cited by 32 publications

References 8 publications

Don’t Forget to Lock the Back Door! A Characterization of IPv6 Network Security Policy

Don’t Forget to Lock the Back Door! A Characterization of IPv6 Network Security Policy

Fast and Accurate Identification of Active Recursive Domain Name Servers in high-speed Network

Decentralized Distribution of PCP Mappings Over Blockchain for End-to-End Secure Direct Communications

Contact Info

Product

Resources

About