Security of Alerting Authorities in the WWW: Measuring Namespaces, DNSSEC, and Web PKI

Tehrani, Pouyan Fotouhi; Osterweil, Eric; Schiller, Jochen; Schmidt, Thomas C.; Wählisch, Matthias

doi:10.1145/3442381.3450033

Cited by 6 publications

(3 citation statements)

References 53 publications

(54 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…DNSSEC is a DNS extension that enables verification of DNS content but at the same time significantly increases the potential for amplification due to larger response sizes [6,61]. Consequently, benign .gov names, which are subject to a DNSSEC mandate [58], started being misused in amplification attacks [59].…”

Section: Background and Related Workmentioning

confidence: 99%

The far side of DNS amplification

Nawrocki

Jonker

Schmidt

et al. 2021

Proceedings of the 21st ACM Internet Measurement Conference

Self Cite

View full text Add to dashboard Cite

In this paper, we shed new light on the DNS amplification ecosystem, by studying complementary data sources, bolstered by orthogonal methodologies. First, we introduce a passive attack detection method for the Internet core, i.e., at Internet eXchange Points (IXPs). Surprisingly, IXPs and honeypots observe mostly disjoint sets of attacks: 96% of IXP-inferred attacks were invisible to a sizable honeypot platform. Second, we assess the effectiveness of observed DNS attacks by studying IXP traces jointly with diverse data from independent measurement infrastructures. We find that attackers efficiently detect new reflectors and purposefully rotate between them. At the same time, we reveal that attackers are a small step away from bringing about significantly higher amplification factors (14×). Third, we identify and fingerprint a major attack entity by studying patterns in attack traces. We show that this entity dominates the DNS amplification ecosystem by carrying out 59% of the attacks, and provide an in-depth analysis of its behavior over time. Finally, our results reveal that operators of various .gov names do not adhere to DNSSEC key rollover best practices, which exacerbates amplification potential. We can verifiably connect this operational behavior to misuses and attacker decision-making. CCS CONCEPTS• Security and privacy → Denial-of-service attacks; • Networks → Naming and addressing; Public Internet.

show abstract

Section: Background and Related Workmentioning

confidence: 99%

The far side of DNS amplification

Nawrocki

Jonker

Schmidt

et al. 2021

Proceedings of the 21st ACM Internet Measurement Conference

Self Cite

View full text Add to dashboard Cite

show abstract

“…DNSSEC is a security authentication mechanism recommended by Internet Engineering Task Force 32 . However, Fotouhi Tehrani et al 10 found that less than 4% of unique alerting authority (AA) domain names is secured by DNSSEC due to the lack of security awareness and the complexity of deployment. Müller et al 16 analyzed the DNSSEC key management.…”

Section: Related Workmentioning

confidence: 99%

“…Therefore, client‐side caching requirements continue to rise. Meanwhile, the client‐side cache insulates users from transient DNS server downtime 9 and reduces network traffic load 10 …”

Section: Introductionmentioning

confidence: 99%

An intelligent proactive defense against the client‐side DNS cache poisoning attack via self‐checking deep reinforcement learning

Yang

et al. 2022

Int J of Intelligent Sys

View full text Add to dashboard Cite

A new class of poisoning attacks has recently emerged targeting the client-side Domain Name System (DNS) cache. It allows users to visit fake websites unconsciously, thereby revealing their information, such as passwords. However, the current DNS defense architecture does not include DNS clients. Although relative encryption solutions can mitigate this attack, they require the cooperation of multiple parties, and the deployment speed is slow. Therefore, we propose an intelligent-driven proactive defense strategy. First, we model the offensive and defensive process as a stochastic game based on moving target defense. Second, we adopt and optimize Proximal PolicyOptimization (PPO), a deep reinforcement learning method, to solve problems caused by uncertain attack strategies and unknown state transition probability. Third, we design a self-checking component in PPO to solve the uncertainty of action space caused by game state constraints based on our previous work. Thus the convergence speed and stability of PPO are improved. Finally, to the best of our knowledge, we are the first to game with intelligent attackers besides three conventional ones. Our strategy does not require any

show abstract