More Like this

1. Query-Crafting DoS Threats Against Internet DNS

   https://doi.org/10.1109/CNS48642.2020.9162166  

   Chang, Sang-Yoon; Park, Younghee; Kengalahalli, Nikhil Vijayakumar; Zhou, Xiaobo (June 2020, IEEE Conference on Communications and Network Security (CNS))

   null (Ed.)

   Domain name system (DNS) resolves the IP addresses of domain names and is critical for IP networking. Recent denial-of-service (DoS) attacks on the Internet targeted the DNS system (e.g., Dyn), which has the cascading effect of denying the availability of the services and applications relying on the targeted DNS. In view of these attacks, we investigate the DoS on the DNS system and introduce the query-crafting threats where the attacker controls the DNS query payload (the domain name) to maximize the threat impact per query (increasing the communications between the DNS servers and the threat time duration), which is orthogonal to other DoS approaches to increase the attack impact such as flooding and DNS amplification. We model the DNS system using a state diagram and comprehensively analyze the threat space, identifying the threat vectors which include not only the random/invalid domains but also those using the domain name structure to combine valid strings and random strings. Query-crafting DoS threats generate new domain-name payloads for each query and force increased complexity in the DNS query resolution. We test the query-crafting DoS threats by taking empirical measurements on the Internet and show that they amplify the DoS impact on the DNS system (recursive resolver) by involving more communications and taking greater time duration. To defend against such DoS or DDoS threats, we identify the relevant detection features specific to query-crafting threats and evaluate the defense using our prototype in CloudLab. 

   more » « less
2. Retroactive Identification of Targeted DNS Infrastructure Hijacking

   https://doi.org/10.1145/3517745.3561425  

   Akiwate, Gautam; Sommese, Raffaele; Jonker, Mattijs; Durumeric, Zakir; Claffy, KC; Voelker, Geoffrey M.; Savage, Stefan (October 2022, Proceedings of the 22nd ACM Internet Measurement Conference)

   In 2019, the US Department of Homeland Security issued an emergency warning about DNS infrastructure tampering. This alert, in response to a series of attacks against foreign government websites, highlighted how a sophisticated attacker could leverage access to key DNS infrastructure to then hijack traffic and harvest valid login credentials for target organizations. However, even armed with this knowledge, identifying the existence of such incidents has been almost entirely via post hoc forensic reports (i.e., after a breach was found via some other method). Indeed, such attacks are particularly challenging to detect because they can be very short lived, bypass the protections of TLS and DNSSEC, and are imperceptible to users. Identifying them retroactively is even more complicated by the lack of fine-grained Internet-scale forensic data. This paper is a first attempt to make progress at this latter goal. Combining a range of longitudinal data from Internet-wide scans, passive DNS records, and Certificate Transparency logs, we have constructed a methodology for identifying potential victims of sophisticated DNS infrastructure hijacking and have used it to identify a range of victims (primarily government agencies), both those named in prior reporting, and others previously unknown. 

   more » « less
3. An Elemental Decomposition of DNS Name-to-IP Graphs

   https://doi.org/10.1109/INFOCOM52122.2024.10621147  

   Anderson, Alex; Mondal, Aadi Swadipto; Barford, Paul; Crovella, Mark; Sommers, Joel (May 2024, IEEE)

   The Domain Name System (DNS) is a critical piece of Internet infrastructure with remarkably complex properties and uses, and accordingly has been extensively studied. In this study we contribute to that body of work by organizing and analyzing records maintained within the DNS as a bipartite graph. We find that relating names and addresses in this way uncovers a surprisingly rich structure. In order to characterize that structure, we introduce a new graph decomposition for DNS name-to-IP mappings, which we term elemental decomposition. In particular, we argue that (approximately) decomposing this graph into bicliques — maximally connected components — exposes this rich structure. We utilize large-scale censuses of the DNS to investigate the characteristics of the resulting decomposition, and illustrate how the exposed structure sheds new light on a number of questions about how the DNS is used in practice and suggests several new directions for future research. 

   more » « less
4. Trufflehunter: Cache Snooping Rare Domains at Large Public DNS Resolvers

   https://doi.org/10.1145/3419394.3423640  

   Randall, Audrey; Liu, Enze; Akiwate, Gautam; Padmanabhan, Ramakrishna; Voelker, Geoffrey M.; Savage, Stefan; Schulman, Aaron (October 2020, Proceedings of the Internet Measurement Conference (IMC'20))

   null (Ed.)

   This paper presents and evaluates Trufflehunter, a DNS cache snooping tool for estimating the prevalence of rare and sensitive Internet applications. Unlike previous efforts that have focused on small, misconfigured open DNS resolvers, Trufflehunter models the complex behavior of large multi-layer distributed caching infrastructures (e.g., such as Google Public DNS). In particular, using controlled experiments, we have inferred the caching strategies of the four most popular public DNS resolvers (Google Public DNS, Cloudflare Quad1, OpenDNS and Quad9). The large footprint of such resolvers presents an opportunity to observe rare domain usage, while preserving the privacy of the users accessing them. Using a controlled testbed, we evaluate how accurately Trufflehunter can estimate domain name usage across the U.S. Applying this technique in the wild, we provide a lower-bound estimate of the popularity of several rare and sensitive applications (most notably smartphone stalkerware) which are otherwise challenging to survey. 

   more » « less
5. Differences in Monitoring the DNS Root Over IPv4 and IPv6

   https://doi.org/10.1109/BDCAT56447.2022.00036  

   Saluja, Tarang; Heidemann, John; Pradkin, Yuri (December 2022, 2022 IEEE/ACM International Conference on Big Data Computing, Applications and Technologies (BDCAT))

   The Domain Name System (DNS) is an essential service for the Internet which maps host names to IP addresses. The DNS Root Sever System operates the top of this namespace. RIPE Atlas observes DNS from more than 11k vantage points (VPs) around the world, reporting the reliability of the DNS Root Server System in DNSmon. DNSmon shows that loss rates for queries to the DNS Root are nearly 10\% for IPv6, much higher than the approximately 2\% loss seen for IPv4. Although IPv6 is ``new,'' as an operational protocol available to a third of Internet users, it ought to be just as reliable as IPv4. We examine this difference at a finer granularity by investigating loss at individual VPs. We confirm that specific VPs are the source of this difference and identify two root causes: VP \emph{islands} with routing problems at the edge which leave them unable to access IPv6 outside their LAN, and VP \emph{peninsulas} which indicate routing problems in the core of the network. These problems account for most of the loss and nearly all of the difference between IPv4 and IPv6 query loss rates. Islands account for most of the loss (half of IPv4 failures and 5/6ths of IPv6 failures), and we suggest these measurement devices should be filtered out to get a more accurate picture of loss rates. Peninsulas account for the main differences between root identifiers, suggesting routing disagreements root operators need to address. We believe that filtering out both of these known problems provides a better measure of underlying network anomalies and loss and will result in more actionable alerts. 

   more » « less