Skip to main content
Article thumbnail
Location of Repository

Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority

By David Dagon, Niels Provos, Christopher P. Lee and Wenke Lee

Abstract

We study and document an important development in how attackers are using Internet resources: the creation of malicious DNS resolution paths. In this growing form of attack, victims are forced to use rogue DNS servers for all resolution. To document the rise of this “second secret authority” on the Internet, we studied instances of aberrant DNS resolution on a university campus. We found dozens of viruses that corrupt resolution paths, and noted that hundreds of URLs discovered per week performed drive-by alterations of host DNS settings. We used the rogue servers discovered in this analysis to document numerous live incidents on the university network. To measure this problem on the larger Internet, we generated DNS requests to most of IPv4, using a unique label query for each request. We found 17 million hosts responding, and further tracked the resolution path they used to reach our NS. Unable to find plausible harmless explanations for such a large number of open recursive hosts, we queried 600,000 of these open resolvers for “phishable ” domains, such as banks and anti-virus companies. We found that 2.4 % of this subsample would reply with incorrect answers, which extrapolates to 291,528 hosts on the Internet performing either incorrect or malicious DNS service. With DNS resolution behavior so trivially changed, numerous malware instances in the wild, and so many other hosts providing incorrect and misleading answers, we urge the security community to consider the corruption of the resolution path as an important problem.

Year: 2009
OAI identifier: oai:CiteSeerX.psu:10.1.1.135.7959
Provided by: CiteSeerX
Download PDF:
Sorry, we are unable to provide the full text but you may find it at the following location(s):
  • http://citeseerx.ist.psu.edu/v... (external link)
  • http://www.isoc.org/isoc/confe... (external link)
  • Suggested articles


    To submit an update or takedown request for this paper, please submit an Update/Correction/Removal Request.