NXNSAttack: Recursive DNS Inefficiencies and Vulnerabilities

This paper exposes a new vulnerability and introduces a corresponding attack, the NoneXistent Name Server Attack (NXNSAttack), that disrupts and may paralyze the DNS system, making it difficult or impossible for Internet users to access websites, web e-mail, online video chats, or any other online resource. The NXNSAttack generates a storm of packets between DNS resolvers and DNS authoritative name servers. The storm is produced by the response of resolvers to unrestricted referral response messages of authoritative name servers. The attack is significantly more destructive than NXDomain attacks (e.g., the Mirai attack): i) It reaches an amplification factor of more than 1620x on the number of packets exchanged by the recursive resolver. ii) In addition to the negative cache, the attack also saturates the 'NS' section of the resolver caches. To mitigate the attack impact, we propose an enhancement to the recursive resolver algorithm, MaxFetch(k), that prevents unnecessary proactive fetches. We implemented the MaxFetch(1) mitigation enhancement on a BIND resolver and tested it on real-world DNS query datasets. Our results show that MaxFetch(1) degrades neither the recursive resolver throughput nor its latency. Following the discovery of the attack, a responsible disclosure procedure was carried out, and several DNS vendors and public providers have issued a CVE and patched their systems

The Closed Resolver Project: Measuring the Deployment of Source Address Validation of Inbound Traffic

Source Address Validation (SAV) is a standard aimed at discarding packets with spoofed source IP addresses. The absence of SAV for outgoing traffic has been known as a root cause of Distributed Denial-of-Service (DDoS) attacks and received widespread attention. While less obvious, the absence of inbound filtering enables an attacker to appear as an internal host of a network and may reveal valuable information about the network infrastructure. Inbound IP spoofing may amplify other attack vectors such as DNS cache poisoning or the recently discovered NXNSAttack. In this paper, we present the preliminary results of the Closed Resolver Project that aims at mitigating the problem of inbound IP spoofing. We perform the first Internet-wide active measurement study to enumerate networks that filter or do not filter incoming packets by their source address, for both the IPv4 and IPv6 address spaces. To achieve this, we identify closed and open DNS resolvers that accept spoofed requests coming from the outside of their network. The proposed method provides the most complete picture of inbound SAV deployment by network providers. Our measurements cover over 55 % IPv4 and 27 % IPv6 Autonomous Systems (AS) and reveal that the great majority of them are fully or partially vulnerable to inbound spoofing. By identifying dual-stacked DNS resolvers, we additionally show that inbound filtering is less often deployed for IPv6 than it is for IPv4. Overall, we discover 13.9 K IPv6 open resolvers that can be exploited for amplification DDoS attacks - 13 times more than previous work. Furthermore, we enumerate uncover 4.25 M IPv4 and 103 K IPv6 vulnerable closed resolvers that could only be detected thanks to our spoofing technique, and that pose a significant threat when combined with the NXNSAttack.Comment: arXiv admin note: substantial text overlap with arXiv:2002.0044

Monitoring security of enterprise hosts via DNS data analysis

Enterprise Networks are growing in scale and complexity, with heterogeneous connected assets needing to be secured in different ways. Nevertheless, virtually all connected assets use the Domain Name System (DNS) for address resolution. Thus DNS has become a convenient vehicle for attackers to covertly perform Command and Control (C&C) communication, data theft, and service disruption across a wide range of assets. Enterprise security appliances that monitor network traffic typically allow all DNS traffic through as it is vital for accessing any web service; they may at best match against a database of known malicious patterns, and are therefore ineffective against zero-day attacks. This thesis focuses on three high-impact cyber-attacks that leverage DNS, specifically data exfiltration, malware C&C communication, and service disruption. Using big data (over 10B packets) of DNS network traffic collected from a University campus and a Government research organization over six months, we illustrate the anatomy of these attacks, train machines for automatically detecting such attacks, and evaluate their efficacy in the field. The contributions of this thesis are three-fold: Our first contribution tackles data exfiltration using DNS. We analyze outgoing DNS queries to identify many stateless attributes such as the number of characters, the number of labels, and the entropy of the domain name to distinguish malicious data exfiltration queries from legitimate ones. We train our machines using ground-truth obtained from a public list of top 10K legitimate domains and empirically validate and tune our models to achieve over 98% accuracy in correctly distinguish legitimate DNS queries from malicious ones, the latter coming from known malware domains as well as synthetically generated using popular DNS exfiltration tools. Our second contribution tackles malware C&C communication using DNS. We analyze DNS outgoing queries to identify more than twenty families of DGA (Domain Generation Algorithm)-enabled malware when communicating with their C&C servers. We identify attributes of network traffic that commences following the resolution of a DGA-based DNS query. We train three protocol-specific one-class classifier models, for HTTP, HTTPS and UDP flows, using public packet traces of known malware. We develop a monitoring system that uses reactive rules to automatically and selectively mirror TCP/UDP flows (between internal hosts and malware servers) pertinent to DGA queries for diagnosis by the trained models. We deploy our system in the field and evaluate its performance to show that it flags more than 2000 internal assets as potentially infected, generating more than a million suspicious flows, of which more than 97% are verified to be malicious by an off-the-shelf intrusion detection system. Our third contribution studies the use of DNS for service disruption. We analyze incoming DNS messages, with a specific focus on non-existent (NXD) DNS responses, to distinguish benign from malicious NXDs. We highlight two attack scenarios based on their requested domain names. Using NXD behavioral attributes of internal hosts, we develop multi-staged iForest classification models to detect internal hosts launching service disruption attacks. We show how our models can detect infected hosts that generate high-volume and low-volume distributed NXD-based attacks on public resolvers and/or authoritative name servers with an accuracy of over 99% in correctly classifying legitimate hosts. Our work shines a light on a critical vector in enterprise security and equips the enterprise network operator with the means to detect and block sophisticated attackers who use DNS as a vehicle for malware C&C communication, data exfiltration, and service disruption