
    Improving the Stealthiness of DNS-Based Covert Communication

    At present, the recommended stance regarding cyber security is to assume a state of compromise. With the growth of Bring Your Own Device (BYOD), the Internet of Things (IoT) and Advanced Persistent Threats (APTs), network boundaries have become porous and difficult to defend from external threats. Modern malware is complex and adept at making its presence hard to detect. Recent studies have shown that some malware variants are capable of using multiple covert communication channels for command and control (C2) and data exfiltration. Examples of this level of covert communication can be found in malware that targets Point of Sale (POS) systems, which has been hugely successful in exfiltrating large amounts of valuable payment information for sale on the black market. In the vast majority of cases, malware needs to communicate with some control mechanism or human controller in order to coordinate attacks, maintain lists of compromised machines and exfiltrate data. There are many channels that malware can use for this communication; however, in recent times there has been an increase in malware that uses the Domain Name System (DNS) for communication in some shape or form. The work carried out in this paper explores the extent to which DNS can be used as a covert communication channel by examining a number of advanced approaches that increase the stealth of DNS-based covert channels. We describe techniques that shadow legitimate network traffic by observing the packets leaving a host machine (piggybacking), the use of statistical modelling such as the Poisson distribution, and a dynamic Poisson distribution model that further conceals malicious DNS activity within a network's normal query pattern.
    The results show that the DNS-based C2 and data exfiltration approaches currently employed by malware have considerable room for improvement, which suggests that DNS-based covert communication will remain a realistic threat into the future.
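    The abstract above names three timing strategies (fixed-interval beaconing, Poisson-distributed queries, and piggybacking on observed legitimate queries) without spelling out why the statistical ones are stealthier. The following is an added example, not code from the paper: it models each strategy as a list of outbound DNS query timestamps and runs the simplest timing detector a blue team would reach for, the coefficient of variation (CV) of inter-arrival gaps. A fixed-interval beacon has CV near 0 and is flagged; Poisson and piggybacked streams have CV near 1 and pass. The "dynamic Poisson" model here (rate tracks the host's own legitimate DNS rate over a sliding window) and the legitimate-traffic sample are assumptions constructed for illustration, not the paper's algorithm or data.

```python
"""Added example (not from the paper): timing models for DNS covert channels
and the inter-arrival-time check a defender could run against them.

Assumptions, all hypothetical: a 'beacon' is a list of outbound DNS query
timestamps in seconds; the dynamic Poisson variant re-estimates its rate from
the host's own legitimate DNS traffic; the detector is a coefficient-of-
variation test on inter-arrival gaps.
"""
import bisect
import random
import statistics


def periodic_beacon(count, interval):
    """Naive C2 beacon: one DNS query every `interval` seconds."""
    return [i * interval for i in range(count)]


def poisson_beacon(count, rate, rng):
    """Poisson-process beacon at `rate` queries/s: gaps are exponential."""
    t, times = 0.0, []
    for _ in range(count):
        t += rng.expovariate(rate)
        times.append(t)
    return times


def dynamic_poisson_beacon(count, legit_times, rng, fraction=0.2, window=60.0):
    """Poisson beacon whose rate follows the legitimate DNS rate seen on the
    host over the last `window` seconds, scaled down by `fraction` (assumed
    model of a dynamic Poisson channel, not the paper's algorithm)."""
    legit = sorted(legit_times)
    t, times = 0.0, []
    for _ in range(count):
        lo = bisect.bisect_right(legit, t - window)
        hi = bisect.bisect_right(legit, t)
        legit_rate = (hi - lo) / window
        rate = max(fraction * legit_rate, 1.0 / window)  # floor so we never stall
        t += rng.expovariate(rate)
        times.append(t)
    return times


def piggyback_beacon(legit_times, count, rng, max_delay=0.2):
    """Piggybacking: fire each covert query shortly after an observed
    legitimate query, so the covert stream inherits legitimate timing."""
    return [t + rng.uniform(0.01, max_delay) for t in sorted(legit_times)[:count]]


def constructed_legit_traffic(rng):
    """Constructed sample of a host's legitimate DNS timestamps: busy for the
    first 600 s (0.5 q/s), then quiet (0.05 q/s) until 1800 s."""
    times, t = [], 0.0
    while t < 1800.0:
        rate = 0.5 if t < 600.0 else 0.05
        t += rng.expovariate(rate)
        if t < 1800.0:
            times.append(t)
    return times


def inter_arrival_cv(times):
    """Coefficient of variation (stdev/mean) of inter-arrival gaps:
    ~0 for a fixed-interval beacon, ~1 for a Poisson process."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return float("nan")
    mean = statistics.fmean(gaps)
    return statistics.pstdev(gaps) / mean if mean > 0 else 0.0


def looks_like_beacon(times, cv_threshold=0.2):
    """Flag a query stream whose gaps are suspiciously regular."""
    return inter_arrival_cv(times) < cv_threshold


def demo_cvs(seed=7):
    """CV of each timing strategy on the constructed traffic (seeded)."""
    rng = random.Random(seed)
    legit = constructed_legit_traffic(rng)
    return {
        "periodic": inter_arrival_cv(periodic_beacon(200, 30.0)),
        "poisson": inter_arrival_cv(poisson_beacon(500, 1 / 30, rng)),
        "dynamic": inter_arrival_cv(dynamic_poisson_beacon(100, legit, rng)),
        "piggyback": inter_arrival_cv(piggyback_beacon(legit, 200, rng)),
    }


if __name__ == "__main__":
    for name, cv in demo_cvs().items():
        print(f"{name:10s} CV={cv:.2f} flagged={cv < 0.2}")
```

    The CV test is deliberately weak; it is the kind of check that catches the naive beacon and nothing else, which is exactly the gap the paper says current malware leaves unexploited. A detector that wants to catch the Poisson variants has to look at something other than gap regularity, such as query volume relative to the host's baseline, label entropy or record-type mix.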

    Large-scale internet user behavior analysis of a nationwide K-12 education network based on DNS queries

    Funding: ANII Fondo Sectorial de Investigación a partir de datos (FSDA_1_2018_1_154853)
    To the best of our knowledge, this paper presents the first study of Internet Domain Name System (DNS) query data from a national K-12 Education Service Provider. This provider, called Plan Ceibal, supports a one-to-one computing program in Uruguay. It has also deployed an Information and Communications Technology (ICT) infrastructure in all of Uruguay's public schools and high schools, as well as in many public spaces. The main development is wireless connectivity, which allows all students (aged between 6 and 18) to connect to different resources, including Internet access. In this article, we use 9,125,888,714 DNS-query records, collected from March to May 2019, to study the Internet behavior of Plan Ceibal users by applying unsupervised machine learning techniques. First, we conducted a statistical analysis to depict the distribution of the data. Then, to understand users' Internet behavior, we performed principal component analysis (PCA) and clustering. The results show that Internet use behavior is influenced by age group and time of day, but is independent of the users' geographical location. Internet use behavior analysis is of paramount importance for evidence-based decision making by any education network provider, not only from the network-operator perspective but also as crucial input for learning analytics.

    Back-Office Web Traffic on The Internet

    Although traffic between Web servers and Web browsers is readily apparent to many knowledgeable end users, fewer are aware of the extent of server-to-server Web traffic carried over the public Internet. We refer to the former class of traffic as front-office Internet Web traffic and the latter as back-office Internet Web traffic (or just front-office and back-office traffic, for short). Back-office traffic, which may or may not be triggered by end-user activity, is essential for today's Web as it supports a number of popular but complex Web services including large-scale content delivery, social networking, indexing, searching, advertising, and proxy services. This paper takes a first look at back-office traffic, measuring it from various vantage points, including from within ISPs, IXPs, and CDNs. We describe techniques for identifying back-office traffic based on the roles that this traffic plays in the Web ecosystem. Our measurements show that back-office traffic accounts for a significant fraction not only of core Internet traffic, but also of Web transactions in terms of requests and responses. Finally, we discuss the implications and opportunities that the presence of back-office traffic presents for the evolution of the Internet ecosystem.

    On The Impact of Internet Naming Evolution: Deployment, Performance, and Security Implications

    As one of the most critical components of the Internet, the Domain Name System (DNS) provides naming services for Internet users, who rely on DNS to translate domain names into network entities before establishing an Internet connection. In this dissertation, we present our studies on different aspects of the naming infrastructure in today's Internet, including DNS itself and network services built on it such as Content Delivery Networks (CDNs). We first characterize the evolution and features of DNS resolution for web services under the emergence of third-party hosting services and cloud platforms. At the bottom level of the DNS hierarchy, the authoritative DNS servers (ADNSes) maintain the actual mapping records and answer DNS queries. The increasing use of upstream ADNS services (i.e., third-party ADNS-hosting services) and Infrastructure-as-a-Service (IaaS) clouds facilitates the deployment of web services and has been fostering the evolution of ADNS server deployment. To shed light on this trend, we conduct a large-scale measurement to investigate the ADNS deployment patterns of modern web services and examine the characteristics of different deployment styles, such as performance, server life-cycle, and availability. Furthermore, we specifically focus on DNS deployment for subdomains hosted in IaaS clouds. Then, we examine a pervasive misuse of DNS names and explore a straightforward solution to mitigate its performance penalty on the DNS cache. The DNS cache plays a critical role in domain name resolution, providing (1) high scalability at Root and Top-level-domain nameservers through reduced workloads and (2) low response latency to clients when the resource records of the queried domains are cached.
    However, pervasive misuse of domain names, e.g., domain names of a "one-time-use" pattern, has a negative impact on the effectiveness of DNS caching, as the cache is filled with entries that are highly unlikely to be retrieved again. By leveraging features that are explicitly available from a domain name itself, we propose simple policies for improving DNS cache performance and validate their efficacy using real traces. Finally, we investigate the security implications of a fundamental vulnerability in DNS-based CDNs. The success of CDNs relies on a mapping system that uses dynamically generated DNS records to direct a client's request to a proximal server for optimal content delivery. However, the mapping system is vulnerable to malicious hijacks, as it is very difficult to provide pre-computed DNSSEC signatures for dynamically generated records in CDNs. We illustrate that an adversary can deliberately tamper with resolvers to hijack a CDN's redirection by injecting crafted but legitimate mappings between end users and edge servers, while remaining undetectable by existing security practices; this can nullify the benefits offered by CDNs, such as proximal access, load balancing, and DoS protection. We further demonstrate that DNSSEC is ineffective at addressing this problem, even with the newly adopted ECDSA, which is capable of live signing for dynamically generated DNS records. We then discuss countermeasures against this redirection hijacking.
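    The dissertation summary above says that "one-time-use" names pollute the resolver cache and that name-derived features can drive a cache policy, but gives no detail on either. The following is an added example, not code from the dissertation: a fixed-capacity LRU cache with a pluggable admission policy, run over a constructed query trace that mixes a small popular set with many throwaway names. The classifier used here (long, high-entropy leftmost label containing digits) is an assumed stand-in for whatever features the dissertation actually uses; the trace, the capacity and the placeholder answers are likewise constructed. What the example shows is the mechanism: refusing admission to names that will never be asked again keeps the popular entries resident and raises the hit rate at equal capacity.

```python
"""Added example (not code from the dissertation): a DNS cache admission
policy driven by features visible in the query name itself.

Assumptions, all hypothetical: 'one-time-use' names are modelled as names
whose leftmost label is long, high-entropy and contains digits; the cache is
a fixed-capacity LRU with TTL ignored; the trace and answers are constructed.
"""
import math
import random
from collections import Counter, OrderedDict


def shannon_entropy(label):
    """Shannon entropy of `label` in bits per character."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def is_one_time_name(qname, min_len=12, min_entropy=3.0):
    """Assumed heuristic (not the dissertation's policy): a long, high-entropy
    leftmost label that mixes in digits looks machine-generated and is
    unlikely to be queried a second time."""
    left = qname.rstrip(".").split(".")[0].lower()
    return (len(left) >= min_len
            and shannon_entropy(left) >= min_entropy
            and any(ch.isdigit() for ch in left))


class LRUCache:
    """Toy resolver cache: LRU eviction, admission decided by `admit`."""

    def __init__(self, capacity, admit):
        self.capacity = capacity
        self.admit = admit          # qname -> bool
        self.store = OrderedDict()  # qname -> answer (TTL ignored here)

    def lookup(self, qname, resolve):
        """Return (answer, hit). On a miss, resolve and cache only if admitted."""
        if qname in self.store:
            self.store.move_to_end(qname)
            return self.store[qname], True
        answer = resolve(qname)
        if self.admit(qname):
            self.store[qname] = answer
            if len(self.store) > self.capacity:
                self.store.popitem(last=False)  # evict least recently used
        return answer, False


def constructed_trace(rng, steps=2000, popular=20, p_popular=0.3):
    """Constructed query trace: a small popular set of names plus many unique
    throwaway names of the kind trackers or malware generate."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    trace = []
    for _ in range(steps):
        if rng.random() < p_popular:
            trace.append(f"site{rng.randrange(popular)}.example.com")
        else:
            label = "".join(rng.choice(alphabet) for _ in range(16))
            trace.append(f"{label}.tracker.example.net")
    return trace


def hit_rate(trace, capacity, admit):
    """Fraction of queries served from cache under the given admission policy."""
    cache = LRUCache(capacity, admit)
    hits = 0
    for qname in trace:
        _, hit = cache.lookup(qname, lambda _name: "192.0.2.1")  # placeholder answer
        hits += hit
    return hits / len(trace)


def compare_policies(seed=7, capacity=50):
    """Hit rate with and without the one-time-name admission filter."""
    trace = constructed_trace(random.Random(seed))
    return {
        "cache_everything": hit_rate(trace, capacity, lambda q: True),
        "skip_one_time": hit_rate(trace, capacity, lambda q: not is_one_time_name(q)),
    }


if __name__ == "__main__":
    print(is_one_time_name("www.example.com"),
          is_one_time_name("a8f3k2j9d0x1q7z4.example.com"))
    for policy, rate in compare_policies().items():
        print(f"{policy:17s} hit rate {rate:.2f}")
```

    Admission filtering is the cheap end of the design space; a production resolver would more likely cap the TTL of suspected throwaway names or give them a separate, small LRU partition so that a false positive costs one extra lookup rather than permanent exclusion. The entropy threshold in particular needs tuning against real traces, since legitimate CDN and cloud hostnames also carry long, hash-like labels.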