K-resolver: Towards Decentralizing Encrypted DNS Resolution
Centralized DNS over HTTPS/TLS (DoH/DoT) resolution, which has started being
deployed by major hosting providers and web browsers, has sparked controversy
among Internet activists and privacy advocates due to several privacy concerns.
This design decision causes the trace of all DNS resolutions to be exposed to a
third-party resolver, different than the one specified by the user's access
network. In this work we propose K-resolver, a DNS resolution mechanism that
disperses DNS queries across multiple DoH resolvers, reducing the amount of
information about a user's browsing activity exposed to each individual
resolver. As a result, none of the resolvers can learn a user's entire web
browsing history. We have implemented a prototype of our approach for Mozilla
Firefox, and used it to evaluate the performance of web page load time compared
to the default centralized DoH approach. While our K-resolver mechanism has
some effect on DNS resolution time and web page load time, we show that this is
mainly due to the geographical location of the selected DoH servers. When more
well-provisioned anycast servers are available, our approach incurs negligible
overhead while improving user privacy.
Comment: NDSS Workshop on Measurements, Attacks, and Defenses for the Web (MADWeb) 202
On Performance Impact of DoH and DoT in Africa: Why a User’s DNS choice matters
Internet security and Quality of Experience (QoE) are two antagonistic concepts that the research community has been attempting to reconcile. Internet security has of late received attention due to users' online privacy and security concerns. One example is the introduction of encrypted Domain Name System (DNS) protocols. These protocols, combined with suboptimal routing paths and offshore hosting, have the potential to negatively impact the quality of web browsing experience for users in Africa. This is particularly the case in edge access networks that are far away from essential infrastructures such as DNS and content servers. In this paper, we analyse the QoE impact of using open public DoH and DoT resolvers when resolving websites that are hosted in Africa versus those hosted offshore. The study further compares the performance of DoT and DoH under different network conditions (mobile, community network, Eduroam and Campus wired network). Our results show that high latency and circuitous DNS resolution paths amplify the performance impact of secure DNS protocols on DNS resolution time and page load time. The study further shows that users' DNS resolver preferences hugely determine the level of QoE. This study proposes wider adoption of Transport Layer Security version 1.3 (TLSv1.3) to leverage its latency-reduction features such as false start and Zero or One Round Trip Time (0/1-RTT). The study further proposes the localisation of content and secure DNS infrastructure. This, coupled with peering and cache sharing recommended by other works, will further minimise the impact of secure DNS protocols on Quality of Experience
DNS over HTTPS (DoH)
DNS over HTTPS (DoH) is a new form of DNS encryption in which DNS requests are no longer sent in plaintext but over port 443, the port reserved for HTTPS. The focus of this paper is on determining whether fingerprinting can decrypt DoH queries, because DoH is built to keep DNS queries confidential and secure, meaning they are not left in plaintext. If fingerprinting methods could decrypt DoH queries, the whole premise would be invalid, since an adversary could use fingerprinting to extract the DoH query data and make it just as weak as plaintext DNS queries are today. Fingerprinting methods such as JA3 and JA3S allow these techniques to be tested. Determining whether there are clear signs that differentiate web pages hosted on the same server is essential: under DoH, there should be enough obfuscation that differentiating web pages is not possible, which protects the confidentiality of the specific web page a client is trying to reach. We use the JA3 and JA3S fingerprinting methods because all DoH requests require a TLS handshake, and even under the new TLS 1.3 standard the initial handshake is in plaintext, meaning the initial handshake is readable while the exchanges that follow it are not. The analysis will determine whether specific content and web pages are readable, rather than just the generic server information disclosed during the initial handshake. The study will examine how easy or difficult it is to identify each set of requests and compare it with other requests that are made. The results from JA3 and JA3S will help determine whether minimal fingerprinting methods can identify and differentiate between web pages hosted on the same server. From the analysis, although the connected server's information is public, there is no definite way to identify precisely which web page on the server a client is visiting using the MD5 hash. Since DoH only connects the web browser to the server, no specific information regarding the web page and its contents is available to view.
Undergraduat
PowerQoPE: A Personal Quality of Internet Protection and Experience Configurator
Security configuration remains obscure for many Internet users, especially those with limited computing skills. This obscurity exposes such users to various Internet attacks.
Recently, there has been an increase in cyberattacks targeted at individuals due to the remote workforce imposed by the COVID-19 pandemic. These attacks have exposed the inefficiencies of the non-human-centric implementation of Internet security mechanisms and protocols. Security research usually positions users as the weakest link in the security ecosystem, leading system and protocol developers to exclude users from the development process. This stereotypical approach has negatively affected users’ security uptake. Most security systems are not comprehensible to an average user, which negatively affects performance and Quality of Experience and causes users to shun security mechanisms. Building on human-centric cybersecurity research, we present a tool that aids in configuring Internet Quality of Protection and Experience (referred to as PowerQoPE in this paper). We describe its architecture and design methodology and finally present evaluation results. Preliminary evaluation results show that user-centric and data-driven approaches in the design of Internet security systems improve users’ Quality of Experience. The controlled experiment results show that users are not really stupid; they know what they want and that given proper security configuration platforms with proper framing of components and information, they can make optimal security decisions
Attacking DoH and ECH: Does Server Name Encryption Protect Users’ Privacy?
Privacy on the Internet has become a priority, and several efforts have been devoted to limit the leakage of personal information. Domain names, both in the TLS Client Hello and DNS traffic, are among the last pieces of information still visible to an observer in the network. The Encrypted Client Hello extension for TLS, DNS over HTTPS or over QUIC protocols aim to further increase network confidentiality by encrypting the domain names of the visited servers. In this article, we check whether an attacker able to passively observe the traffic of users could still recover the domain name of websites they visit even if names are encrypted. By relying on large-scale network traces, we show that simplistic features and off-the-shelf machine learning models are sufficient to achieve surprisingly high precision and recall when recovering encrypted domain names. We consider three attack scenarios, i.e., recovering the per-flow name, rebuilding the set of visited websites by a user, and checking which users visit a given target website. We next evaluate the efficacy of padding-based mitigation, finding that all three attacks are still effective, despite resources wasted with padding. We conclude that current proposals for domain encryption may produce a false sense of privacy, and more robust techniques should be envisioned to offer protection to end users
TorSH: Obfuscating consumer Internet-of-Things traffic with a collaborative smart-home router network
When consumers install Internet-connected smart devices in their homes, metadata arising from the communications between these devices and their cloud-based service providers enables adversaries privy to this traffic to profile users, even when adequate encryption is used. Internet service providers (ISPs) are one potential adversary privy to users’ incoming and outgoing Internet traffic and either currently use this insight to assemble and sell consumer advertising profiles or may in the future do so. With existing defenses against such profiling falling short of meeting user preferences and abilities, there is a need for a novel solution that empowers consumers to defend themselves against profiling by ISP-like actors and that is more in tune with their wishes. In this thesis, we present The Onion Router for Smart Homes (TorSH), a network of smart-home routers working collaboratively to defend smart-device traffic from analysis by ISP-like adversaries. We demonstrate that TorSH succeeds in deterring such profiling while preserving smart-device experiences and without encumbering latency-sensitive, non-smart-device experiences like web browsing
Detection of illicit activities of bot software through DNS
DNS is a critical component of the Internet on which almost all Internet applications and organizations rely. Its shutdown can deprive them of being part of the Internet, and hence DNS is usually the only protocol allowed when Internet access is firewalled. The constant exposure of this protocol to external entities forces corporations to be constantly watchful for external rogue software that may misuse DNS to establish covert channels and perform multiple illicit activities, such as command and control and data exfiltration.
Most current solutions for bot malware and botnet detection are based on Deep Packet Inspection techniques, such as analyzing DNS query payloads, which may reveal private and sensitive information. In addition, the majority of existing solutions do not consider the use of licit and encrypted DNS traffic, where Deep Packet Inspection techniques cannot be used.
This dissertation proposes mechanisms to detect malware bots and botnet behaviors
on DNS traffic that are robust to encrypted DNS traffic and that ensure the
privacy of the involved entities by analyzing instead the behavioral patterns of DNS
communications using descriptive statistics over collected network metrics such as
packet rates, packet lengths, and silence and activity periods. After characterizing
DNS traffic behaviors, a study of the processed data is conducted, followed by the
training of Novelty Detection algorithms with the processed data.
Models are trained with licit data gathered from multiple licit activities, such as
reading the news, studying, and using social networks, in multiple operating systems,
browsers, and configurations. The models are then tested with similar data that also contains bot malware traffic. Our tests show that our best-performing models achieve detection rates in the order of 99%, and 92% for malware bots using low throughput rates.
This work ends with some ideas for a more realistic generation of bot malware
traffic, as the current DNS Tunneling tools are limited when mimicking licit DNS
usages, and for a better detection of malware bots that use low throughput rates.

DNS is a critical component of the Internet, since almost all applications and organisations that use it depend on it to function. Being deprived of it can cut them off from the Internet, and for that reason DNS is usually the only protocol allowed when Internet access is restricted. The constant exposure of this protocol to external entities forces corporations to stay alert to illicit external software that may misuse DNS to establish covert channels and carry out various illicit activities, such as command and control and data exfiltration.
Most current solutions for detecting malware bots and botnets are based on deep packet inspection techniques, such as analysing the payloads of DNS requests, which may reveal private and sensitive information. Furthermore, most existing solutions do not consider the licit and encrypted use of DNS traffic, where techniques such as deep packet inspection cannot be used.
This dissertation proposes mechanisms to detect the behaviour of malware bots and botnets that use DNS, which are robust to encrypted DNS traffic and which guarantee the privacy of the entities involved by analysing instead the behavioural patterns of DNS communications, using descriptive statistics over metrics collected on the network, such as packet rates, packet sizes, and activity and silence periods. After characterising DNS traffic behaviours, a study of the processed data is carried out, and the data are then used to train the Novelty Detection models.
The models are trained with licit data collected from multiple licit activities, such as reading the news, studying and using social networks, on multiple operating systems and with multiple configurations. The models are then tested with similar licit data, but also containing malware bot traffic. Our tests show that with Novelty Detection models it is possible to obtain detection rates in the order of 99%, and of 98% for malware bots that generate little traffic.
This work concludes with some ideas for a more realistic generation of illicit traffic, since current DNS tunnelling tools are limited when used to imitate licit DNS use, and for better detection of situations in which malware bots generate little traffic.
Mestrado em Engenharia de Computadores e Telemátic
Security and Privacy in Network Terminology
Security and Privacy are now at the forefront of modern concerns, and drive
a significant part of the debate on digital society. One particular aspect that
holds significant bearing in these two topics is the naming of resources in the
network, because it directly impacts how networks work, but also affects how
security mechanisms are implemented and what are the privacy implications
of metadata disclosure. This issue is further exacerbated by interoperability
mechanisms that imply this information is increasingly available regardless of
the intended scope.
This work focuses on the implications of naming with regard to security and privacy in the namespaces used by network protocols, in particular on the implementation of solutions that provide additional security through naming policies or that increase privacy. To achieve this, different techniques are used either to embed security information in existing namespaces or to minimise privacy exposure. The former allows bootstrapping secure transport protocols on top of insecure discovery protocols, while the latter introduces privacy policies as part of name assignment and resolution.
The main vehicle for implementing these solutions is general-purpose protocols and services; however, there is a strong parallel with ongoing research topics that leverage name resolution systems for interoperability, such as the Internet of Things (IoT) and Information Centric Networks (ICN), where these approaches are also applicable.

Security and Privacy are two topics that set the agenda in the discussion on the digital society. A particularly subtle aspect of this discussion is how we assign names to resources on the network, a choice with practical consequences for the operation of the various network protocols, for how different security mechanisms are implemented, and for the privacy of the various parties involved. This problem becomes even more significant when one considers that, in order to promote interoperability between different networks, autonomous mechanisms make this information accessible in contexts beyond what was intended.
This thesis focuses on the consequences of different naming policies in the context of different network protocols, for the purposes of security and privacy. Based on the study of this problem, solutions are proposed that, through different naming policies, make it possible to introduce additional security mechanisms or to mitigate privacy problems in different protocols. This results in the implementation of security mechanisms on top of insecure discovery protocols, as well as in the introduction of name assignment and resolution mechanisms focused on privacy protection.
The main vehicle for implementing these solutions is general-purpose network services and protocols. However, the applicability of these solutions also extends to other research topics that rely on name resolution mechanisms to implement interoperability solutions, namely the Internet of Things (IoT) and Information-Centric Networks (ICN).
Programa Doutoral em Informátic