NXNSAttack: Recursive DNS Inefficiencies and Vulnerabilities
This paper exposes a new vulnerability and introduces a corresponding attack, the NoneXistent Name Server Attack (NXNSAttack), that disrupts and may paralyze the DNS system, making it difficult or impossible for Internet users to access websites, web e-mail, online video chats, or any other online resource. The NXNSAttack generates a storm of packets between DNS resolvers and DNS authoritative name servers. The storm is produced by the response of resolvers to unrestricted referral response messages of authoritative name servers. The attack is significantly more destructive than NXDomain attacks (e.g., the Mirai attack): i) It reaches an amplification factor of more than 1620x on the number of packets exchanged by the recursive resolver. ii) In addition to the negative cache, the attack also saturates the 'NS' section of the resolver caches. To mitigate the attack impact, we propose an enhancement to the recursive resolver algorithm, MaxFetch(k), that prevents unnecessary proactive fetches. We implemented the MaxFetch(1) mitigation enhancement on a BIND resolver and tested it on real-world DNS query datasets. Our results show that MaxFetch(1) degrades neither the recursive resolver throughput nor its latency. Following the discovery of the attack, a responsible disclosure procedure was carried out, and several DNS vendors and public providers have issued a CVE and patched their systems.
Automatic detection of DNS manipulations
The DNS is a fundamental service that has been repeatedly attacked and abused. DNS manipulation is a prominent case: recursive DNS resolvers are deployed to explicitly return manipulated answers to users' queries. While DNS manipulation is also used for legitimate reasons (e.g., parental control), rogue DNS resolvers support malicious activities, such as malware and viruses, exposing users to phishing and content injection. We introduce REMeDy, a system that assists operators in identifying the use of rogue DNS resolvers in their networks. REMeDy is a completely automatic and parameter-free system that evaluates the consistency of responses across the resolvers active in the network. It operates by passively analyzing DNS traffic and, as such, requires no active probing of third-party servers. REMeDy is able to detect resolvers that manipulate answers, including resolvers that affect unpopular domains. We validate REMeDy using large-scale DNS traces collected in ISP networks where more than 100 resolvers are regularly used by customers. REMeDy automatically identifies regular resolvers and pinpoints manipulated responses. Among those, we identify both legitimate services that offer additional protection to clients and resolvers under the control of malware that steer traffic with likely malicious goals.
Understanding the Impact of Encrypted DNS on Internet Censorship
DNS traffic is transmitted in plaintext, resulting in privacy leakage. To combat this problem, secure protocols have been used to encrypt DNS messages. Existing studies have investigated the performance overhead and privacy benefits of encrypted DNS communications, yet little has been done from the perspective of censorship. In this paper, we study the impact of encrypted DNS on Internet censorship in two aspects. On one hand, we explore the severity of DNS manipulation, which could be leveraged for Internet censorship, given the use of encrypted DNS resolvers. In particular, we perform 7.4 million DNS lookup measurements on 3,813 DoT and 75 DoH resolvers and identify that 1.66% of DoT responses and 1.42% of DoH responses undergo DNS manipulation. More importantly, we observe that more than two-thirds of the DoT and DoH resolvers manipulate DNS responses for at least one domain, indicating that DNS manipulation is prevalent in encrypted DNS and can be further exploited to enhance Internet censorship. On the other hand, we evaluate the effectiveness of using encrypted DNS resolvers for censorship circumvention. Specifically, we first discover those vantage points where DNS manipulation is performed by on-path devices, and then we apply encrypted DNS resolvers at these vantage points to access the censored domains. We reveal that 37% of the domains are accessible from the vantage points in China, but none of the domains is accessible from the vantage points in Iran, indicating that the effectiveness of censorship circumvention via encrypted DNS resolvers varies from country to country. Moreover, for a given vantage point, using a different encrypted DNS resolver does not lead to a noticeable difference in accessing the censored domains.
Improving the Security of Critical Infrastructure: Metrics, Measurements, and Analysis
In this work, we propose three important contributions needed in the process of improving the security of the critical infrastructure: metrics, measurement, and analysis. To improve security, metrics are key to ensuring the accuracy of the assessment and evaluation. Measurements are the core of the process of identifying the causality and effectiveness of various behaviors, and accurate measurement with the right assumptions is a cornerstone of accurate analysis. Finally, contextualized analysis is essential for understanding measurements. Different results can be derived from the same data depending on the analysis method, and analysis can serve as a basis for understanding and improving systems security. In this dissertation, we look at whether these key concepts are well demonstrated in existing (networked) systems and research products. In the first thrust, we verified the validity of volume-based contribution evaluation metrics used in threat information sharing systems. Further, we proposed a qualitative evaluation as an alternative to supplement the shortcomings of the volume-based evaluation method. In the second thrust, we measured the effectiveness of low-rate DDoS attacks in a realistic environment to highlight the importance of establishing assumptions grounded in reality for measurements. Moreover, we theoretically analyzed low-rate DDoS attacks and conducted additional experiments to validate the analysis. In the last thrust, we conducted a large-scale measurement and analyzed the behaviors of open resolvers to estimate the potential threats they pose. We then went beyond merely counting open resolvers and explored new implications that the behavioral analysis could provide. We also experimentally showed the existence of forwarding resolvers and their behavior by precisely analyzing DNS resolution packets.
How India Censors the Web
One of the primary ways in which India engages in online censorship is by ordering Internet Service Providers (ISPs) operating in its jurisdiction to block access to certain websites for its users. This paper reports the different techniques Indian ISPs are using to censor websites, and investigates whether website blocklists are consistent across ISPs. We propose a suite of tests that prove more robust than previous work in detecting DNS- and HTTP-based censorship. Our tests also discern the use of SNI inspection for blocking websites, which was previously undocumented in the Indian context. Using information from court orders, user reports, and public and leaked government orders, we compile the largest known list of potentially blocked websites in India. We pass this list to our tests and run them from connections of six different ISPs, which together serve more than 98% of Internet users in India. Our findings not only confirm that ISPs are using different techniques to block websites, but also demonstrate that different ISPs are not blocking the same websites.
Measuring and Evading Turkmenistan's Internet Censorship: A Case Study in Large-Scale Measurements of a Low-Penetration Country
Since 2006, Turkmenistan has been listed as one of the few Internet enemies by Reporters Without Borders due to its extensively censored Internet and strictly regulated information control policies. Existing reports of filtering in Turkmenistan rely on a small number of vantage points or test a small number of websites. Yet, the country's poor Internet adoption rates and small population can make more comprehensive measurement challenging. With a population of only six million people and an Internet penetration rate of only 38%, it is challenging to either recruit in-country volunteers or obtain vantage points to conduct remote network measurements at scale.
We present the largest measurement study to date of Turkmenistan's Web censorship. To do so, we developed TMC, which tests the blocking status of millions of domains across the three foundational protocols of the Web (DNS, HTTP, and HTTPS). Importantly, TMC does not require access to vantage points in the country. Applying TMC to 15.5M domains, we find that Turkmenistan censors more than 122K domains, using different blocklists for each protocol. We also reverse-engineer these censored domains, identifying 6K over-blocking rules causing incidental filtering of more than 5.4M domains. Finally, we use Geneva, an open-source censorship evasion tool, to discover five new censorship evasion strategies that can defeat Turkmenistan's censorship at both the transport and application layers. We will publicly release both the data collected by TMC and the code for censorship evasion.
Comment: To appear in Proceedings of The 2023 ACM Web Conference (WWW 2023 - …