1,109 research outputs found

    NXNSAttack: Recursive DNS Inefficiencies and Vulnerabilities

    This paper exposes a new vulnerability and introduces a corresponding attack, the NoneXistent Name Server Attack (NXNSAttack), that disrupts and may paralyze the DNS system, making it difficult or impossible for Internet users to access websites, web e-mail, online video chats, or any other online resource. The NXNSAttack generates a storm of packets between DNS resolvers and DNS authoritative name servers. The storm is produced by the response of resolvers to unrestricted referral response messages of authoritative name servers. The attack is significantly more destructive than NXDomain attacks (e.g., the Mirai attack): i) It reaches an amplification factor of more than 1620x on the number of packets exchanged by the recursive resolver. ii) In addition to the negative cache, the attack also saturates the 'NS' section of the resolver caches. To mitigate the attack impact, we propose an enhancement to the recursive resolver algorithm, MaxFetch(k), that prevents unnecessary proactive fetches. We implemented the MaxFetch(1) mitigation enhancement on a BIND resolver and tested it on real-world DNS query datasets. Our results show that MaxFetch(1) degrades neither the recursive resolver throughput nor its latency. Following the discovery of the attack, a responsible disclosure procedure was carried out, and several DNS vendors and public providers have issued a CVE and patched their systems.

    Adaptive response system for distributed denial-of-service attacks

    Accepted versio

    The Cracker Patch Choice: An Analysis of Post Hoc Security Techniques

    It has long been known that security is easiest to achieve when it is designed in from the start. Unfortunately, it has also become evident that systems built with security as a priority are rarely selected for widespread deployment, because most consumers choose features, convenience, and performance over security. Thus security officers are often denied the option of choosing a truly secure solution, and instead must choose among a variety of post hoc security adaptations. We classify security enhancing methods, and compare and contrast these methods in terms of their effectiveness vs. cost of deployment. Our analysis provides practitioners with a guide for when to develop and deploy various kinds of post hoc security adaptations.

    Rigorous and Practical Proportional-fair Allocation for Multi-rate Wi-Fi

    Recent experimental studies confirm the prevalence of the widely known performance anomaly problem in current Wi-Fi networks, and report on the severe network utility degradation caused by this phenomenon. Although a large body of work addressed this issue, we attribute the refusal of prior solutions to their poor implementation feasibility with off-the-shelf hardware and their imprecise modelling of the 802.11 protocol. Their applicability is further challenged today by very high throughput enhancements (802.11n/ac) whereby link speeds can vary by two orders of magnitude. Unlike earlier approaches, in this paper we introduce the first rigorous analytical model of 802.11 stations’ throughput and airtime in multi-rate settings, without sacrificing accuracy for tractability. We use the proportional-fair allocation criterion to formulate network utility maximisation as a convex optimisation problem for which we give a closed-form solution. We present a fully functional light-weight implementation of our scheme on commodity access points and evaluate this extensively via experiments in a real deployment, over a broad range of network conditions. Results demonstrate that our proposal achieves up to 100% utility gains, can double video streaming goodput and reduces TCP download times by 8x.

    Exploring Deployment Strategies for the Tor Network [Extended Version]

    In response to upcoming performance and security challenges of anonymity networks like Tor, it will be of crucial importance to be able to develop and deploy performance improvements and state-of-the-art countermeasures. In this paper, we therefore explore different deployment strategies and review their applicability to the Tor network. In particular, we consider flag day, dual stack, translation, and tunneling strategies and discuss their impact on the network, as well as common risks associated with each of them. In a simulation-based evaluation, which stems on historical data of Tor, we show that they can practically be applied to realize significant protocol changes in Tor. However, our results also indicate that during the transitional phase a certain degradation of anonymity is unavoidable with current viable deployment strategies.