Behind Closed Doors: A Network Tale of Spoofing, Intrusion, and False DNS Security

Published: 27 October 2020
DOI: 10.1145/3419394.3423649

Abstract

Networks that do not employ destination-side source address validation (DSAV) expose themselves to a class of pernicious attacks that could be easily prevented by filtering inbound traffic purporting to originate from within the network. In this work, we survey the pervasiveness of networks vulnerable to infiltration using spoofed addresses internal to the network. We issue recursive Domain Name System (DNS) queries to a large set of known DNS servers worldwide, using various spoofed source addresses. We classify roughly half of the 62,000 networks (autonomous systems) we tested as vulnerable to infiltration due to lack of DSAV. As an illustration of the dangers to which these networks expose themselves, we demonstrate the ability to fingerprint the operating systems of internal DNS servers. Additionally, we identify nearly 4,000 DNS server instances vulnerable to cache poisoning attacks due to insufficient, and often non-existent, source port randomization, a vulnerability widely publicized 12 years ago (in 2008).
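
The two measurements the abstract describes, as an added example in Python (not code from the paper or its authors): a DNS query wrapped in a raw IPv4/UDP datagram whose source address is chosen by the sender, which is exactly the packet a border without DSAV fails to reject when the claimed source is one of its own internal addresses, and a grader for the UDP source ports a resolver uses on its outbound queries. The addresses 10.0.0.5 and 192.0.2.53, the sample port lists and the classification thresholds are this example's own assumptions, not the paper's measurement criteria; nothing is transmitted.

```python
"""Added example (not the paper's own code): build the spoofed-source DNS probe
the abstract describes and grade a resolver's source-port randomization.
Addresses, ports and port samples are constructed for illustration."""
import random
import socket
import struct


def build_dns_query(qname: str, txid: int, qtype: int = 1) -> bytes:
    """Wire-format DNS query (RFC 1035): header with RD=1, one IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; yields 0 over data whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """IPv4/UDP datagram with a caller-chosen (here: spoofed) source address.

    If the destination network lacks DSAV, a packet claiming a source inside
    that network passes the border like internal traffic. Emitting it needs a
    raw socket (CAP_NET_RAW) and the owner's authorization; this only builds bytes.
    """
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    udp_len = 8 + len(payload)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 17, udp_len)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    csum = inet_checksum(pseudo + udp) or 0xFFFF   # 0 would mean "no checksum"
    udp = struct.pack("!HHHH", sport, dport, udp_len, csum) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len,
                     random.randrange(65536), 0x4000, 64, 17, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + udp


def parse_ipv4_udp(pkt: bytes) -> dict:
    """Decode what a capture at the target would show and verify both checksums."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport, udp_len, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 17, udp_len)
    return {
        "src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
        "sport": sport, "dport": dport,
        "txid": struct.unpack("!H", pkt[ihl + 8:ihl + 10])[0],
        "ip_csum_ok": inet_checksum(pkt[:ihl]) == 0,
        "udp_csum_ok": inet_checksum(pseudo + pkt[ihl:ihl + udp_len]) == 0,
    }


def classify_source_ports(ports: list) -> str:
    """Grade the UDP source ports a resolver used for successive outbound queries.
    RFC 5452 wants these unpredictable: with a fixed port an off-path attacker
    forging answers only has to guess the 16-bit transaction ID (Kaminsky, 2008).
    Thresholds (90% steps of 1-2, spread under 1024 ports) are this example's own.
    """
    if len(ports) < 2:
        raise ValueError("need at least two observations")
    if len(set(ports)) == 1:
        return "fixed"
    deltas = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    if sum(1 for d in deltas if 1 <= d <= 2) >= 0.9 * len(deltas):
        return "sequential"
    if max(ports) - min(ports) < 1024:          # under ~10 bits of port entropy
        return "narrow"
    return "random"


def forgery_search_space(ports: list) -> int:
    """(txid, port) pairs an off-path attacker must cover to poison the cache."""
    grade = classify_source_ports(ports)
    port_choices = {"fixed": 1, "sequential": 2,
                    "narrow": max(ports) - min(ports) + 1, "random": 65536 - 1024}
    return 65536 * port_choices[grade]


if __name__ == "__main__":
    # Constructed probe: claims to come from 10.0.0.5 *inside* the target network,
    # aimed at that network's resolver 192.0.2.53 (documentation address).
    pkt = build_ipv4_udp("10.0.0.5", "192.0.2.53", 40000, 53,
                         build_dns_query("probe.example.net", txid=0x1234))
    print(parse_ipv4_udp(pkt))
    samples = {"query-source port 53": [53] * 50,
               "counter": list(range(30000, 30050)),
               "ephemeral": random.Random(1).sample(range(1024, 65536), 200)}
    for name, ports in samples.items():
        print(f"{name:22s} {classify_source_ports(ports):10s} "
              f"search space {forgery_search_space(ports):,}")
```

The checksums are verified in parse_ipv4_udp so the crafted bytes can be compared against a packet capture without ever being sent; transmitting them is a raw-socket operation that needs CAP_NET_RAW and permission from the target network's owner. For a live resolver the port list would be read from the source ports of the queries it sends to an authoritative server under your control, which is the usual way to observe a resolver's outbound behaviour.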

Supplementary Material

MOV File (imc2020-2.mov)



Published In

IMC '20: Proceedings of the ACM Internet Measurement Conference
October 2020
751 pages
ISBN:9781450381383
DOI:10.1145/3419394
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

IMC '20
IMC '20: ACM Internet Measurement Conference
October 27 - 29, 2020
Virtual Event, USA

Acceptance Rates

IMC '20 paper acceptance rate: 53 of 216 submissions (25%)
Overall acceptance rate: 277 of 1,083 submissions (26%)

Article Metrics

  • Downloads (last 12 months): 98
  • Downloads (last 6 weeks): 7
Reflects downloads up to 10 Feb 2025

Cited By
  • (2024) UniSAV: A Unified Framework for Internet-Scale Source Address Validation. Proceedings of the 2024 Applied Networking Research Workshop, 81-87. doi:10.1145/3673422.3674888 (published 23 Jul 2024)
  • (2024) Rumors Stop with the Wise: Unveiling Inbound SAV Deployment through Spoofed ICMP Messages. Proceedings of the 2024 ACM on Internet Measurement Conference, 199-213. doi:10.1145/3646547.3688417 (published 4 Nov 2024)
  • (2024) Insights into SAV Implementations in the Internet. Passive and Active Measurement, 69-87. doi:10.1007/978-3-031-56252-5_4 (published 20 Mar 2024)
  • (2023) Fourteen years in the life. Proceedings of the 32nd USENIX Conference on Security Symposium, 3171-3186. doi:10.5555/3620237.3620415 (published 9 Aug 2023)
  • (2023) Guardians of DNS Integrity: A Remote Method for Identifying DNSSEC Validators Across the Internet. 2023 IEEE 22nd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), 1470-1479. doi:10.1109/TrustCom60117.2023.00201 (published 1 Nov 2023)
  • (2023) The Closed Resolver Project: Measuring the Deployment of Inbound Source Address Validation. IEEE/ACM Transactions on Networking 31(6), 2589-2603. doi:10.1109/TNET.2023.3257413 (published Dec 2023)
  • (2022) Mirrors in the Sky: On the Potential of Clouds in DNS Reflection-based Denial-of-Service Attacks. Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses, 263-275. doi:10.1145/3545948.3545959 (published 26 Oct 2022)
  • (2022) Rusty clusters? Proceedings of the 22nd ACM Internet Measurement Conference, 395-409. doi:10.1145/3517745.3561440 (published 25 Oct 2022)
  • (2022) Beware of IPs in Sheep's Clothing: Measurement and Disclosure of IP Spoofing Vulnerabilities. IEEE/ACM Transactions on Networking 30(4), 1659-1673. doi:10.1109/TNET.2022.3149011 (published 14 Feb 2022)
  • (2022) A Byte-level Autoencoder-based Method to Detect Malicious Open Resolver. 2022 IEEE 25th International Conference on Computer Supported Cooperative Work in Design (CSCWD), 317-322. doi:10.1109/CSCWD54268.2022.9776266 (published 4 May 2022)