research-article

Behind Closed Doors: A Network Tale of Spoofing, Intrusion, and False DNS Security

Authors:

Michael Briggs,

Robert RichardsonAuthors Info & Claims

IMC '20: Proceedings of the ACM Internet Measurement Conference

Pages 65 - 77

https://doi.org/10.1145/3419394.3423649

Published: 27 October 2020 Publication History

Abstract

Networks not employing destination-side source address validation (DSAV) expose themselves to a class of pernicious attacks which could be easily prevented by filtering inbound traffic purporting to originate from within the network. In this work, we survey the pervasiveness of networks vulnerable to infiltration using spoofed addresses internal to the network. We issue recursive Domain Name System (DNS) queries to a large set of known DNS servers worldwide, using various spoofed-source addresses. We classify roughly half of the 62,000 networks (autonomous systems) we tested as vulnerable to infiltration due to lack of DSAV. As an illustration of the dangers these networks expose themselves to, we demonstrate the ability to fingerprint the operating systems of internal DNS servers. Additionally, we identify nearly 4,000 DNS server instances vulnerable to cache poisoning attacks due to insufficient---and often non-existent---source port randomization, a vulnerability widely publicized 12 years ago.

Supplementary Material

MOV File (imc2020-2.mov)

Behind Closed Doors: A Network Tale of Spoofing, Intrusion, and False DNS Security

Download
127.08 MB

References

[1]

Baidu. 2020. Baidu. http://www.baidu.com/

[2]

Robert Beverly, Arthur Berger, Young Hyun, and k claffy. 2009. Understanding the Efficacy of Deployed Internet Source Address Validation Filtering. In Proceedings of the 9th ACM SIGCOMM Conference on Internet Measurement (Chicago, Illinois, USA) (IMC 09). Association for Computing Machinery, New York, NY, USA, 356--369. https://doi.org/10.1145/1644893.1644936

Digital Library

[3]

S. Bortzmeyer. 2016. RFC 7816: DNS Query Name Minimisation to Improve Privacy.

[4]

S. Bortzmeyer and S. Huque. 2016. RFC 8020: NXDOMAIN: There Really Is Nothing Underneath.

[5]

CAIDA. 2020. Spoofer. https://www.caida.org/projects/spoofer/

[6]

B. Carpenter and S. Brim. 2002. RFC 3234: Middleboxes: Taxonomy and Issues.

Digital Library

[7]

CenturyLink. 2020. CenturyLink Domain Name Server (DNS). https://www.centurylink.com/home/help/internet/dns.html

[8]

Cisco. 2020. OpenDNS. https://www.opendns.com/

[9]

M. Cotton, L. Vegoda, Ed. R. Bonica, and B. Haberman. 2013. RFC 6890: Special-Purpose IP Address Registries.

[10]

J. Damas. 2008. RFC 5358: Preventing Use of Recursive Nameservers in Reflector Attacks.

[11]

K. Davies. 2008. DNS Cache Poisoning Vulnerability: Explanation and Remedies.

[12]

C. Deccio, D. Argueta, and J. Demke. 2019. A Quantitative Study of the Deployment of DNS Rate Limiting. In International Conference on Computing, Networking and Communications (ICNC 2019). IEEE, New York, NY, USA, 442--447.

[13]

J. Dickinson, S. Dickinson, R. Bellis, A. Mankin, and D. Wessels. 2016. RFC 7766: DNS Transport over TCP - Implementation Requirements.

[14]

D. Dittrich and E. Kenneally. 2012. The Menlo Report: Ethical Principles Guiding Information and Communication Technology Research. Technical Report. U.S. Department of Homeland Security.

[15]

DNS Operations, Analysis, and Research Center (DNS-OARC). 2018. 2018 DITL Data. https://www.dns-oarc.net/oarc/data/ditl/2018

[16]

DNS Operations, Analysis, and Research Center (DNS-OARC). 2019. 2019 DITL Data. https://www.dns-oarc.net/oarc/data/ditl/2019

[17]

Domain Name System Operation, Analysis, and Research Center. 2020. DNS-OARC. https://www.dns-oarc.net/

[18]

Chad Dougherty. 2008. Multiple DNS implementations vulnerable to cache poisoning. https://www.kb.cert.org/vuls/id/800113/

[19]

D. Eastlake and R. van Mook. 2009. RFC 5452: Measures for Making DNS More Resilient against Forged Answers.

[20]

P. Ferguson and D. Senie. 2000. BCP 38: Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing.

[21]

Oliver Gasser, Quirin Scheitle, Pawel Foremski, Qasim Lone, Maciej Korczynski, Stephen D. Strowes, Luuk Hendriks, and Georg Carle. 2018. Clusters in the Expanse: Understanding and Unbiasing IPv6 Hitlists. In Proceedings of the 2018 Internet Measurement Conference (Boston, MA, USA). ACM, New York, NY, USA, 15 pages. https://doi.org/10.1145/3278532.3278564

Digital Library

[22]

Google. 2020. Google Public DNS. https://developers.google.com/speed/public-dns/

[23]

Olafur Gudmundsson. 2018. Introducing DNS Resolver, 1.1.1.1 (not a joke). https://blog.cloudflare.com/dns-resolver-1-1-1-1/

[24]

H. Marshall Jarrett and Michael W. Bailie. 2015. Prosecuting Computer Crimes. https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ccmanual.pdf

[25]

Internet Assigned Numbers Authority. 2020. Service Name and Transport Protocol Port Number Registry. https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml

[26]

Lamont Jones. 2008. fix query-source comment in default install. https://salsa.debian.org/dns-team/bind9/commit/ed511a4a1182d4434d6c18b33201ae92d1bbb72f

[27]

Dan Kaminsky. 2008. Black Ops 2008: Its The End Of The Cache As We Know It, Or: '64K Should Be Good Enough For Anyone'. https://www.blackhat.com/presentations/bh-jp-08/bh-jp-08-Kaminsky/BlackHat-Japan-08-Kaminsky-DNS08-BlackOps.pdf

[28]

S. Kitterman. 2014. RFC 7208: Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1.

[29]

Maciej Korczynski, Michał Król, and Michel van Eeten. 2016. Zone Poisoning: The How and Where of Non-Secure DNS Dynamic Updates. In Proceedings of the 2016 Internet Measurement Conference (Santa Monica, California, USA) (IMC 16). Association for Computing Machinery, New York, NY, USA, 271âĂŞ278. https://doi.org/10.1145/2987443.2987477

Digital Library

[30]

Maciej Korczyński, Yevheniya Nosyk, Qasim Lone, Marcin Skwarek, Baptiste Jonglez, and Andrzej Duda. 2020. Dont Forget to Lock the Front Door! Inferring the Deployment of Source Address Validation on Inbound Traffic. In Passive and Active Measurement (PAM) conference (PAM 2020) (Eugene, OR). ACM, New York, NY, USA, 14 pages.

[31]

Marc Kührer, Thomas Hupperich, Jonas Bushart, Christian Rossow, and Thorsten Holz. 2015. Going Wild: Large-Scale Classification of Open DNS Resolvers. In Proceedings of the 2015 Internet Measurement Conference (Tokyo, Japan) (IMC 15). ACM, New York, NY, USA, 355--368. https://doi.org/10.1145/2815675.2815683

Digital Library

[32]

Matthew Luckie, Robert Beverly, Ryan Koga, Ken Keys, Joshua A. Kroll, and k claffy. 2019. Network Hygiene, Incentives, and Regulation: Deployment of Source Address Validation in the Internet. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (London, United Kingdom) (CCS 19). Association for Computing Machinery, New York, NY, USA, 465--480. https://doi.org/10.1145/3319535.3354232

Digital Library

[33]

D. MacFarland, C. Shue, and A. Kalafut. 2015. Characterizing Optimal DNS Amplification Attacks and Effective Mitigation. In Passive and Active Measurement: 16th International Conference, Proceedings. Springer International Publishing, Cham, 15--27. https://doi.org/10.1007/978-3-319-15509-8_2

[34]

D. MacFarland, C. Shue, and A. Kalafut. 2017. The Best Bang for the Byte: Characterizing the Potential of DNS Amplification Attacks. Computer Networks 116 (April 2017), 12--21.

[35]

MaxMind. 2020. MaxMind GeoLite2 data. https://www.maxmind.com/

[36]

Microsoft. 2020. CVE-2020-1350 | Windows DNS Server Remote Code Execution Vulnerability. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350

[37]

NANOG. 2020. North American Network Operators Group. https://www.nanog.org/

[38]

Jeman Park, Aminollah Khormali, Manar Mohaisen, and Aziz Mohaisen. 2019. Where Are You Taking Me? Behavioral Analysis of Open DNS Resolvers. In The 49th IEEE/IFIP International Conference on Dependable Systems and Networks. IEEE, Portland, OR, USA, 12 pages.

[39]

Quad9. 2020. Quad9. https://www.quad9.net/

[40]

RIPE NCC. 2020. RIPE Network Coordination Centre. https://www.ripe.net/

[41]

Root Server Operators. 2019. Root DNS. http://root-servers.org/

[42]

Sarah Scheffler, Sean Smith, Yossi Gilad, and Sharon Goldberg. 2018. The Unintended Consequences of Email Spam Prevention. In Passive and Active Measurement. Springer International Publishing, New York, NY, USA, 158--169.

[43]

Lior Shafir, Yehuda Afek, and Anat Bremler-Barr. 2020. NXNSAttack: Recursive DNS Inefficiencies and Vulnerabilities. In 29th USENIX Security Symposium (USENIX Security 20). USENIX Association, 631--648.

[44]

R. van Rijswijk-Deij A. Sperotto and A. Pras. 2014. DNSSEC and Its Potential for DDoS Attacks: A Comprehensive Measurement Study. In Proceedings of the 2014 Conference on Internet Measurement (IMC 14). ACM, New York, NY, USA, 449--460. https://doi.org/10.1145/2663716.2663731

[45]

Verisign. 2020. Verisign Public DNS. https://www.verisign.com/en_US/security-services/public-dns/index.xhtml

[46]

P. Vixie. 2013. On the Time Value of Security Features in DNS. http://www.circleid.com/posts/20130913_on_the_time_value_of_security_features_in_dns/.

Cited By

Qin LLiu LChen LLi DShi YYang H(2024)UniSAV: A Unified Framework for Internet-Scale Source Address ValidationProceedings of the 2024 Applied Networking Research Workshop10.1145/3673422.3674888(81-87)Online publication date: 23-Jul-2024
https://dl.acm.org/doi/10.1145/3673422.3674888
Yu SZhuang SYu TAn CWang JVallina-Rodríguez NSuarez-Tángil GLevin DPelsser C(2024)Rumors Stop with the Wise: Unveiling Inbound SAV Deployment through Spoofed ICMP MessagesProceedings of the 2024 ACM on Internet Measurement Conference10.1145/3646547.3688417(199-213)Online publication date: 4-Nov-2024
https://dl.acm.org/doi/10.1145/3646547.3688417
Schulmann HZhao S(2024)Insights into SAV Implementations in the InternetPassive and Active Measurement10.1007/978-3-031-56252-5_4(69-87)Online publication date: 20-Mar-2024
https://doi.org/10.1007/978-3-031-56252-5_4
Show More Cited By

Index Terms

Behind Closed Doors: A Network Tale of Spoofing, Intrusion, and False DNS Security
1. Networks

Recommendations

Ethics behind cyber warfare: a study of arab citizens awareness
ETHICS '14: Proceedings of the IEEE 2014 International Symposium on Ethics in Engineering, Science, and Technology

Persisting to ignore the consequences of Cyber Warfare will bring severe concerns to all people. Hackers and governments alike should understand the barriers of which their methods take them. Governments use Cyber Warfare to give them a tactical ...
Shadows Behind the Keyboard: Dark Personalities and Deception in Cyberattacks
IWSPA '22: Proceedings of the 2022 ACM on International Workshop on Security and Privacy Analytics

Understanding the psychology of cyberattacks is critical for finding ways to minimize their efficacy and harm. Specifically, there are multiple types of attackers, and different attackers have different goals and varied approaches. Through the study of ...
Capturing DDoS Attack Dynamics Behind the Scenes
DIMVA 2015: Proceedings of the 12th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment - Volume 9148

Despite continuous defense efforts, DDoS attacks are still very prevalent on the Internet. In such arms races, attackers are becoming more agile and their strategies are more sophisticated to escape from detection. Effective defenses demand in-depth ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

IMC '20: Proceedings of the ACM Internet Measurement Conference

October 2020

751 pages

ISBN:9781450381383

DOI:10.1145/3419394

Copyright © 2020 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 27 October 2020

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Qualifiers

Research-article
Research
Refereed limited

Conference

IMC '20

Sponsor:

IMC '20: ACM Internet Measurement Conference

October 27 - 29, 2020

Virtual Event, USA

Acceptance Rates

IMC '20 Paper Acceptance Rate 53 of 216 submissions, 25%;

Overall Acceptance Rate 277 of 1,083 submissions, 26%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

14
Total Citations
View Citations
700
Total Downloads

Downloads (Last 12 months)98
Downloads (Last 6 weeks)7

Reflects downloads up to 10 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Qin LLiu LChen LLi DShi YYang H(2024)UniSAV: A Unified Framework for Internet-Scale Source Address ValidationProceedings of the 2024 Applied Networking Research Workshop10.1145/3673422.3674888(81-87)Online publication date: 23-Jul-2024
https://dl.acm.org/doi/10.1145/3673422.3674888
Yu SZhuang SYu TAn CWang JVallina-Rodríguez NSuarez-Tángil GLevin DPelsser C(2024)Rumors Stop with the Wise: Unveiling Inbound SAV Deployment through Spoofed ICMP MessagesProceedings of the 2024 ACM on Internet Measurement Conference10.1145/3646547.3688417(199-213)Online publication date: 4-Nov-2024
https://dl.acm.org/doi/10.1145/3646547.3688417
Schulmann HZhao S(2024)Insights into SAV Implementations in the InternetPassive and Active Measurement10.1007/978-3-031-56252-5_4(69-87)Online publication date: 20-Mar-2024
https://doi.org/10.1007/978-3-031-56252-5_4
Hilton ADeccio CDavis JCalandrino JTroncoso C(2023)Fourteen years in the lifeProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620415(3171-3186)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620415
Nosyk YKorczyński MDuda A(2023)Guardians of DNS Integrity: A Remote Method for Identifying DNSSEC Validators Across the Internet2023 IEEE 22nd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom)10.1109/TrustCom60117.2023.00201(1470-1479)Online publication date: 1-Nov-2023
https://doi.org/10.1109/TrustCom60117.2023.00201
Nosyk YKorczyński MLone QSkwarek MJonglez BDuda A(2023)The Closed Resolver Project: Measuring the Deployment of Inbound Source Address ValidationIEEE/ACM Transactions on Networking10.1109/TNET.2023.325741331:6(2589-2603)Online publication date: Dec-2023
https://doi.org/10.1109/TNET.2023.3257413
Yazdani RHilton Avan der Ham Jvan Rijswijk-Deij RDeccio CSperotto AJonker M(2022)Mirrors in the Sky: On the Potential of Clouds in DNS Reflection-based Denial-of-Service AttacksProceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses10.1145/3545948.3545959(263-275)Online publication date: 26-Oct-2022
https://dl.acm.org/doi/10.1145/3545948.3545959
Zirngibl JSteger LSattler PGasser OCarle GBarakat CPelsser CBenson TChoffnes D(2022)Rusty clusters?Proceedings of the 22nd ACM Internet Measurement Conference10.1145/3517745.3561440(395-409)Online publication date: 25-Oct-2022
https://dl.acm.org/doi/10.1145/3517745.3561440
Hilton AHirschmann JDeccio C(2022)Beware of IPs in Sheep’s Clothing: Measurement and Disclosure of IP Spoofing VulnerabilitiesIEEE/ACM Transactions on Networking10.1109/TNET.2022.314901130:4(1659-1673)Online publication date: 14-Feb-2022
https://dl.acm.org/doi/10.1109/TNET.2022.3149011
Li CDai LKong DXu ZHan Y(2022)A Byte-level Autoencoder-based Method to Detect Malicious Open Resolver2022 IEEE 25th International Conference on Computer Supported Cooperative Work in Design (CSCWD)10.1109/CSCWD54268.2022.9776266(317-322)Online publication date: 4-May-2022
https://doi.org/10.1109/CSCWD54268.2022.9776266
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten