A Centralized Monitoring Infrastructure for Improving DNS Security

  • Manos Antonakakis
  • David Dagon
  • Xiapu Luo
  • Roberto Perdisci
  • Wenke Lee
  • Justin Bellmor
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6307)

Abstract

Researchers have recently noted (14; 27) the potential of fast poisoning attacks against DNS servers, which allow attackers to easily manipulate records in open recursive DNS resolvers. A vendor-wide upgrade mitigated but did not eliminate this attack. Further, existing DNS protection systems, including bailiwick-checking (12) and IDS-style filtration, do not stop this type of DNS poisoning. We therefore propose Anax, a DNS protection system that detects poisoned records in cache.

Our system observes changes in cached DNS records and applies machine learning to classify these updates as malicious or benign. We describe our classification features and machine learning model selection process, noting that the proposed approach is easily integrated into existing local network protection systems. To evaluate Anax, we studied cache changes in a geographically diverse set of 300,000 open recursive DNS servers (ORDNSs) over an eight-month period. Using hand-verified data as ground truth, evaluation of Anax showed a very low false positive rate (0.6% of all new resource records) and a high detection rate (91.9%).

Keywords

DNS Poisoning, Attack Detection, Local Network Protection

References

  1. Nessus: The network vulnerability scanner, http://www.nessus.org/nessus/
  2. OzymanDNS: Kaminsky DNS tunnel (2005), http://www.doxpara.com
  3. DNS multi vendor patch: CVE-2008-1447 (March 2008), http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
  4. CERT Advisory. Vulnerability Note VU-23495 - DNS implementations vulnerable to denial-of-service attacks via malformed DNS queries (August 2001)
  5. Antonakakis, M., Perdisci, R., Dagon, D., Lee, W., Feamster, N.: Building a Dynamic Reputation System for DNS. In: Proceedings of the 19th USENIX Security Symposium (August 2010)
  6. Arends, R., Austein, R., Larson, M., Massey, D., Rose, S.: RFC 4033 - DNS Security Introduction and Requirements
  7. Arends, R., Austein, R., Larson, M., Massey, D., Rose, S.: RFC 4034 - Resource Records for the DNS Security Extensions (2005), http://www.ietf.org/rfc/rfc4034.txt
  8. Bellis, R., Phifer, L.: Test report: DNSSEC impact on broadband routers and firewalls (2008), http://download.nominet.org.uk/dnssec-cpe/DNSSEC-CPE-Report.pdf
  9. Bernstein, D.J.: Introduction to DNSCurve (2008), http://dnscurve.org/
  10. Ccais/RNP (Brazilian Research Network CSIRT) and Vagner Sacramento. Vulnerability in the sending requests control of Bind versions 4 and 8 allows DNS spoofing (November 2002)
  11. Callaway, D.: PorkBind - Recursive multi-threaded nameserver security scanner (2008), http://innu.org/~super/#tools
  12. Computer Academic Underground. bailiwicked_domain.rb (2008), http://www.caughq.org/exploits/CAU-EX-2008-0003.txt
  13. Team Cymru. The Darknet Project (2004), http://www.team-cymru.org/Services/darknets.html
  14. Dagon, D., Antonakakis, M., Day, K., Luo, X., Lee, C., Lee, W.: Recursive DNS Architectures and Vulnerability Implications. In: Proceedings of the 16th NDSS, San Diego, CA (2009)
  15. Dagon, D., Antonakakis, M., Vixie, P., Jinmei, T., Lee, W.: Increased DNS Forgery Resistance Through 0x20-Bit Encoding. In: Proceedings of the 15th ACM CCS, Alexandria, VA (2008)
  16. Dagon, D., Provos, N., Lee, C., Lee, W.: Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority. In: Proceedings of the 15th NDSS, San Diego, CA (2008)
  17. DNSstuff. DNS Network Tools: Network Monitoring and DNS Monitoring (2008), http://www.dnsstuff.com/
  18. Duda, R., Hart, P., Stork, D.: Pattern Classification, 2nd edn. Wiley-Interscience, Hoboken (2000)
  19. Elz, R., Bush, R.: RFC 2181 - Clarifications to the DNS Specification (July 1997), http://www.faqs.org/rfcs/rfc2181.html
  20. The Measurement Factory. DNS Survey: Cache Poisoners (2008), http://dns.measurement-factory.com/surveys/poisoners.html
  21. Gummadi, K., Saroiu, S., Gribble, S.: King: Estimating latency between arbitrary internet end hosts. In: Proceedings of the 2nd ACM SIGCOMM IMW (2002)
  22. ISC. SIE@ISC, http://sie.isc.org
  23. Kaminsky, D.: Black ops 2008: It's the end of the cache as we know it or: "64k should be good enough for anyone" (2008), http://www.doxpara.com/DMK_BO2K8.ppt
  24. Karmasphere. The open reputation network (2006), https://dnsparse.insec.auckland.ac.nz/dns
  25. Klein, A.: BIND 9 DNS Cache Poisoning (2008), http://www.trusteer.com/files/BIND_9_DNS_Cache_Poisoning.pdf
  26. Osterweil, E., Massey, D., Zhang, L.: Observations from DNSSEC deployment. In: Proceedings of the 3rd NPSec (2007)
  27. Perdisci, R., Antonakakis, M., Luo, X., Lee, W.: WSEC DNS: Protecting Recursive DNS Resolvers from Poisoning Attacks. In: Proceedings of DSN-DCCS, Estoril, Lisbon, July 2 (2009)
  28. The Spamhaus Project. Lasso: The Spamhaus Don't Route Or Peer List (2008), http://www.spamhaus.org/drop/drop.lasso
  29. The Spamhaus Project. PBL: The Policy Block List (2008), http://www.spamhaus.org/pbl
  30. The Spamhaus Project. XBL: Exploits Block List (2008), http://www.spamhaus.org/xbl
  31. WIDE Project. The TOTD ('trick or treat daemon') DNS proxy (January 2006), http://www.vermicelli.pasta.cs.uit.no
  32. Samosseiko, D.: The PARTNERKA - What is it, and why should you care? In: Proceedings of USENIX, Workshop on Hot Topics in Cloud Computing (2009)
  33. Schuba, C.: Addressing weaknesses in the domain name system protocol. Master's thesis, Purdue University (1993)
  34. Ulevitch, D.: Phishtank: Out of the Net into the Tank (2009), http://www.phishtank.com/
  35. USDJ. Eugene E. Kashpureff pleaded guilty to unleashing malicious software on the internet (July 1997)
  36. Vixie, P.: RFC 2671 - Extension Mechanisms for DNS, EDNS0 (1999), http://www.faqs.org/rfcs/rfc2671.html
  37. Vixie, P.: DNS complexity. ACM Queue 5(3) (April 2007)
  38. Wendlandt, D., Andersen, D., Perrig, A.: Perspectives: Improving SSH-style host authentication with multi-path probing. In: Proceedings of the USENIX ATC (June 2008)
  39. Wessels, D.: DNS Cache Poisoners: Lazy, Stupid, or Evil? (2002), http://www.nanog.org/mtg-0602/pdf/wessels.pdf
  40. Witten, I., Frank, E.: Data Mining: Practical Machine Learning Tools and Techniques. Morgan Kaufmann Series in Data Management Systems. Morgan Kaufmann, San Francisco (June 2005)
  41. Yuan, L., Kant, K., Mohapatra, P., Chuah, C.: DoX: A Peer-to-Peer Antidote for DNS Cache Poisoning Attacks. In: ICC 2006 (2006)

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Manos Antonakakis (1)
  • David Dagon (1)
  • Xiapu Luo (1)
  • Roberto Perdisci (1)
  • Wenke Lee (1)
  • Justin Bellmor (1)

  1. Georgia Institute of Technology, College of Computing, Atlanta, USA