Abstract
Researchers have recently noted (14; 27) the potential of fast poisoning attacks against DNS servers, which allow attackers to easily manipulate records in open recursive DNS resolvers. A vendor-wide upgrade mitigated but did not eliminate this attack. Further, existing DNS protection systems, including bailiwick checking (12) and IDS-style filtering, do not stop this type of DNS poisoning. We therefore propose Anax, a DNS protection system that detects poisoned records in cache.
Our system observes changes in cached DNS records and applies machine learning to classify these updates as malicious or benign. We describe our classification features and our machine learning model selection process, and note that the proposed approach is easily integrated into existing local network protection systems. To evaluate Anax, we studied cache changes in a geographically diverse set of 300,000 open recursive DNS servers (ORDNSs) over an eight-month period. Using hand-verified data as ground truth, the evaluation of Anax showed a very low false positive rate (0.6% of all new resource records) and a high detection rate (91.9%).
References
Nessus: The network vulnerability scanner, http://www.nessus.org/nessus/
OzymanDNS: Kaminsky DNS tunnel (2005), http://www.doxpara.com
DNS multi vendor patch: CVE-2008-1447 (March 2008), http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
CERT Advisory. Vulnerability Note VU-23495 - DNS implementations vulnerable to denial-of-service attacks via malformed DNS queries (August 2001)
Antonakakis, M., Perdisci, R., Dagon, D., Lee, W., Feamster, N.: Building a Dynamic Reputation System for DNS. In: Proceedings of the 19th USENIX Security Symposium (August 2010)
Arends, R., Austein, R., Larson, M., Massey, D., Rose, S.: RFC 4033 - DNS Security Introduction and Requirements
Arends, R., Austein, R., Larson, M., Massey, D., Rose, S.: RFC 4034 - Resource Records for the DNS Security Extensions (2005), http://www.ietf.org/rfc/rfc4034.txt
Bellis, R., Phifer, L.: Test report: DNSSEC impact on broadband routers and firewalls (2008), http://download.nominet.org.uk/dnssec-cpe/DNSSEC-CPE-Report.pdf
Bernstein, D.J.: Introduction to DNSCurve (2008), http://dnscurve.org/
Ccais/RNP (Brazilian Research Network CSIRT) and Vagner Sacramento. Vulnerability in the sending requests control of Bind versions 4 and 8 allows DNS spoofing (November 2002)
Callaway, D.: PorkBind - Recursive multi-threaded nameserver security scanner (2008), http://innu.org/~super/#tools
Computer Academic Underground. bailiwicked_domain.rb (2008), http://www.caughq.org/exploits/CAU-EX-2008-0003.txt
Team Cymru. The Darknet Project (2004), http://www.team-cymru.org/Services/darknets.html
Dagon, D., Antonakakis, M., Day, K., Luo, X., Lee, C., Lee, W.: Recursive DNS Architectures and Vulnerability Implications. In: Proceedings of the 16th NDSS, San Diego, CA (2009)
Dagon, D., Antonakakis, M., Vixie, P., Jinmei, T., Lee, W.: Increased DNS Forgery Resistance Through 0x20-Bit Encoding. In: Proceedings of the 15th ACM CCS, Alexandria, VA (2008)
Dagon, D., Provos, N., Lee, C., Lee, W.: Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority. In: Proceedings of 15th NDSS, San Diego, CA (2008)
DNSstuff. DNS Network Tools: Network Monitoring and DNS Monitoring (2008), http://www.dnsstuff.com/
Duda, R., Hart, P., Stork, D.: Pattern Classification, 2nd edn. Wiley-Interscience, Hoboken (2000)
Elz, R., Bush, R.: RFC 2181 - Clarifications to the DNS Specification (July 1997), http://www.faqs.org/rfcs/rfc2181.html
The Measurement Factory. DNS Survey: Cache Poisoners (2008), http://dns.measurement-factory.com/surveys/poisoners.html
Gummadi, K., Saroiu, S., Gribble, S.: King: Estimating latency between arbitrary internet end hosts. In: Proceedings of the 2nd ACM SIGCOMM IMW (2002)
ISC. SIE@ISC, http://sie.isc.org
Kaminsky, D.: Black ops 2008: It’s the end of the cache as we know it or: “64k should be good enough for anyone” (2008), http://www.doxpara.com/DMK_BO2K8.ppt
Karmasphere. The open reputation network (2006), https://dnsparse.insec.auckland.ac.nz/dns
Klein, A.: BIND 9 DNS Cache Poisoning (2008), http://www.trusteer.com/files/BIND_9_DNS_Cache_Poisoning.pdf
Osterweil, E., Massey, D., Zhang, L.: Observations from DNSSEC deployment. In: Proceedings of the 3rd NPSec (2007)
Perdisci, R., Antonakakis, M., Luo, X., Lee, W.: WSEC DNS: Protecting Recursive DNS Resolvers from Poisoning Attacks. In: Proceedings of DSN-DCCS, Estoril, Lisbon, July 2 (2009)
The Spamhaus Project. Lasso: The Spamhaus Don’t Route Or Peer List (2008), http://www.spamhaus.org/drop/drop.lasso
The Spamhaus Project. PBL: The Policy Block List (2008), http://www.spamhaus.org/pbl
The Spamhaus Project. XBL: Exploits block list (2008), http://www.spamhaus.org/xbl
WIDE Project. The TOTD ('trick or treat daemon') DNS proxy (January 2006), http://www.vermicelli.pasta.cs.uit.no
Samosseiko, D.: The PARTNERKA - What is it, and why should you care? In: Proceedings of the USENIX Workshop on Hot Topics in Cloud Computing (2009)
Schuba, C.: Addressing weaknesses in the domain name system protocol. Master’s thesis, Purdue University (1993)
Ulevitch, D.: Phishtank: Out of the Net into the Tank (2009), http://www.phishtank.com/
USDJ. Eugene E. Kashpureff pleaded guilty to unleashing malicious software on the internet (July 1997)
Vixie, P.: RFC 2671 - Extension Mechanisms for DNS, EDNS0 (1999), http://www.faqs.org/rfcs/rfc2671.html
Vixie, P.: DNS complexity. ACM Queue 5(3) (April 2007)
Wendlandt, D., Andersen, D., Perrig, A.: Perspectives: Improving SSH-style host authentication with multi-path probing. In: Proceedings of the USENIX ATC (June 2008)
Wessels, D.: DNS Cache Poisoners: Lazy, Stupid, or Evil? (2002), http://www.nanog.org/mtg-0602/pdf/wessels.pdf
Witten, I., Frank, E.: Data Mining: Practical Machine Learning Tools and Techniques. Morgan Kaufmann Series in Data Management Systems. Morgan Kaufmann, San Francisco (June 2005)
Yuan, L., Kant, K., Mohapatra, P., Chuah, C.: DoX: A Peer-to-Peer Antidote for DNS Cache Poisoning Attacks. In: ICC 2006 (2006)
© 2010 Springer-Verlag Berlin Heidelberg
Cite this paper
Antonakakis, M., Dagon, D., Luo, X., Perdisci, R., Lee, W., Bellmor, J. (2010). A Centralized Monitoring Infrastructure for Improving DNS Security. In: Jha, S., Sommer, R., Kreibich, C. (eds) Recent Advances in Intrusion Detection. RAID 2010. Lecture Notes in Computer Science, vol 6307. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15512-3_2
DOI: https://doi.org/10.1007/978-3-642-15512-3_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-15511-6
Online ISBN: 978-3-642-15512-3