
A Centralized Monitoring Infrastructure for Improving DNS Security

Conference paper, Recent Advances in Intrusion Detection (RAID 2010)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 6307)


Abstract

Researchers have recently noted (14; 27) the potential of fast poisoning attacks against DNS servers, which allow attackers to easily manipulate records in open recursive DNS resolvers. A vendor-wide upgrade mitigated but did not eliminate this attack. Further, existing DNS protection systems, including bailiwick checking (12) and IDS-style filtering, do not stop this type of DNS poisoning. We therefore propose Anax, a DNS protection system that detects poisoned records in cache.

Our system observes changes in cached DNS records and applies machine learning to classify these updates as malicious or benign. We describe our classification features and machine learning model selection process, and note that the proposed approach is easily integrated into existing local network protection systems. To evaluate Anax, we studied cache changes in a geographically diverse set of 300,000 open recursive DNS servers (ORDNSs) over an eight-month period. Using hand-verified data as ground truth, evaluation of Anax showed a very low false positive rate (0.6% of all new resource records) and a high detection rate (91.9%).
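The abstract describes the core observation that Anax builds on: the same name, cached at many open recursive resolvers, normally resolves consistently, so a cache update that only a few resolvers carry, that points into a prefix never seen before, or that arrives with an unusually long TTL deserves scrutiny. The script below is an added illustration of that monitoring step, not code from the paper or the Anax system. The two resolver snapshots, the three features (peer agreement, prefix continuity, TTL ratio) and the scoring rule are all constructed for this example; the paper's actual feature set and trained model are not reproduced here.

```python
"""Added illustration: detect changes in cached DNS answers across a set of
open recursive resolvers and score them with a constructed heuristic.
The snapshots, features and scoring rule are assumptions for this example,
not the Anax features or classifier."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed snapshots: resolver IP -> {qname: (set of A records, TTL)}.
# Two polls of four resolvers for one name; t0 is fully consistent.
SNAPSHOT_T0 = {
    "198.51.100.1": {"bank.example": ({"203.0.113.10"}, 3600)},
    "198.51.100.2": {"bank.example": ({"203.0.113.10"}, 3500)},
    "198.51.100.3": {"bank.example": ({"203.0.113.10"}, 3300)},
    "198.51.100.4": {"bank.example": ({"203.0.113.10"}, 3400)},
}
SNAPSHOT_T1 = {
    "198.51.100.1": {"bank.example": ({"203.0.113.10"}, 3000)},
    "198.51.100.2": {"bank.example": ({"203.0.113.10"}, 2900)},
    # lone resolver now answers from an unseen prefix with a very long TTL
    "198.51.100.3": {"bank.example": ({"192.0.2.77"}, 86400)},
    # new address, but inside the /24 already seen at t0 (looks like a legitimate move)
    "198.51.100.4": {"bank.example": ({"203.0.113.11"}, 3400)},
}


@dataclass
class CacheChange:
    resolver: str
    qname: str
    old: frozenset
    new: frozenset
    new_ttl: int
    agreement: float    # share of polled resolvers whose answer equals the new answer
    same_prefix: bool   # every new address lies in a /24 already seen at t0
    ttl_ratio: float    # new TTL relative to the median TTL observed at t0


def prefixes(addrs, plen=24):
    """Map a set of addresses to the set of /plen networks they fall in."""
    return {ipaddress.ip_network(f"{a}/{plen}", strict=False) for a in addrs}


def median(values):
    s = sorted(values)
    n = len(s)
    return s[n // 2] if n % 2 else (s[n // 2 - 1] + s[n // 2]) / 2


def detect_changes(before, after):
    """Return one CacheChange per (resolver, qname) whose cached RRset differs
    between the two snapshots, with the constructed features filled in."""
    changes = []
    qnames = {q for recs in after.values() for q in recs}
    for qname in qnames:
        prior = [before[r][qname] for r in before if qname in before[r]]
        prior_prefixes = set().union(*(prefixes(rrset) for rrset, _ in prior)) if prior else set()
        prior_ttl = median([ttl for _, ttl in prior]) if prior else 1
        answers_now = Counter(frozenset(after[r][qname][0]) for r in after if qname in after[r])
        total = sum(answers_now.values())
        for resolver, records in after.items():
            if qname not in records or qname not in before.get(resolver, {}):
                continue
            old_set, _ = before[resolver][qname]
            new_set, new_ttl = records[qname]
            if set(old_set) == set(new_set):
                continue
            changes.append(CacheChange(
                resolver=resolver, qname=qname,
                old=frozenset(old_set), new=frozenset(new_set), new_ttl=new_ttl,
                agreement=answers_now[frozenset(new_set)] / total,
                same_prefix=prefixes(new_set) <= prior_prefixes,
                ttl_ratio=new_ttl / prior_ttl,
            ))
    return changes


def suspicious(change, min_agreement=0.5):
    """Constructed stand-in for the classifier: flag a change when at least two
    of three signals fire (few peers agree, unseen prefix, much longer TTL)."""
    score = 0
    if change.agreement < min_agreement:
        score += 1
    if not change.same_prefix:
        score += 1
    if change.ttl_ratio > 4:
        score += 1
    return score >= 2


if __name__ == "__main__":
    for c in detect_changes(SNAPSHOT_T0, SNAPSHOT_T1):
        verdict = "suspicious" if suspicious(c) else "benign"
        print(c.resolver, c.qname, sorted(c.old), "->", sorted(c.new), verdict)
```

Run as-is, the script reports the change seen at 198.51.100.3 as suspicious (one resolver out of four, a new /24, a TTL about 25 times the prior median) and the change at 198.51.100.4 as benign (same /24, comparable TTL). In a real deployment the snapshots would come from periodically querying the resolver population, and the hand-written scoring rule would be replaced by a model trained on labelled changes, which is the part of the work the abstract refers to but this example does not reproduce.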


References

  1. Nessus: The network vulnerability scanner, http://www.nessus.org/nessus/

  2. OzymanDNS: Kaminsky DNS tunnel (2005), http://www.doxpara.com

  3. DNS multi vendor patch: CVE-2008-1447 (March 2008), http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447

  4. CERT Advisory. Vulnerability Note VU-23495 - DNS implementations vulnerable to denial-of-service attacks via malformed DNS queries (August 2001)

  5. Antonakakis, M., Perdisci, R., Dagon, D., Lee, W., Feamster, N.: Building a Dynamic Reputation System for DNS. In: Proceedings of the 19th USENIX Security Symposium (August 2010)

  6. Arends, R., Austein, R., Larson, M., Massey, D., Rose, S.: RFC 4033 - DNS Security Introduction and Requirements (2005)

  7. Arends, R., Austein, R., Larson, M., Massey, D., Rose, S.: RFC 4034 - Resource Records for the DNS Security Extensions (2005), http://www.ietf.org/rfc/rfc4034.txt

  8. Bellis, R., Phifer, L.: Test report: DNSSEC impact on broadband routers and firewalls (2008), http://download.nominet.org.uk/dnssec-cpe/DNSSEC-CPE-Report.pdf

  9. Bernstein, D.J.: Introduction to DNSCurve (2008), http://dnscurve.org/

  10. Ccais/RNP (Brazilian Research Network CSIRT) and Vagner Sacramento. Vulnerability in the sending requests control of Bind versions 4 and 8 allows DNS spoofing (November 2002)

  11. Callaway, D.: PorkBind - Recursive multi-threaded nameserver security scanner (2008), http://innu.org/~super/#tools

  12. Computer Academic Underground. bailiwicked_domain.rb (2008), http://www.caughq.org/exploits/CAU-EX-2008-0003.txt

  13. Team Cymru. The Darknet Project (2004), http://www.team-cymru.org/Services/darknets.html

  14. Dagon, D., Antonakakis, M., Day, K., Luo, X., Lee, C., Lee, W.: Recursive DNS Architectures and Vulnerability Implications. In: Proceedings of the 16th NDSS, San Diego, CA (2009)

  15. Dagon, D., Antonakakis, M., Vixie, P., Jinmei, T., Lee, W.: Increased DNS Forgery Resistance Through 0x20-Bit Encoding. In: Proceedings of the 15th ACM CCS, Alexandria, VA (2008)

  16. Dagon, D., Provos, N., Lee, C., Lee, W.: Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority. In: Proceedings of the 15th NDSS, San Diego, CA (2008)

  17. DNSstuff. DNS Network Tools: Network Monitoring and DNS Monitoring (2008), http://www.dnsstuff.com/

  18. Duda, R., Hart, P., Stork, D.: Pattern Classification, 2nd edn. Wiley-Interscience, Hoboken (2000)

  19. Elz, R., Bush, R.: RFC 2181 - Clarifications to the DNS Specification (July 1997), http://www.faqs.org/rfcs/rfc2181.html

  20. The Measurement Factory. DNS Survey: Cache Poisoners (2008), http://dns.measurement-factory.com/surveys/poisoners.html

  21. Gummadi, K., Saroiu, S., Gribble, S.: King: Estimating latency between arbitrary internet end hosts. In: Proceedings of the 2nd ACM SIGCOMM IMW (2002)

  22. ISC. SIE@ISC, http://sie.isc.org

  23. Kaminsky, D.: Black ops 2008: It's the end of the cache as we know it or: "64k should be good enough for anyone" (2008), http://www.doxpara.com/DMK_BO2K8.ppt

  24. Karmasphere. The open reputation network (2006), https://dnsparse.insec.auckland.ac.nz/dns

  25. Klein, A.: BIND 9 DNS Cache Poisoning (2008), http://www.trusteer.com/files/BIND_9_DNS_Cache_Poisoning.pdf

  26. Osterweil, E., Massey, D., Zhang, L.: Observations from DNSSEC deployment. In: Proceedings of the 3rd NPSec (2007)

  27. Perdisci, R., Antonakakis, M., Luo, X., Lee, W.: WSEC DNS: Protecting Recursive DNS Resolvers from Poisoning Attacks. In: Proceedings of DSN-DCCS, Estoril, Lisbon, July 2 (2009)

  28. The Spamhaus Project. Lasso: The Spamhaus Don't Route Or Peer List (2008), http://www.spamhaus.org/drop/drop.lasso

  29. The Spamhaus Project. PBL: The Policy Block List (2008), http://www.spamhaus.org/pbl

  30. The Spamhaus Project. XBL: Exploits Block List (2008), http://www.spamhaus.org/xbl

  31. WIDE Project. The TOTD ('trick or treat daemon') DNS proxy (January 2006), http://www.vermicelli.pasta.cs.uit.no

  32. Samosseiko, D.: The PARTNERKA - What is it, and why should you care? In: Proceedings of the USENIX Workshop on Hot Topics in Cloud Computing (2009)

  33. Schuba, C.: Addressing weaknesses in the domain name system protocol. Master's thesis, Purdue University (1993)

  34. Ulevitch, D.: Phishtank: Out of the Net into the Tank (2009), http://www.phishtank.com/

  35. USDJ. Eugene E. Kashpureff pleaded guilty to unleashing malicious software on the internet (July 1997)

  36. Vixie, P.: RFC 2671 - Extension Mechanisms for DNS, EDNS0 (1999), http://www.faqs.org/rfcs/rfc2671.html

  37. Vixie, P.: DNS complexity. ACM Queue 5(3) (April 2007)

  38. Wendlandt, D., Andersen, D., Perrig, A.: Perspectives: Improving SSH-style host authentication with multi-path probing. In: Proceedings of the USENIX ATC (June 2008)

  39. Wessels, D.: DNS Cache Poisoners: Lazy, Stupid, or Evil? (2002), http://www.nanog.org/mtg-0602/pdf/wessels.pdf

  40. Witten, I., Frank, E.: Data Mining: Practical Machine Learning Tools and Techniques. Morgan Kaufmann Series in Data Management Systems. Morgan Kaufmann, San Francisco (June 2005)

  41. Yuan, L., Kant, K., Mohapatra, P., Chuah, C.: DoX: A Peer-to-Peer Antidote for DNS Cache Poisoning Attacks. In: ICC 2006 (2006)


© 2010 Springer-Verlag Berlin Heidelberg

Cite this paper

Antonakakis, M., Dagon, D., Luo, X., Perdisci, R., Lee, W., Bellmor, J. (2010). A Centralized Monitoring Infrastructure for Improving DNS Security. In: Jha, S., Sommer, R., Kreibich, C. (eds) Recent Advances in Intrusion Detection. RAID 2010. Lecture Notes in Computer Science, vol 6307. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15512-3_2


  • DOI: https://doi.org/10.1007/978-3-642-15512-3_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-15511-6

  • Online ISBN: 978-3-642-15512-3
