Abstract
The Domain Name System (DNS) translates human-readable domain names into IP addresses. It is a key infrastructure component of the Internet and a prime target for a variety of attacks. One of the most significant threats to the DNS is the poisoning attack, in which an attacker replaces legitimate DNS responses with forged ones. To identify this kind of attack, we begin with an analysis of DNS response times. We characterize typical and atypical response times while distinguishing between the levels of the DNS hierarchy, from the root servers down to internal caching servers. Based on a novel method for DNS response-timing analysis, we successfully identify empirical DNS poisoning attacks. We then present a system we developed to validate our technique; it requires no changes to the DNS protocol or to any existing network equipment. Our validation system was tested on data from different architectures, including LAN and cloud environments, as well as real data from an Internet service provider. Our method and system differ from most other DNS poisoning detection methods and achieved detection rates exceeding 98%. These findings suggest that, used in conjunction with other methods, our approach can considerably enhance their accuracy.
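The following Python sketch is an added illustration of the timing idea summarized in the abstract; it is not the authors' system, whose features and classifiers the abstract does not detail. It assumes that the tier a response comes from (local cache vs. an answer the resolver fetched upstream) can be inferred from whether the TTL is decremented, that known-good traffic is available to build a per-tier baseline of response times (median and MAD), and that a forged answer is flagged when it falls in the fast tail of the tier it claims. All timings, transaction IDs and addresses are constructed sample data.

```python
"""Timing-based screening of DNS responses (added illustration).

Each tier of the resolution path has its own response-time distribution, and a
forged answer injected by a nearby attacker must beat the genuine answer, so it
lands in the fast tail of the tier it pretends to come from. The tier split by
TTL, the robust z-score threshold and all timings below are assumptions made
for this example, not measurements or methods from the paper.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DnsResponse:
    qname: str
    txid: int          # DNS transaction ID carried by the response
    rtt_ms: float      # query sent -> response received, milliseconds
    ttl: int           # TTL in the answer RR as received
    zone_ttl: int      # TTL the zone publishes for this record (assumed known)
    answer_ip: str


def tier_of(resp: DnsResponse) -> str:
    """Assumed heuristic: a cache hit returns a decremented TTL, while an answer
    the resolver had to fetch upstream carries the full zone TTL. A spoofing
    tool crafts its reply with a full TTL, so it claims the 'upstream' tier."""
    return "cached" if resp.ttl < resp.zone_ttl else "upstream"


def build_baseline(samples: List[DnsResponse],
                   min_per_tier: int = 3) -> Dict[str, Tuple[float, float]]:
    """Per-tier (median, MAD) of response times from known-good traffic."""
    by_tier: Dict[str, List[float]] = defaultdict(list)
    for s in samples:
        by_tier[tier_of(s)].append(s.rtt_ms)
    baseline: Dict[str, Tuple[float, float]] = {}
    for tier in ("cached", "upstream"):
        rtts = by_tier.get(tier, [])
        if len(rtts) < min_per_tier:
            raise ValueError(f"need at least {min_per_tier} clean samples for tier {tier!r}")
        med = median(rtts)
        mad = median(abs(r - med) for r in rtts)
        baseline[tier] = (med, mad)
    return baseline


def robust_z(resp: DnsResponse, baseline: Dict[str, Tuple[float, float]]) -> float:
    """Robust z-score of one response against the baseline of its claimed tier."""
    med, mad = baseline[tier_of(resp)]
    scale = 1.4826 * mad          # MAD -> sigma for a normal distribution
    if scale == 0.0:
        scale = 1e-9              # degenerate baseline with identical timings
    return (resp.rtt_ms - med) / scale


def is_suspicious(resp: DnsResponse, baseline, threshold: float = 3.5) -> bool:
    """Only the fast tail is flagged: a forged answer has to arrive before the
    genuine one, so an unusually slow answer is not evidence of poisoning."""
    return robust_z(resp, baseline) < -threshold


def conflicting_answers(responses: List[DnsResponse]) -> Dict[int, List[str]]:
    """Transaction IDs that received more than one distinct answer, earliest
    first. In a poisoning race both the forged and the genuine reply reach the
    client; the earlier one is the attacker's if the timing test also flags it."""
    seen: Dict[int, List[str]] = defaultdict(list)
    for r in sorted(responses, key=lambda r: r.rtt_ms):
        if r.answer_ip not in seen[r.txid]:
            seen[r.txid].append(r.answer_ip)
    return {txid: ips for txid, ips in seen.items() if len(ips) > 1}


def screen(responses: List[DnsResponse], baseline) -> List[Tuple[int, str, float]]:
    """(txid, answer_ip, score) for every response the timing test flags."""
    return [(r.txid, r.answer_ip, round(robust_z(r, baseline), 2))
            for r in responses if is_suspicious(r, baseline)]


# Constructed sample traffic (not measurements from the paper).
ZONE_TTL = 300
CLEAN = (
    [DnsResponse("example.com", 0x1000 + i, rtt, ZONE_TTL, ZONE_TTL, "198.51.100.4")
     for i, rtt in enumerate([24.1, 27.3, 22.8, 31.0, 25.6, 29.4, 26.2, 23.9])]
    + [DnsResponse("example.com", 0x2000 + i, rtt, ZONE_TTL - 60, ZONE_TTL, "198.51.100.4")
       for i, rtt in enumerate([0.8, 1.1, 0.9, 1.3, 1.0, 0.7])]
)
# One raced query: a full-TTL answer after 1.2 ms from the attacker, then the
# genuine upstream answer about 25 ms later, both with the same transaction ID.
FORGED = DnsResponse("example.com", 0x1A2B, 1.2, ZONE_TTL, ZONE_TTL, "203.0.113.7")
GENUINE = DnsResponse("example.com", 0x1A2B, 26.5, ZONE_TTL, ZONE_TTL, "198.51.100.4")


if __name__ == "__main__":
    base = build_baseline(CLEAN)
    print("baseline:", base)
    print("flagged:", screen([FORGED, GENUINE], base))
    print("raced txids:", conflicting_answers([FORGED, GENUINE]))
```

The baseline has to be learned per resolver and per tier, since the same 1 ms answer is normal from a LAN cache and implausible from a path that must reach an authoritative server; the TTL heuristic is an assumption that breaks for resolvers that rewrite TTLs, which is one reason the abstract positions timing analysis as a complement to other detection methods rather than a replacement.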
Acknowledgements
This work was supported by the Ariel Cyber Innovation Center and The Bar Ilan Center for Research in Applied Cryptography and Cyber Security, in conjunction with the Israel National Cyber directorate in the Prime Minister’s Office.
Ethics declarations
Conflict of interest
Mr. Harel Berger declares that he has no conflict of interest. Mr. Amit Z. Dvir declares that he has no conflict of interest. Mr. Moti Geva declares that he has no conflict of interest.
Funding
No funding was received for this study.
Ethical approval
This article does not contain any studies with human participants or animals performed by any of the authors.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Cite this article
Berger, H., Dvir, A.Z. & Geva, M. A wrinkle in time: a case study in DNS poisoning. Int. J. Inf. Secur. 20, 313–329 (2021). https://doi.org/10.1007/s10207-020-00502-x
DOI: https://doi.org/10.1007/s10207-020-00502-x