
The Far Side of DNS Amplification: Tracing the DDoS Attack Ecosystem from the Internet Core

Published by Marcin Nawrocki
Publication date: 2021
Research field: Informatics Engineering
Research language: English





In this paper, we shed new light on the DNS amplification ecosystem, by studying complementary data sources, bolstered by orthogonal methodologies. First, we introduce a passive attack detection method for the Internet core, i.e., at Internet eXchange Points (IXPs). Surprisingly, IXPs and honeypots observe mostly disjoint sets of attacks: 96% of IXP-inferred attacks were invisible to a sizable honeypot platform. Second, we assess the effectiveness of observed DNS attacks by studying IXP traces jointly with diverse data from independent measurement infrastructures. We find that attackers efficiently detect new reflectors and purposefully rotate between them. At the same time, we reveal that attackers are a small step removed from bringing about significantly higher amplification factors (14x). Third, we identify and fingerprint a major attack entity by studying patterns in attack traces. We show that this entity dominates the DNS amplification ecosystem by carrying out 59% of the attacks, and provide an in-depth analysis of its behavior over time. Finally, our results reveal that operators of various .gov names adhere to a DNSSEC key rollover scheme, which exacerbates amplification potential, and which we can verifiably connect to misuses and attacker decision-making.



Read also

We demonstrate the first practical off-path time shifting attacks against NTP as well as against Man-in-the-Middle (MitM) secure Chronos-enhanced NTP. Our attacks exploit the insecurity of DNS allowing us to redirect the NTP clients to attacker controlled servers. We perform large scale measurements of the attack surface in NTP clients and demonstrate the threats to NTP due to vulnerable DNS.
133 - Zhiyuan Wang, Lin Gao, Tong Wang 2020
In mobile Internet ecosystem, Mobile Users (MUs) purchase wireless data services from Internet Service Provider (ISP) to access to Internet and acquire the interested content services (e.g., online game) from Content Provider (CP). The popularity of intelligent functions (e.g., AI and 3D modeling) increases the computation-intensity of the content services, leading to a growing computation pressure for the MUs' resource-limited devices. To this end, edge computing service is emerging as a promising approach to alleviate the MUs' computation pressure while keeping their quality-of-service, via offloading some computation tasks of MUs to edge (computing) servers deployed at the local network edge. Thus, Edge Service Provider (ESP), who deploys the edge servers and offers the edge computing service, becomes an upcoming new stakeholder in the ecosystem. In this work, we study the economic interactions of MUs, ISP, CP, and ESP in the new ecosystem with edge computing service, where MUs can acquire the computation-intensive content services (offered by CP) and offload some computation tasks, together with the necessary raw input data, to edge servers (deployed by ESP) through ISP. We first study the MU's Joint Content Acquisition and Task Offloading (J-CATO) problem, which aims to maximize his long-term payoff. We derive the off-line solution with crucial insights, based on which we design an online strategy with provable performance. Then, we study the ESP's edge service monetization problem. We propose a pricing policy that can achieve a constant fraction of the ex-post optimal revenue with an extra constant loss for the ESP. Numerical results show that the edge computing service can stimulate the MUs' content acquisition and improve the payoffs of MUs, ISP, and CP.
111 - Lan Wei, John Heidemann 2020
DNS is important in nearly all interactions on the Internet. All large DNS operators use IP anycast, announcing servers in BGP from multiple physical locations to reduce client latency and provide capacity. However, DNS is easy to spoof: third parties intercept and respond to queries for benign or malicious purposes. Spoofing is of particular risk for services using anycast, since service is already announced from multiple origins. In this paper, we describe methods to identify DNS spoofing, infer the mechanism being used, and identify organizations that spoof from historical data. Our methods detect overt spoofing and some covertly-delayed answers, although a very diligent adversarial spoofer can hide. We use these methods to study more than six years of data about root DNS servers from thousands of vantage points. We show that spoofing today is rare, occurring only in about 1.7% of observations. However, the rate of DNS spoofing has more than doubled in less than seven years, and it occurs globally. Finally, we use data from B-Root DNS to validate our methods for spoof detection, showing a true positive rate over 0.96. B-Root confirms that spoofing occurs with both DNS injection and proxies, but proxies account for nearly all spoofing we see.
75 - Lorenzo Ghiro 2021
The use of the term blockchain is documented for disparate projects, from cryptocurrencies to applications for the Internet of Things (IoT), and many more. The concept of blockchain appears therefore blurred, as it is hard to believe that the same technology can empower applications that have extremely different requirements and exhibit dissimilar performance and security. This position paper elaborates on the theory of distributed systems to advance a clear definition of blockchain that allows us to clarify its role in the IoT. This definition inextricably binds together three elements that, as a whole, provide the blockchain with those unique features that distinguish it from other distributed ledger technologies: immutability, transparency and anonymity. We note however that immutability comes at the expense of remarkable resource consumption, transparency demands no confidentiality and anonymity prevents user identification and registration. This is in stark contrast to the requirements of most IoT applications that are made up of resource constrained devices, whose data need to be kept confidential and users to be clearly known. Building on the proposed definition, we derive new guidelines for selecting the proper distributed ledger technology depending on application requirements and trust models, identifying common pitfalls leading to improper applications of the blockchain. We finally indicate a feasible role of the blockchain for the IoT: myriads of local, IoT transactions can be aggregated off-chain and then be successfully recorded on an external blockchain as a means of public accountability when required.
The interconnection of resource-constrained and globally accessible things with untrusted and unreliable Internet make them vulnerable to attacks including data forging, false data injection, and packet drop that affects applications with critical decision-making processes. For data trustworthiness, reliance on provenance is considered to be an effective mechanism that tracks both data acquisition and data transmission. However, provenance management for sensor networks introduces several challenges, such as low energy, bandwidth consumption, and efficient storage. This paper attempts to identify packet drop (either maliciously or due to network disruptions) and detect faulty or misbehaving nodes in the Routing Protocol for Low-Power and Lossy Networks (RPL) by following a bi-fold provenance-enabled packed path tracing (PPPT) approach. Firstly, a system-level ordered-provenance information encapsulates the data generating nodes and the forwarding nodes in the data packet. Secondly, to closely monitor the dropped packets, a node-level provenance in the form of the packet sequence number is enclosed as a routing entry in the routing table of each participating node. Lossless in nature, both approaches conserve the provenance size satisfying processing and storage requirements of IoT devices. Finally, we evaluate the efficacy of the proposed scheme with respect to provenance size, provenance generation time, and energy consumption.