TY - JOUR
T1 - A wrinkle in time
T2 - a case study in DNS poisoning
AU - Berger, Harel
AU - Dvir, Amit Z.
AU - Geva, Moti
N1 - Publisher Copyright:
© 2020, Springer-Verlag GmbH Germany, part of Springer Nature.
PY - 2021/6
Y1 - 2021/6
N2 - The domain name system (DNS) provides a translation between readable domain names and IP addresses. The DNS is a key infrastructure component of the Internet and a prime target for a variety of attacks. One of the most significant threats to DNS’ well-being is a DNS poisoning attack in which the DNS responses are maliciously replaced, or poisoned, by an attacker. To identify this kind of attack, we start with an analysis of different kinds of response times. We present an analysis of typical and atypical response times, while differentiating between the different levels of DNS servers’ response times, from root servers down to internal caching servers. We successfully identify empirical DNS poisoning attacks based on a novel method for DNS response timing analysis. We then present a system we developed to validate our technique that does not require any changes to the DNS protocol or any existing network equipment. Our validation system tested data from different architectures including LAN and cloud environments and real data from an internet service provider. Our method and system differ from most other DNS poisoning detection methods and achieve high detection rates exceeding 98%. These findings suggest that when used in conjunction with other methods, they can considerably enhance the accuracy of these methods.
KW - DNS
KW - DNS security
KW - Network protocols
KW - Network security
UR - http://www.scopus.com/inward/record.url?scp=85085380532&partnerID=8YFLogxK
U2 - 10.1007/s10207-020-00502-x
DO - 10.1007/s10207-020-00502-x
M3 - Article
AN - SCOPUS:85085380532
SN - 1615-5262
VL - 20
SP - 313
EP - 329
JO - International Journal of Information Security
JF - International Journal of Information Security
IS - 3
ER -