Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Networking
Uploaded by gsperezsci

DNSProtectionAgainstSpoofing

advertisement 
See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/309687590
DNS Protection against Spoofing and Poisoning Attacks
Conference Paper · July 2016
DOI: 10.1109/ICISCE.2016.279
CITATIONS
READS
12
663
6 authors, including:
Mohammed Abdulridha Hussain
Hai Jin
University of Basrah
Huazhong University of Science and Technology
37 PUBLICATIONS 112 CITATIONS
1,004 PUBLICATIONS 11,608 CITATIONS
SEE PROFILE
SEE PROFILE
Zaid Alaa Hussien
Zaid Ameen Abduljabbar
Huazhong University of Science and Technology
Huazhong University of Science and Technology
40 PUBLICATIONS 143 CITATIONS
87 PUBLICATIONS 186 CITATIONS
SEE PROFILE
SEE PROFILE
Some of the authors of this publication are also working on these related projects:
An effective image retrieval based on optimized genetic algorithm utilized a novel SVM-based convolutional neural network classifier View project
Container and Virtualization View project
All content following this page was uploaded by Zaid Ameen Abduljabbar on 26 January 2021.
The user has requested enhancement of the downloaded file.
2016 3rd International Conference on Information Science and Control Engineering
DNS Protection Against Spoofing and Poisoning Attacks
Mohammed Abdulridha Hussain1,2, Hai Jin1, Zaid Alaa Hussien1,3,
Zaid Ameen Abduljabbar1,2, Salah H. Abbdal1, Ayad Ibrahim2
1
Cluster and Grid Computing Lab
Services Computing Technology and System Lab
School of Computer Science and Technology
Huazhong University of Science and Technology, Wuhan, 430074, China
2
University of Basrah, Basrah, Iraq
3
Southern Technical University, Basrah, Iraq
mohsubber@gmail.com, hjin@hust.edu.cn
•
Abstract— Domain name system is among the core part of
TCP/IP protocol suite and the standard protocol used by the
Internet. The domain name system consists of mapped website
names with Internet protocol, which facilitates browsing by not
requiring users to remember numeric notation addresses. The
nature of the system, which involves transferring information
in plain text, makes it vulnerable to security attacks. The
domain name system suffers from spoofing and cache
poisoning attacks that are intended to steal the private
information of users. In this paper, a scheme is proposed to
prevent the aforementioned attacks by using an asymmetric
cipher to encrypt the important information in messages and
to protect these messages from manipulation. The proposed
scheme is examined and implemented using Linux platform
and C programming language. The proposed scheme protects
DNS against spoofing and poisoning attacks while the results
show small fraction of delay in time comparing with the
applied DNS. There are also additional commercial benefits
since it does not result in additional costs.
DNS Query: This is created by the resolver and it
contains an identifier (ID). The ID differs for each
message and port number, and it contains the Name
Server (NS).
• DNS Response: This is created by the server and it
contains the same ID to identify the query, NS, port
number, and IP.
The DNS messages can be transferred without any
encryption or authentication mechanisms, thereby raising the
risk of attacks. The DNS in general suffers from spoofing
and cache poisoning attacks that are intended to redirect
client traffic to an attacker machine or to a fake website.
Several enhancements have been made to enable the
DNS to resist and obstruct the aforementioned attacks.
Simply stated, one example is randomly creating the DNS
message ID and port number [3], which delays, reduces, and
resists the attacker. However, with current Internet speed and
bandwidth, even random IDs and port numbers can be
predicted easily. The 0x20-bit encoding method [4] is
intended to resist attackers by randomly mixing the domain
name in the DNS messages and changing character cases.
The objective of the attacker is to guess the valid domain
name by using the correct cases of characters. The main
drawback of the 0x20-bit encoding method is that the
attacker can easily guess the domain name if it is short.
With current processor speeds, deriving the correct
domain name is not so difficult. Thus, certain algorithms are
used to address security concerns. One of them is DNSSEC
[5], a set of cryptography algorithms that can prevent DNS
attacks. Public key infrastructure (PKI), such as RSA, DSA,
and Diffie–Hellman, are used in DNSSEC to create a digital
signature to authenticate the sender of DNS messages. The
digital signature is an encrypted hash value using the private
key. However, DNSSEC has the following disadvantages:
first, it is not deployed although it is an Internet standard;
second, it causes an increase in traffic when the servers share
certificates and keys; third, the scheme is complicated and is
therefore time consuming and changing in the DNS protocol
in the Internet infrastructure.
The objective of this paper is to present a scheme to
protect the DNS from spoofing and cache poisoning attacks.
To achieve this objective, PKI is used in encrypting the
valuable fields in the DNS messages while DNSSEC is used
by PKI to sign the messages. The proposed scheme is tested
Keywords- DNS; DNS-spoofing; DNS cache poisoning; DNS
protection
I.
INTRODUCTION
Internet-based hosts and entities are identified through
their Internet Protocol (IP) addresses. However, users prefer
to use Uniform Resource Locators (URL) or host names
instead of numeric addresses. Therefore, raising the needs for
a system to translate host names to IP address, which is
became Domain Name System (DNS) [1].
The DNS is designed as a client-server application. The
DNS client-side application, which is called a resolver,
receives the URL from the browser and sends a mapped
request query to the DNS server. The complete domain name
cannot be stored on a single server; thus, the DNS server is
divided into a hierarchy of servers. This hierarchy can
consist of many levels, but it generally includes three levels:
root, zone, and local DNS servers. Moreover, when the local
DNS server cannot respond to the resolver query, the local
server creates a query for the zone DNS server. If the zone
does not possess the answer, then a query for the root DNS
server is created, and when the response is received, the
answer is stored in the DNS server cache for future use. The
types of DNS messages are described briefly as follows [2]:
978-1-5090-2535-0/16
978-1-5090-2534-3
/16$31.00
$31.00©
©2016
2016IEEE
IEEE
DOI 10.1109/ICISCE.2016.279
1308
on Linux environments. This study provides the following
contributions to network security:
• The proposed scheme protects the DNS from
spoofing and cache poisoning attacks.
• The proposed scheme can resist man-in-the-middle
and denial-of-service attacks.
• The scheme can be applied without requiring the
root server key to authenticate other servers.
• The proposed approach is applicable to the Internet
protocol infrastructure without modification.
• Changes occur only in the application layer; in other
words, the update affects only the message handler
software.
The rest of this paper is organized as follows. Section II
defines the problem. Section III describes the proposed
scheme. Section IV explains the implementation and
experiment. Section V presents the results and discussion.
Section VI concludes the paper.
II.
•
the attacker carries the correct ID2 at the right time,
then the attacker succeeds in poisoning the local
DNS server cache.
When the attacker receives the DNS response
message from the local DNS sever with the forged
IP, then the attacker can successfully penetrate the
cache memory.
C. Results of DNS Attacks
The objective of the two attacks is to modify the IP of the
NS in the DNS response message received by the client so
that the client request is redirected to the intended IP. The IP
inserted by the attacker involves the following three
situations:
• If the IP does not exist, then the client suffers from a
denial-of-service attack.
• The IP can be a real website implemented by the
attacker to communicate with the client, thereby
prompting the client to disclose information. This
type of attack is known as a web spoofing.
• If the IP is the attacker machine IP, then the attacker
is able to read and manipulate the client messages,
which means that the client suffers from a man-inthe-middle attack.
PROBLEM DEFINITION
The DNS messages are transferred across the Internet
without security; in other words, any node can view or read
these messages through listen to UDP on port 53. The
implemented DNS in the Internet standard does not support
any type of encryption or authentication signature, which
places the DNS under risk of attack. The two main types of
DNS attacks are spoofing and cache poisoning, the
procedures of which are described as follows:
III.
PROPOSED SCHEME
The proposed scheme is based on an asymmetric cipher
that is intended to encrypt the significant values in the DNS
messages. Under this scheme, the RSA algorithm is used as
an asymmetric cipher that generates public and private keys
to the DNS servers. The client must possess the DNS server
public key, which is obtained from the DNS server either
through a secure channel or through a static configuration.
The procedures and contents of the DNS messages in the
proposed design are summarized as follows:
• Send_Query procedure: Generate an ID, encrypt the
ID using the public key, and bring the NS from the
URL. Transmit Query (NS and encrypted ID).
• Receive_Query procedure: Query (ID and NS)
arrives. Search the database for the NS; if found,
fetch the IP. Decrypt the ID using the private key.
• Send_Response procedure: Encrypt the IP using the
private key. Transmit Response (ID, NS, and
encrypted IP).
• Receive_Response procedure: Response (ID, NS,
and encrypted IP) arrives. Compare the received ID
with the stored ID; if they are the same, decrypt the
IP using the public key.
The DNS design is shown in Fig. 1. Entities and their
functions are described as follows:
A. DNS Spoofing Attack
The attacker must find a way to intercept the traffic
between the client and the gateway router through an
Address Resolution Protocol (ARP) cache poisoning attack.
At this stage, the attacker can read the DNS messages and
either change the IP of the NS in the DNS response message
or simply create a response message with the same query ID
and fake IP for the NS. In both cases, the IP is forged for the
benefit of the attacker [6].
B. DNS Cache Poisoning Attack
The cache is a high-speed memory device in the DNS
server where the response information is saved from the
upper level in the DNS server hierarchy. As the name
suggests, the cache poisoning attack involves an attempt to
poison the cache entries by using a fake response [7]. The
attack procedure is described as follows [8]:
• The attacker sends a query with ID1 and NS to the
local DNS server. The server searches the local
database and the cache memory for the NS. If the NS
is not found, then the server sends a query with ID2
and the same given NS to the upper-level DNS
server.
• The attacker sends multiple messages with random
ID2 values as DNS response messages to the local
DNS server containing the NS and fake IP. The
attacker attempts to guess the correct ID2 value
before the zone server response message arrives at
the local DNS server. If one of the responses sent by
A. Client
The client must have the local DNS server public key
(PUL). When the user types a URL on the address bar of the
browser, the browser sends the NS to the DNS resolver to
ask for the IP. The resolver functions are shown as follows:
1) Send_Query to local DNS server.
2) Wait until time out or response is received.
1309
3) Receive_Response from local DNS server.
The client-side program function is to create a DNS
query message. First, the URL is read from a file named
website.txt and the public key (PU) is read from
PuRSAkey.txt. Second, the DNS query header is prepared
with a single question each time a query ID is created, and
the ID is encrypted with the PU. Third, a query is sent and
the client program waits for a response from the server.
When the response arrives, the client program compares the
response message ID with the created query ID. If the IDs
are equal, then the IP is decrypted using PU, and if not equal,
then the system is attacked.
The server-side program function is to handle the client
query and to send a response. First, when the query arrives,
the private key (PR) is read from the file PrRSAkey.txt and
the query ID is decrypted with PR. Second, the name server
(NS) is read from the query. Third, the file dnsdb.txt is
opened and the program searches for the NS; if the NS is
found, then the IP is fetched and encrypted with PR. Finally,
a response message is created with the decrypted ID and
encrypted IP.
A network with three hosts is used to test the proposed
scheme where two hosts run Ubuntu operating system and
one host runs Kali Linux [10] operating system as attacker
program tools. One of the Ubuntu operating systems runs the
DNS client program, whereas the other runs the DNS server
program and acts as a gateway router with two connections.
On the server side, the file dnsdb.txt is filled with NSs
and their corresponding IPs. On the client side, the file
website.txt is filled with 10 different URLs, two of which do
not exist in the server file. The evaluation experiment for the
proposed scheme is divided into two parts. The first part
involves sending 1000 DNS queries using a Linux bash file.
The second part involves sending 10, 50, 100, 500, and
1000 DNS queries using the standard DNS, proposed DNS,
standard DNS with spoofing attack on 5 web pages, and
proposed DNS scheme with spoofing attack. Wireshark
program [11] is used to capture and analyze traffic.
B. Local DNS Server
The local DNS server possesses a private key (PRL), PUL,
and public key (PUZ) of the zone DNS server. The server
always listens to the media, and the server functions are
shown as follows:
1) Receive_Query from the client.
2) If the NS is found, then Send_Response to the
client.
3) Otherwise, Send_Query to zone DNS server.
4) Wait until time out or response is received.
5) Receive_Response from zone DNS server.
6) Send_Response to the client.
C. Zone DNS Server
The zone DNS server possesses a private key (PRZ), PUZ,
and public key (PUR) of the root DNS server. The server
always listens to the media, and the server functions (the
same functions as those for the root server) are shown as
follows:
1) Receive_Query from local DNS server.
2) If the NS is found, then Send_Response to the local
DNS server.
3) Otherwise, Send_Query to root DNS server.
4) Wait until time out or response is received.
5) Receive_Response from root DNS server.
6) Send_Response to local DNS server.
IV.
IMPLEMENTATION AND EXPERIMENT
Linux Ubuntu 12.04 LTS [9] is used as a platform for
implementation. The DNS server, DNS client side, and RSA
are implemented using C programming language. The RSA
key generation program stores the public key in a file called
PuRSAkey.txt and the private key in a file named
PrRSAkey.txt where the public key is sent to the client side.
Fig. 1.
Proposed scheme
1310
V.
RESULTS AND DISCUSSION
machine, and the machine time delay in the four cases is
almost the same.
The proposed scheme protects the DNS from attackers.
The strength of the scheme comes from the PKI and from the
encryption of the target information. The DNS cache
poisoning attack is based on guessing the correct ID; in the
proposed scheme, the ID is encrypted. If the attacker is
lucky, the challenge is how to encrypt the response IP with
the server private key.
The time difference between the DNS query and the
response from the client named T1 is expressed in seconds.
T1 in the normal situation and T1 in the proposed scheme are
shown in Fig. 2. T1 indicates the system time delay or media
plus router to response delay.
The time difference between the DNS query and the
response from the server is called T2, which is expressed in
seconds. T2 in the normal situation and T2 in the proposed
scheme are shown in Fig. 3. T2 indicates the DNS server
delay; in other words, it represents the time when the query
is received and processed and when the response is sent.
The peak values in Figs. 2 and 3 occur when the URL is
not found, which means that the dnsdb.txt file is searched
record by record through linear search. The preceding figures
show a small time difference between the normal and the
proposed schemes, where the difference between the two
average values in Fig. 2 is equal to 0.0000166 and that in
Fig. 3 is equal to 0.0000646.
ARP spoofing is a program implemented in the Kali
Linux operating system. Kali Linux runs dnsspoofing
through arpspoofing or enabling monitor mode in the
wireless interface. To identify the targeted website, the Kali
Linux uses a file that contains a list of websites and their
fake IPs. Dnsspoofing identifies the website through its name
server in the query message, whereas in normal situation, the
attacker forwards the query. When the name server is found
in the attacker file, the attacker uses the query ID and the
fake IP. Subsequently, the attacker enables the recursion bit
in the DNS header to send a response to the client. Fig. 4
shows that the attacker uses the query ID instead of the
response ID, which will be blocked by the proposed scheme
because it is not equal to the ID prior to encryption. Even if
the attacker uses the response ID, the client still decrypts the
IP, which results in unknown IP. This situation may cause a
denial of service; however, the attacker forwards the server
response because the ID is different from the query (Fig. 4).
Time evaluation of client and router machines is
conducted using the normal scheme, as well as the proposed
scheme without attack and with DNS spoofing attack. As
previously mentioned, the experiment sends 10, 50, 100,
500, and 1000 DNS queries and receives the response
messages. Fig. 5 shows the average time delay of the client
machine. Fig. 6 demonstrates the average time delay of the
router machine. The first bar in the figure represents the
normal DNS; second bar, proposed scheme; third bar,
normal DNS under attack; and fourth bar, proposed scheme
under spoofing attack. The first four set of bars represents 10
queries; second set, 50 queries; third set, 100 queries; fourth
set, 500 queries; and fifth set, 1000 queries.
As shown in Figs. 5 and 6, a small difference exists
between the proposed scheme and the normal DNS in both
machine delays. In the first two cases the delay is high
comparing with others because of the delay of startup
program time. The time delay increases in the client machine
when the client is under attack because of the number of fake
responses sent to the client from the attacker. By contrast, no
fake response is received from the attacker in the router
1311
Fig. 2.
T1 for normal and proposed situations
Fig. 3.
T2 for normal and proposed situations
Fig. 4.
Attacker fake response
ACKNOWLEDGMENT
This work is supported by National 973 Fundamental
Basic Research Program of China under grant No.
2014CB340600.
REFERENCES
[1]
Fig. 5.
Time delay of client machine
Fig. 6.
Time delay of router machine
R. Bassil, R. Hobeica, W. Itani, C. Ghali, A. Kayssi, and A. Chehab,
“Security Analysis and Solution for Thwarting Cache Poisoning
Attacks in the Domain Name System,” Proceedings of the 19th IEEE
International Conference on Telecommunications (ICT’12),
Lebanon, pp. 1-6, 2012.
[2] B. A. Forouzan, TCP/IP protocol Suite, McGraw-Hill, 4th Edition,
2010.
[3] D. J. Bernstein. The DNS random Library Interface.
http://cr.yp.to/djbdns/dns random.html. 2008
[4] D. Dagon, M. Antonakakis, P. Vixie, T. Jinmei, and W. Lee,
“Increased DNS Forgery Resistance Through 0x20-Bit Encoding,”
Proceedings of the 15th ACM Conference on Computer and
Communications Security (CCS’08), USA, pp. 211-222, 2008.
[5] D. Eastlake 3rd. Domain Name System Security Extensions. RFC
2535, Internet Engineering Task Force, 1999. http://www.rfcbase.org/rfc-2535.html
[6] R. Rijswijk-Deij, A. Sperotto, and A. Pras, “DNSSEC and Its
Potential for DDoS Attacks,” Proceedings of ACM Conference on
Internet Measurement (IMC’14), Canada, pp. 449-460, 2014.
[7] J. Mohan, S. Puranik, and K. Chandrasekaran, “Reducing DNS Cache
Poisoning Attacks,” Proceedings of IEEE International Conference
on Advanced Computing and Communication Systems (ICACCS’15),
India, pp. 1-6, 2015.
[8] H. Wu, X. Dang, L. Zhang, and L. Wang, “Kalman Filter Based DNS
Cache Poisoning Attack Detection,” Proceedings of IEEE
International Conference on Automation Science and Engineering
(CASE’15), Sweden, pp. 1594-1600, 2015.
[9] http://www.ubuntu.com.
[10] https://www.kali.org.
[11] https://www.wireshark.org.
The DNS spoofing attack manages to disclose the query
and response, but is still the problem with the strength of PKI
even if one of the keys is known.
Finally, the DNS server PU is sent to every host, such as
through HTTPS or by downloading from the router. This
approach means that everyone can read the response, but not
everyone can encrypt the IP with PR. In other words, IP
encryption is needed to authenticate the DNS server.
VI.
CONCLUSION
A DNS attack is a core part of man-in-the-middle and
denial-of-service attacks. To manage an attack, the attacker
exploits the DNS messages transferred in plain text. The
proposed scheme withstands DNS attacks with minimal
computation time.
The proposed scheme uses an asymmetric cipher
technique to encrypt the important information, specifically
the query ID and the response name server IP. Both
parameters are used to authenticate the server and hide the
information from the attacker. Thus, guessing the
information becomes difficult or impossible for the attacker.
Results show that the proposed scheme does not suffer
from the denial of service because the strategy of sending the
decrypted ID in the response causes the difference between
the query and response IDs.
1312
View publication stats
Related documents
Questions for Unit-7
Questions for Unit-7
HOMEWORK 1 • DNS stands for do not submit (1) DNS Make up a
HOMEWORK 1 • DNS stands for do not submit (1) DNS Make up a
Development of the domain name system Baoning Wu 01/30/2003
Development of the domain name system Baoning Wu 01/30/2003
Assignment-2_old Paper
Assignment-2_old Paper
Download
advertisement