understanding and characterizing hidden
play

Understanding and Characterizing Hidden Interception of the DNS - PowerPoint PPT Presentation

May 27, 2023 •151 likes •496 views

Who Is Answering My Queries? Understanding and Characterizing Hidden Interception of the DNS Resolution Path Baojun Liu, Chaoyi Lu, Haixin Duan, Ying Liu, Zhou Li, Shuang Hao and MinYang Presenter: Zhou Li (UC Irvine EECS) 1 DNS Resolution

  1. Who Is Answering My Queries? Understanding and Characterizing Hidden Interception of the DNS Resolution Path Baojun Liu, Chaoyi Lu, Haixin Duan, Ying Liu, Zhou Li, Shuang Hao and MinYang Presenter: Zhou Li (UC Irvine EECS) 1

  2. DNS Resolution • DNS: the beginning of Internet activities Authoritative servers – By a recursive resolver – Usually assigned by ISP Root NS request response 1. irtf.org? 4 TLD NS 5 8. 64.191.0.198 Client Recursive Resolver SLD NS 2

  3. DNS Resolution • Why public DNS? – Performance (e.g., load balancing) – Security (e.g., DNSSEC support) – DNS extensions (e.g., EDNS Client Subnet) 3

  4. DNS Interception • Who is answering my queries? Irft.org? Google DNS 8.8.8.8 Client I’m 8.8.8.8, irtf.org is at Authoritative 64.191.0.198. nameserver Alternative resolver 1.2.3.4 Spoof the IP address and intercept queries. 4

  5. Potential Interceptors Network Providers (ISP) Censorship / firewall Anti-virus software / malware (E.g., Avast anti-virus) Enterprise proxy (E.g., Cisco Umbrella intelligent proxy) 5

  6. Potential Interceptors Network Providers * https://labs.ripe.net/Members/babak_farrokhi/is-your-isp-hijacking-your-dns-traffic 6 * https://www.cactusvpn.com/tutorials/find-out-isp-doing-transparent-dns-proxy/

  7. Q1: How prevalent is DNS interception? Q2: What are the characteristics of DNS interception?

  8. Motivation Threat Model Methodology Analysis

  9. Threat Model • Taxonomy (request) – [1] Normal resolution Public DNS Request to 8.8.8.8 8.8.8.8 On-path Client Authoritative Device server Alternative resolver 1.2.3.4 9

  10. Threat Model • Taxonomy (request) – [2] Request redirection Public DNS Request to 8.8.8.8 8.8.8.8 On-path Client Authoritative Device server Alternative resolver 1.2.3.4 10

  11. Threat Model • Taxonomy (request) – [3] Request replication Public DNS Request to 8.8.8.8 8.8.8.8 On-path Client Authoritative Device server Alternative resolver 1.2.3.4 11

  12. Threat Model • Taxonomy (request) – [4] Direct responding Public DNS Request to 8.8.8.8 8.8.8.8 On-path Client Authoritative Device server Alternative resolver 1.2.3.4 12

  13. Motivation Threat Model Methodology Analysis

  14. How to Detect? • End-to-end data collection and comparison Check where Send DNS requests. they are from. Public DNS Request to 8.8.8.8 8.8.8.8 On-path Client Authoritative Device server Alternative resolver 1.2.3.4 14

  15. Vantage Points • Phase I: Global Analysis – ProxyRack: SOCKS residential proxy networks – Limitation: TCP traffic only • Phase II: China-wide Analysis – A network debugger module of security software – Similar to Netalyzr [Kreibich, IMC’ 10] – Capability: TCP and UDP; Socket level 15

  16. DNS Requests • Requirements – Diverse : triggering interception behaviors – Controlled : allowing fine-grained analysis Public DNS Google, OpenDNS, Dynamic DNS, EDU DNS Protocol TCP, UDP QTYPE A, AAAA, CNAME, MX, NS QNAME (TLD) com, net, org, club QNAME UUID.[Google].OurDomain. [TLD] 16

  17. Collected Dataset • DNS requests from vantage points – A wide range of requests collected Phase # Request # IP # Country # AS ProxyRack 1.6 M 36K 173 2,691 Debugging tool 4.6 M 112K 87 356 17

  18. Motivation Threat Model Methodology Analysis

  19. How many queries are intercepted?

  20. Magnitude • Investigated Ases 198 ASes 61 ASes have intercepted traffic have intercepted traffic (of 2,691, 7.36%, TCP) (of 356, 17.13%) 20

  21. Magnitude • Interception ratio – China-wide analysis, UDP & TCP 27.9% 12.6% 7.3% 0.9% 16.1% 9.8% EDU DNS 2.3% 1.1% Popular resolvers are prone to be intercepted. 21

  22. How are my queries intercepted?

  23. Interception Characteristics • Magnitude (% of total requests) – Normal resolution Request redirection Request replication 6.3% Direct responding is 7.8% 9.7% 22.3% rare. Request redirection > 90.2% 87.4% 83.9% 72.1% Request replication OpenDNS Dyn DNS EDU DNS Google 23

  24. Are my responses tampered?

  25. Response Manipulation • DNS record values – Most responses are not tampered . – Some exceptions: Classification # Response Example Client AS Gateway 54 192.168.32.1 AS4134, CN, China Telecom Monetization 10 39.130.151.30 AS9808, CN, GD Mobile Misconfiguration 26 ::218.207.212.91 AS9808, CN, GD Mobile Others 54 fe80::1 AS4837, CN, China Unicom 25

  26. Response Manipulation • Example: traffic monetization China Mobile Group of Yunnan: advertisements of an APP . 26

  27. So why should I care? Any threats?

  28. Security Threats • Ethics & privacy – Users may not be aware of the interception behavior • Alternative resolvers’ security – An analysis on 205 open alternative resolvers ALL BIND Only 43% versions resolvers should be support deprecated DNSSEC before 2009 28

  29. How can I prevent this?

  30. Solutions • DNSSEC and validation at client-side * Pic from: https://www.keycdn.com/support/dnssec/ 30

  31. Solutions • Encrypted DNS DNS * Pic from: https://tenta.com/blog/post/2017/12/dns-over-tls-vs-dnscrypt 31

  32. Solutions • Encrypted DNS – Resolver authentication (RFC8310) – DNS-over-TLS (RFC7858) – DNS-over-DTLS (RFC8094, experimental) – DNS-over-HTTPS (RFC8484) • Online checking tool – Which resolver are you really using? – http://whatismydnsresolver.com/ 32

  33. Conclusions • Understanding – A measurement platform to systematically study DNS interception • Findings – DNS interception exists in 259 ASes we inspected globally – Up to 28% requests from China to Google are intercepted – Security concerns • Mitigation – Resolver authentication; online checking tool 33

  34. Thank you! • Details in our Usenix Security’18 paper – Who Is Answering My Queries? Understanding and Characterizing Hidden Interception of the DNS Resolution Path • UC Irvine author contact – Zhou Li (Assistant Professor) – zhou.li@uci.edu – https://faculty.sites.uci.edu/zhouli/ – Looking for collaborations ☺ 34

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Understanding and Characterizing Hidden Interception of the DNS Resolution Path Baojun Liu,

Understanding and Characterizing Hidden Interception of the DNS Resolution Path Baojun Liu,

Who Is Answering My Queries? Understanding and Characterizing Hidden Interception of the DNS Resolution Path Baojun Liu, Chaoyi Lu, Haixin Duan, Ying Liu, Zhou Li, Shuang Hao and MinYang DNS Resolution ISP DNS Resolver Might have

702 views • 41 slides
Characterizing minimal interval completions: Background Motivation Towards better understanding

Characterizing minimal interval completions: Background Motivation Towards better understanding

Pinar Heggernes, Karol Suchan, Ioan Todinca, and Yngve Villanger Characterizing minimal interval completions: Background Motivation Towards better understanding of profile and Interval graphs Minimum and minimal interval pathwidth

356 views • 21 slides
Understanding and Tackling the Hidden Memory Latency for Edge-based Heterogeneous Platform

Understanding and Tackling the Hidden Memory Latency for Edge-based Heterogeneous Platform

DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING Pervasive and Emerging Architecture Research Lab (PEARL) Understanding and Tackling the Hidden Memory Latency for Edge-based Heterogeneous Platform Zhendong Wang, Zhen Wang, Cong Liu, and Yang Hu

398 views • 13 slides
On Inferring and Characterizing On Inferring and Characterizing Internet Routing Policies

On Inferring and Characterizing On Inferring and Characterizing Internet Routing Policies

On Inferring and Characterizing On Inferring and Characterizing Internet Routing Policies Internet Routing Policies Feng Wang Lixin Gao Department of Electrical and Computer Engineering University of Massachusetts, Amherst MA 01002, USA 1

450 views • 18 slides
Understanding Hidden Memories of Recurrent Neural Networks Yao Ming , Shaozu Cao, Ruixiang Zhang,

Understanding Hidden Memories of Recurrent Neural Networks Yao Ming , Shaozu Cao, Ruixiang Zhang,

Understanding Hidden Memories of Recurrent Neural Networks Yao Ming , Shaozu Cao, Ruixiang Zhang, Zhen Li, Yuanzhe Chen, Yangqiu Song, Huamin Qu. THE HONG KONG UNIVERSITY OF SCIENCE AND TECHNOLOGY What is a Recurrent Neural Network? H K U S T

397 views • 37 slides
Detecting and Detecting and Characterizing Heterogeneity Characterizing Heterogeneity

Detecting and Detecting and Characterizing Heterogeneity Characterizing Heterogeneity

Detecting and Detecting and Characterizing Heterogeneity Characterizing Heterogeneity (Biochemical or Conformational) (Biochemical or Conformational) by Cryo-EM by Cryo-EM Eva Nogales HHMI / UC Berkeley LBNL Seth Kostek Transcription

492 views • 34 slides
Characterizing Ext xtragalactic Pre-Main- Sequence Stars wit ith Machine and Deep Learnin ing

Characterizing Ext xtragalactic Pre-Main- Sequence Stars wit ith Machine and Deep Learnin ing

Characterizing Ext xtragalactic Pre-Main- Sequence Stars wit ith Machine and Deep Learnin ing Techniques Victor Francisco Ksoll Understanding the Nearby Star-forming Universe with JWST 27.08.2019 Star Forming Regions in the Large Magellanic

333 views • 18 slides
Port Newark 101 Understanding the Hidden Cost of the Moving Goods in Newark Nicole Scott-Harris,

Port Newark 101 Understanding the Hidden Cost of the Moving Goods in Newark Nicole Scott-Harris,

Port Newark 101 Understanding the Hidden Cost of the Moving Goods in Newark Nicole Scott-Harris, Newark Organizer NJEJA - "Take Back Port Newark" The Port Authority of NY & NJ Established in 1921, as a bi-state

334 views • 8 slides
Hidden$Terminals$ Nodes$A$and$C$are$hidden$terminals$when$sending$to$B$

Hidden$Terminals$ Nodes$A$and$C$are$hidden$terminals$when$sending$to$B$

Hidden$Terminals$ Nodes$A$and$C$are$hidden$terminals$when$sending$to$B$ Cant$hear$each$other$(to$coordinate)$yet$collide$at$B$ We$want$to$avoid$the$inefficiency$of$collisions $ CSE$461$University$of$Washington$ 53$

463 views • 31 slides
Ubiquitous and Mobile Computing CS 528: Automatically Characterizing Places with Opportunistic

Ubiquitous and Mobile Computing CS 528: Automatically Characterizing Places with Opportunistic

Ubiquitous and Mobile Computing CS 528: Automatically Characterizing Places with Opportunistic CrowdSensing using Smartphones Gauri Pulekar Computer Science Dept. Worcester Polytechnic Institute (WPI) Automatically Characterizing Places with

311 views • 30 slides
Hidden Markov Models Pratik Lahiri Introduction A hidden Markov model (HMM) is a

Hidden Markov Models Pratik Lahiri Introduction A hidden Markov model (HMM) is a

Hidden Markov Models Pratik Lahiri Introduction A hidden Markov model (HMM) is a statistical Markov model in which the system being modeled is assumed to be a Markov process with unobserved (hidden) states. We call the observed event

741 views • 13 slides
Characterizing and Synthesizing Task Dependencies of Data-Parallel Jobs in Alibaba Cloud

Characterizing and Synthesizing Task Dependencies of Data-Parallel Jobs in Alibaba Cloud

Characterizing and Synthesizing Task Dependencies of Data-Parallel Jobs in Alibaba Cloud Huangshi Tian, Yunchuan Zheng, Wei Wang @ HKUST Nov. 21, 2019 1 Every job is born equal, but some are more complicated ... Hadoop Spark Characterizing

269 views • 26 slides
Like Sheep Among Wolves: Characterizing Hateful Users on Twitter Manoel Horta Ribeiro Pedro H.

Like Sheep Among Wolves: Characterizing Hateful Users on Twitter Manoel Horta Ribeiro Pedro H.

Like Sheep Among Wolves: Characterizing Hateful Users on Twitter Manoel Horta Ribeiro Pedro H. Calais Yuri A. Santos Virglio A. F. Almeida Wagner Meira Jr. Motivation |||| In recent years plenty of work was done on characterizing and

311 views • 19 slides
Another view Hidden Input CEC is constant error Hidden carrousel No vanishing gradients

Another view Hidden Input CEC is constant error Hidden carrousel No vanishing gradients

Another view Hidden Input CEC is constant error Hidden carrousel No vanishing gradients Input f But, it is not always on Hidden s f Introducing gates: Input f Allow or disallow input Hidden Allow or

641 views • 28 slides
LSTMs Overview Subhashini Venugopalan Neural Networks z t Output B Hidden Hidden Input WHY

LSTMs Overview Subhashini Venugopalan Neural Networks z t Output B Hidden Hidden Input WHY

LSTMs Overview Subhashini Venugopalan Neural Networks z t Output B Hidden Hidden Input WHY RNNs/LSTMs? Can we operate over sequences of inputs? Limitations of vanilla Neural Networks z t Output Outputs a fixed size vector. B Hidden

737 views • 32 slides
Key methods for unlocking hidden data Dr Julie Scott-Jackson Institute of Archaeology, University

Key methods for unlocking hidden data Dr Julie Scott-Jackson Institute of Archaeology, University

The importance of Palaeolithic surface-scatters to our understanding of hominin dispersal and Neanderthal variability: Key methods for unlocking hidden data Dr Julie Scott-Jackson Institute of Archaeology, University of Oxford Director, PADMAC

492 views • 27 slides
Ne Needle in a Haystack: : Tracking Do Down Elite Ph Phishing g Dom Domains in the Wild Ke

Ne Needle in a Haystack: : Tracking Do Down Elite Ph Phishing g Dom Domains in the Wild Ke

Ne Needle in a Haystack: : Tracking Do Down Elite Ph Phishing g Dom Domains in the Wild Ke Tian, Steve T.K. Jan , Hang Hu, Danfeng Yao, Gang Wang Computer Science, Virginia Tech Phishing is a Big Th Threat Phishing: fraudulent attempt

411 views • 30 slides
Encapsulation End-to-End Argument Source Transport Saltzer, Reed & Clark, 1981 src &

Encapsulation End-to-End Argument Source Transport Saltzer, Reed & Clark, 1981 src &

Encapsulation End-to-End Argument Source Transport Saltzer, Reed & Clark, 1981 src & dst ports + Network src & dst IP addresses + message M Application src & dst MAC addresses Link segment H T M Transport datagram H N

354 views • 6 slides
Passive DNS Collection and Analysis The 'dnstap' (& fstrm) Approach Farsight Security, Inc.

Passive DNS Collection and Analysis The 'dnstap' (& fstrm) Approach Farsight Security, Inc.

Passive DNS Collection and Analysis The 'dnstap' (& fstrm) Approach Farsight Security, Inc. December 2014 Importance of Measuring DNS High volume low latency datagram protocol Channel 202; 40 sources; 1,657,398,226,932 bytes/day;

196 views • 19 slides
The DNS as a directory for identities ICANN DNS Symposium 2018, Montreal Vittorio Bertola

The DNS as a directory for identities ICANN DNS Symposium 2018, Montreal Vittorio Bertola

The DNS as a directory for identities ICANN DNS Symposium 2018, Montreal Vittorio Bertola <vittorio.bertola@open-xchange.com> 1 Premise: We need proper online identities Traditionally, we only had accounts And they were not

302 views • 18 slides
The DNS security mess D. J. Bernstein University of Illinois at Chicago; Technische Universiteit

The DNS security mess D. J. Bernstein University of Illinois at Chicago; Technische Universiteit

1 The DNS security mess D. J. Bernstein University of Illinois at Chicago; Technische Universiteit Eindhoven 2 The Domain Name System tue.nl wants to see http://www.ru.nl . Browser at tue.nl The web

1.39k views • 124 slides
Personalized Pseudonyms for Servers in the Cloud Qiuyu Xiao (UNC-Chapel Hill) Michael K. Reiter

Personalized Pseudonyms for Servers in the Cloud Qiuyu Xiao (UNC-Chapel Hill) Michael K. Reiter

Personalized Pseudonyms for Servers in the Cloud Qiuyu Xiao (UNC-Chapel Hill) Michael K. Reiter (UNC-Chapel Hill) Yinqian Zhang (Ohio State Univ.) Ba Backg kground Servers identity is not well protected with the normal HTTPS connection.

1.04k views • 65 slides
Networking: UDP & DNS 2 Lab Schedule Activities Assignments Due This Week Lab 9

Networking: UDP & DNS 2 Lab Schedule Activities Assignments Due This Week Lab 9

Computer Systems and Networks ECPE 170 Jeff Shafer University of the Pacific Networking: UDP & DNS 2 Lab Schedule Activities Assignments Due This Week Lab 9 Due by Apr 4 th 5:00am Lab 9 Network

349 views • 31 slides
Open Resolvers and the Threat of Reflection Attacks John Kristoff jtk@depaul.edu DPU CTI

Open Resolvers and the Threat of Reflection Attacks John Kristoff jtk@depaul.edu DPU CTI

Open Resolvers and the Threat of Reflection Attacks John Kristoff jtk@depaul.edu DPU CTI Networks Seminar jtk (jtk@depaul.edu) ORs and Attacks September 21, 2006 1 / 26 A Review of the DNS Lookup Process jtk (jtk@depaul.edu) ORs and

626 views • 26 slides

More recommend