A wrinkle in time: a case study in DNS poisoning

Regular contribution, International Journal of Information Security

Abstract

The domain name system (DNS) provides a translation between readable domain names and IP addresses. The DNS is a key infrastructure component of the Internet and a prime target for a variety of attacks. One of the most significant threats to the DNS’ well-being is a DNS poisoning attack, in which DNS responses are maliciously replaced, or poisoned, by an attacker. To identify this kind of attack, we start with an analysis of different kinds of response times. We present an analysis of typical and atypical response times, differentiating between the response times of the different levels of DNS servers, from root servers down to internal caching servers. We successfully identify empirical DNS poisoning attacks based on a novel method for DNS response timing analysis. We then present a system we developed to validate our technique; it does not require any changes to the DNS protocol or to any existing network equipment. Our validation system tested data from different architectures, including LAN and cloud environments, as well as real data from an internet service provider. Our method and system differ from most other DNS poisoning detection methods and achieved high detection rates exceeding 98%. These findings suggest that, when used in conjunction with other methods, our approach can considerably enhance the accuracy of those methods.
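The abstract describes detecting poisoning from response timing, with separate baselines for each level of the resolution chain. The following is an added illustration of that general idea and is not the authors' classifier or code: it learns a robust per-level baseline (median and median absolute deviation of round-trip time) from constructed "clean" observations and then flags responses whose timing is implausible for the server level that supposedly answered. The level names, the `DnsResponse` record, the threshold `k` and all sample RTT values are assumptions made for this example; a real deployment would derive them from captured traffic.

```python
"""Timing-based anomaly scoring for DNS responses (illustrative example, not the paper's method).

Assumption: a genuine answer that has to travel to an upstream server (TLD or
authoritative) cannot arrive much faster than the observed baseline for that
level, so an implausibly fast answer is a poisoning indicator; an implausibly
slow one is reported separately as a generic anomaly.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DnsResponse:
    txid: int       # DNS transaction ID of the query this response answers
    level: str      # hypothetical label of the answering tier: "cache", "tld", "authoritative"
    rtt_ms: float   # milliseconds from query sent to response received


def build_baseline(training: List[DnsResponse]) -> Dict[str, Tuple[float, float]]:
    """Per-level (median RTT, median absolute deviation) from responses believed clean."""
    by_level: Dict[str, List[float]] = {}
    for r in training:
        by_level.setdefault(r.level, []).append(r.rtt_ms)
    baseline: Dict[str, Tuple[float, float]] = {}
    for level, rtts in by_level.items():
        med = median(rtts)
        mad = median(abs(x - med) for x in rtts)
        # A constant training set would give MAD 0 and divide-by-zero; use a floor.
        baseline[level] = (med, mad if mad > 0 else 1.0)
    return baseline


def robust_score(response: DnsResponse, baseline: Dict[str, Tuple[float, float]]) -> float:
    """Signed distance from the level median in MAD units; negative means faster than typical."""
    med, mad = baseline[response.level]
    return (response.rtt_ms - med) / mad


def classify(responses: List[DnsResponse],
             baseline: Dict[str, Tuple[float, float]],
             k: float = 4.0) -> List[Tuple[int, str, str]]:
    """Return (txid, level, verdict) per response.

    Verdicts: "ok", "suspicious-fast", "suspicious-slow", or "no-baseline" when
    the claimed level was never seen in training (cannot be judged, so surface it).
    """
    out: List[Tuple[int, str, str]] = []
    for r in responses:
        if r.level not in baseline:
            out.append((r.txid, r.level, "no-baseline"))
            continue
        s = robust_score(r, baseline)
        if s < -k:
            verdict = "suspicious-fast"
        elif s > k:
            verdict = "suspicious-slow"
        else:
            verdict = "ok"
        out.append((r.txid, r.level, verdict))
    return out


# Constructed training data: an internal cache answers in about a millisecond,
# an authoritative server on the public Internet in roughly 40-55 ms.
TRAINING = [DnsResponse(100 + i, "cache", v) for i, v in
            enumerate([1.0, 1.2, 0.9, 1.1, 1.3, 1.0, 0.8, 1.2, 1.1, 1.0])] + \
           [DnsResponse(200 + i, "authoritative", v) for i, v in
            enumerate([42, 45, 48, 51, 55, 47, 50, 44, 53, 49])]

# Constructed test traffic: one authoritative-level answer arrives in 2 ms, which
# is far too fast for a round trip to that server; one is merely slow.
TEST_RESPONSES = [
    DnsResponse(0x1A2B, "authoritative", 2.0),    # implausibly fast -> poisoning indicator
    DnsResponse(0x1A2C, "authoritative", 50.0),   # normal
    DnsResponse(0x1A2D, "authoritative", 120.0),  # slow, generic anomaly
    DnsResponse(0x1A2E, "cache", 1.1),            # normal
    DnsResponse(0x1A2F, "root", 30.0),            # level absent from training
]

if __name__ == "__main__":
    base = build_baseline(TRAINING)
    for txid, level, verdict in classify(TEST_RESPONSES, base):
        print(f"txid=0x{txid:04x} level={level:<13} verdict={verdict}")
```

The median/MAD baseline is chosen over mean/standard deviation so that a handful of already-poisoned or retransmitted responses in the training window does not drag the baseline toward them. In practice the per-level label would come from correlating each response with the resolver's own upstream query, and the score would be one feature among several rather than a verdict on its own.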


Acknowledgements

This work was supported by the Ariel Cyber Innovation Center and The Bar Ilan Center for Research in Applied Cryptography and Cyber Security, in conjunction with the Israel National Cyber directorate in the Prime Minister’s Office.

Corresponding author

Correspondence to Harel Berger.

Ethics declarations

Conflict of interest

Mr. Harel Berger declares that he has no conflict of interest. Mr. Amit Z. Dvir declares that he has no conflict of interest. Mr. Moti Geva declares that he has no conflict of interest.

Funding

No funding was received for this study.

Ethical approval

This article does not contain any studies with human participants or animals performed by any of the authors.

Cite this article

Berger, H., Dvir, A.Z. & Geva, M. A wrinkle in time: a case study in DNS poisoning. Int. J. Inf. Secur. 20, 313–329 (2021). https://doi.org/10.1007/s10207-020-00502-x
