Similar literature (20 records found)
1.
The Domain Name System (DNS) is an essential part of the Internet infrastructure and provides fundamental services, such as translating host names into IP addresses for Internet communication. The DNS is vulnerable to a number of potential faults and attacks. In particular, false routing announcements can deny access to the DNS service or redirect DNS queries to a malicious impostor. Due to the hierarchical DNS design, a single fault or attack against the routes to any of the top-level DNS servers can disrupt Internet services to millions of users. We propose a path-filtering approach to protect the routes to the critical top-level DNS servers. Our approach exploits both the high degree of redundancy in top-level DNS servers and the observation that popular destinations, including top-level DNS servers, are well-connected via stable routes. Our path-filter restricts the potential top-level DNS server route changes to be within a set of established paths. Heuristics derived from routing operations are used to adjust the potential routes over time. We tested our path-filtering design against BGP routing logs and the results show that the design can effectively ensure correct routes to top-level DNS servers without impacting DNS service availability.

2.
The growth of the Internet has brought about many challenges for its critical infrastructure. The DNS infrastructure, which translates mnemonic host names into IP addresses understood by the routers, is frequently the target of cache poisoning attacks. Internet routers are also experiencing alarming growth in their routing table sizes, which may soon make it impossible for them to forward packets quickly enough to meet demand. Further, concerns about IPv4 address space exhaustion loom on the horizon despite the availability of IPv6. In this paper, we take a fresh look at Internet routing and propose a scheme that addresses all of these concerns cleanly. Our scheme forgoes IP addresses entirely and instead uses host names as identifiers in packets. The scalability of routing is ensured by encapsulating these packets in highly aggregated routing locators: we use autonomous system numbers (ASNs), which are already an integral part of inter-domain routing. We present data and experiments to show that a much simpler and scalable routing infrastructure can be designed for a future Internet by using fewer identifiers for its entities.

3.
Effective caching in the domain name system (DNS) is critical to its performance and scalability. Existing DNS only supports weak cache consistency by using the time-to-live (TTL) mechanism, which functions reasonably well in normal situations. However, maintaining strong cache consistency in DNS as an indispensable exception-handling mechanism has become more and more demanding for three important objectives: 1) to quickly respond to and handle exceptions such as sudden and dramatic Internet failures caused by natural and human disasters, 2) to adapt to increasingly frequent changes of Internet Protocol (IP) addresses due to the introduction of dynamic DNS techniques for various stationary and mobile devices on the Internet, and 3) to provide fine-grained controls for content delivery services to balance server load distributions in a timely manner. With agile adaptation to various exceptional Internet dynamics, strong DNS cache consistency improves the availability and reliability of Internet services. In this paper, we first conduct extensive Internet measurements to quantitatively characterize DNS dynamics. Then, we propose a proactive DNS cache update protocol (DNScup), running as middleware in DNS name servers, to provide strong cache consistency for DNS. The core of DNScup is an optimal lease scheme, called dynamic lease, to keep track of the local DNS name servers. We compare dynamic lease with other existing lease schemes through theoretical analysis and trace-driven simulations. Based on the DNS dynamic update protocol, we build a DNScup prototype with minor modifications to the current DNS implementation. Our system prototype demonstrates the effectiveness of DNScup and its easy and incremental deployment on the Internet.

4.
Computer, 2007, 40(5): 14-17
The DNS is a service that translates easy-to-remember alphabetic URLs into Web sites' actual numerical IP addresses. The system enables users to easily access the Web sites they want to visit and thus is a critical part of Internet operations. DDoS attacks can overwhelm servers with hacker-generated traffic and thereby make them unavailable for legitimate communications. These assaults are a serious threat to the Internet because hackers are developing increasingly sophisticated ways to take over thousands of unsuspecting victims' computers, creating large botnets of zombie machines they can use to launch DDoS attacks. DNS security measures and quick, coordinated responses by Internet engineers, including the filtering of hackers' messages, made the recent attack less effective than a major assault that occurred in 2002. This is important because a significant disruption to the DNS system could slow or limit Internet access for millions of users.

5.
To address the problems that current detection methods for application-layer distributed denial-of-service attacks (App-DDoS) depend heavily on system logs and detect only a single type of attack, this paper proposes DFM-FA (detection and filtering model against App-DDoS attacks based on flow analysis), a joint detection model based on Kalman filtering and information entropy. It maps application-layer behavioural anomaly detection onto network-layer traffic anomaly detection, giving legitimate users priority for normal access to the greatest possible extent. Experiments show that DFM-FA does not depend on system logs and can detect multiple kinds of App-DDoS attacks, including those against FTP and DNS.

6.
The Domain Name System (DNS) is indispensable infrastructure for the operation of the Internet: it translates easy-to-remember domain names into the IP addresses of Internet resources. Because of its inherently open design, DNS has long been plagued by security problems, and privacy has become a hot topic in DNS security in recent years. By reviewing the DNS query process, this paper analyses the privacy risks that may exist at each step of a query and finds that the privacy attacks DNS faces are mainly eavesdropping on the link and privacy collection at the server. Drawing on recent research on DNS privacy, it analyses the private data that may leak through DNS, the scope of the impact, and the harm it may cause. It surveys the currently known solutions and compares their performance in terms of reliability, degree of anonymisation, and deployability. Finally, it offers some suggestions for future research at the technical, deployment and legal levels.

7.
Two main security threats exist for DNS in the context of query/response transactions: attackers can spoof authoritative name servers responding to DNS queries and alter DNS responses in transit through man-in-the-middle attacks, and they can alter the DNS responses stored in caching name servers. The IETF has defined the digital-signature-based DNSSEC for protecting DNS query/response transactions through a series of Requests for Comments.

8.
DNS (domain name system), an important basic service facility of the network, is a necessary link for end devices to access the Internet. In recent years, a growing number of attacks attempt to lead users to malicious servers through the DNS system, posing a serious threat to Internet security. Preventing and defusing access to malicious domain names or IP addresses, such as phishing sites, spam, ransomware and pornographic sites, is, for both network operators and network regulators, ...

9.
With the expansion of the Internet, large numbers of real-time applications are deployed on it, and these applications place stricter requirements on network latency. However, the intra-domain routing protocols currently deployed on the Internet cannot meet the latency requirements of real-time applications, so improving intra-domain routing availability has become a key scientific problem that urgently needs to be solved. Academia and industry have proposed routing protection schemes to improve routing availability and thereby reduce the network interruptions and packet loss caused by network failures. Existing routing protection schemes treat all nodes in the network equally and do not consider how important a node is to the network, which does not reflect reality. This paper therefore proposes an Intra-domain Routing Protection Algorithm Based on Critical Nodes (RPBCN). First, a routing availability model is built to quantify routing availability; second, a node criticality model is built to quantify the importance of nodes in the network; finally, based on the routing availability model and the node criticality model, a critical-node-based intra-domain routing protection scheme is proposed. Experimental results show that RPBCN greatly reduces the computational overhead of the algorithm while guaranteeing routing availability, providing ISPs with a new and efficient solution to the routing availability problem.

10.
Virtually every Internet application relies on the Domain Name System, but security wasn't a major goal of its original design. The result is several critical vulnerabilities, reviewed in this introduction to a special issue on DNS security. To address the security challenges, the community developed the DNS Security Extensions (DNSSEC), which are undergoing deployment. The articles in this special issue summarize key aspects of DNSSEC deployment: at authoritative servers, at resolvers, and public key learning.

11.
As an important server on the Internet, DNS has security and stability properties that directly affect service quality. Understanding the attack techniques aimed at DNS and the methods for defending against them is essential, and security vendors offer many products for DNS server security.

12.
The recent growth in use of the World-Wide Web in the Internet has caused a significant increase in the demand placed on Web servers. This increased load results in noticeably longer response times for users. We propose an approach to using multicast in the delivery of Web resources that reduces the load on servers as well as the networks that connect them. We analyze the issues involved in using multicast in the Web, especially those related to routing and addressing, and present an alternative approach to multicast routing that is appropriate for this application. We also describe the design and implementation of a system based on the existing WWW client and server architecture and the multicast support provided within IP. Experimental results from this implementation are presented.

13.
A distributed multiserver Web site can provide the scalability necessary to keep up with growing client demand at popular sites. Load balancing of these distributed Web-server systems, consisting of multiple, homogeneous Web servers for document retrieval and a Domain Name Server (DNS) for address resolution, opens interesting new problems. In this paper, we investigate the effects of using a more active DNS which, as an atypical centralized scheduler, applies some scheduling strategy in routing the requests to the most suitable Web server. Unlike traditional parallel/distributed systems in which a centralized scheduler has full control of the system, the DNS controls only a very small fraction of the requests reaching the multiserver Web site. This peculiarity, especially in the presence of highly skewed load, makes it very difficult to achieve acceptable load balancing and avoid overloading some Web servers. This paper adapts traditional scheduling algorithms to the DNS, proposes new policies, and examines their impact under different scenarios. Extensive simulation results show the advantage of strategies that make scheduling decisions on the basis of the domain that originates the client requests and limited server state information (e.g., whether a server is overloaded or not). An initially unexpected result is that using detailed server information, especially based on history, does not seem useful in predicting the future load and can often lead to degraded performance.

14.
In the aftermath of well-publicized attacks against DNS root servers, top-level domains (TLDs), and country code domains, most recently Pakistan, CIOs are looking for ways to make sure their own DNS and DHCP services are reliable and secure. Here's the recipe we use at Nominum, which can help most enterprises.

15.
The Design of a Generic Intrusion-Tolerant Architecture for Web Servers (cited by 1: 0 self-citations, 1 by others)
Nowadays, more and more information systems are connected to the Internet and offer Web interfaces to the general public or to a restricted set of users. Such openness makes them likely targets for intruders, and conventional protection techniques have been shown insufficient to prevent all intrusions in such open systems. This paper proposes a generic architecture to implement intrusion-tolerant Web servers. This architecture is based on redundancy and diversification principles, in order to increase the system's resilience to attacks: usually, an attack targets a particular piece of software, running on a particular platform, and fails on others. The architecture is composed of redundant proxies that mediate client requests to a redundant bank of diversified COTS (Commercial Off The Shelf) application servers. The redundancy is deployed here to increase system availability and integrity. To improve performance, adaptive redundancy is applied: the redundancy level is selected according to the current alert level. The architecture can be used for static servers, i.e., for Web distribution of stable information (updated off-line), as well as for fully dynamic systems where information updates are executed immediately on an on-line database. The feasibility of this architecture has been demonstrated by implementing an example of a travel agency Web server.

16.
Measurement study of Internet access behaviour in the DNS service (cited by 2: 0 self-citations, 2 by others)
Using the national top-level domain name system resources managed by the China Internet Network Information Center, this paper performs a macroscopic measurement and analysis of current DNS service requests for the CN top-level domain. The study finds that the overall query frequency of CN national domain names follows a Zipf-like distribution and that the query volume per recursive server follows a stretched-exponential distribution; that is, DNS service requests for the CN national domain show an overall concentrated distribution and temporal locality in domain-name query patterns. This overall understanding and global description of the national domain-name service is important for a deeper understanding of the overall operating state of China's national domain name system and for a scientific understanding of the macro-level development characteristics of China's network.

17.
The Domain Name System (DNS) plays a crucial role in connecting services and users on the Internet. Since its first specification, DNS has been extended in numerous documents to keep it fit for today's challenges and demands. And these challenges are many. Revelations of snooping on DNS traffic led to changes to guarantee confidentiality of DNS queries. Attacks to forge DNS traffic led to changes to shore up the integrity of the DNS. Finally, denial-of-service attacks on DNS operations have led to new DNS operations architectures. All of these developments make DNS a highly interesting, but also highly challenging research topic. This tutorial, aimed at graduate students and early-career researchers, provides an overview of the modern DNS, its ongoing development and its open challenges. This tutorial has four major contributions. We first provide a comprehensive overview of the DNS protocol. Then, we explain how DNS is deployed in practice. This lays the foundation for the third contribution: a review of the biggest challenges the modern DNS faces today and how they can be addressed. These challenges are (i) protecting the confidentiality and (ii) guaranteeing the integrity of the information provided in the DNS, (iii) ensuring the availability of the DNS infrastructure, and (iv) detecting and preventing attacks that make use of the DNS. Last, we discuss which challenges remain open, pointing the reader towards new research areas.

18.
Security of session initiation protocol (SIP) servers is a serious concern of Voice over Internet (VoIP) vendors. The important contribution of our paper is an accurate and real-time attack classification system that detects: (1) application layer SIP flood attacks that result in denial of service (DoS) and distributed DoS attacks, and (2) Spam over Internet Telephony (SPIT). The major advantage of our framework over existing schemes is that it performs packet-based analysis using a set of spatial and temporal features. As a result, we do not need to transform network packet streams into traffic flows and thus save the significant processing and memory overheads associated with flow-based analysis. We evaluate our framework on real-world SIP traffic, collected from the SIP server of a VoIP vendor, by injecting a number of application layer anomalies into it. The results of our experiments show that our proposed framework achieves significantly greater detection accuracy compared with existing state-of-the-art flooding and SPIT detection schemes.

19.
On the basis of the local area network that an ordinary school already has, and following the Internet's TCP/IP protocols, a Web site and DNS, FTP, MAIL and other servers can be set up to simulate the functions of the Internet, giving students experience in building and managing a Web site.

20.
DNS, an important piece of infrastructure for Internet services, has serious security vulnerabilities, and in recent years network attacks exploiting these vulnerabilities have caused enormous losses to DNS and the Internet. On this basis, this paper discusses the DNS Security Extensions protocol. It first analyses the security vulnerabilities of DNS, then introduces DNSSEC in detail, discussing mainly its technical principles, implementation process and validation methods; finally, it summarises the current state of global DNSSEC deployment and forecasts its development trends.
