[English translation] Detection and prevention of DNS spoofing attacks (Computer Engineering 2006) #437

@wkrp

Description

This research paper, originally published in Chinese in 2006, has not been available in English before. It is a bit unusual in that it describes how to mitigate a class of DNS attacks that is done by the Great Firewall of China, even though one of the authors, 方滨兴 (Fang Binxing), is known to have helped create the Great Firewall.


DNS 欺骗攻击的检测和防范
Detection and prevention of DNS spoofing attacks
闫伯儒 (Yan Boru), 方滨兴 (Fang Binxing), 李斌 (Li Bin), 王垚 (Wang Yao)
Journal homepage
Original Chinese PDF
Online English HTML
English PDF

The paper is, facially, about detecting and preventing DNS response injection attacks—exactly the kind of attack that has long been one of the GFW's primary tools for censorship. It presents three ways to detect that DNS response injection is occurring, and three ways to distinguish injected responses from legitimate ones and thereby foil the attack.

Section 1.2 is a straightforward description of a DNS response injection attack. The DNS client sends a query, and the attacker sends a response containing a fake IP address (spoofing the source address so it appears to come from the real resolver). The real resolver sends its response too, but because the attacker's response arrives first, that is the one honored by the client.

Two end-user computers labeled "Attacked" and "Attacker" are connected to a communications line, along with a server labeled "Preferred DNS server". In step 1, Attacked sends a request packet towards the preferred DNS server. In step 2, Attacker sees the request packet on the monitor and sends back a spoofed response packet. In step 3, the preferred DNS server sends a legitimate response packet.
Figure 2: DNS spoofing attack

The paper unambiguously calls DNS response injection "harmful" and an "attack". Table 1 compares response injection with other DNS attacks: cache poisoning, server compromise, and denial of service. The authors emphasize that the attack is only possible because of design flaws in the DNS protocol.

The three techniques for detecting that DNS injection is happening come in both passive and active varieties:

  1. After sending a DNS query, wait for a certain amount of time and count the responses. (Similar to "Hold-On", 2012.) Real resolvers send only one response per query, so receiving more than one response is a sign of injection.
  2. Actively send DNS queries to non-resolvers. If any response is received, it must have been from DNS injection.
  3. Cross-checking: After receiving a DNS response containing an IP address, do a reverse lookup on the IP address to get a hostname, and check whether the hostname matches the hostname that was initially queried for. A mismatch indicates DNS injection.
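Detection technique (1) is the only one of the three that works offline, so here it is as an added example (my code, not the paper's): parse the DNS header of each packet in a constructed trace, remember when each query was sent, and count how many responses with the same transaction ID arrive within a listening window. The trace, the window length, and the transaction IDs are all made up for the example.

```python
import struct

# 12-byte DNS header per RFC 1035: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT,
# each a big-endian uint16. The counting detector needs nothing beyond the header.
HEADER = struct.Struct(">HHHHHH")
QR = 0x8000  # query/response bit in FLAGS


def parse_header(msg: bytes) -> dict:
    """Return the header fields of a DNS message."""
    txid, flags, qd, an, ns, ar = HEADER.unpack_from(msg, 0)
    return {"id": txid, "response": bool(flags & QR),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def find_duplicate_responses(packets, window=2.0):
    """Hold-On-style check: after a query goes out, keep listening for `window`
    seconds and count responses carrying the same ID. A real resolver answers
    once, so returns {txid: count} for every ID that got more than one."""
    sent_at = {}
    seen = {}
    for ts, msg in packets:
        h = parse_header(msg)
        if not h["response"]:
            sent_at[h["id"]] = ts
            seen[h["id"]] = 0
        elif h["id"] in sent_at and ts - sent_at[h["id"]] <= window:
            seen[h["id"]] += 1
    return {i: n for i, n in seen.items() if n > 1}


def mk(txid, response, qd=1, an=0, ns=0, ar=0):
    """Constructed header-only DNS message with the given section counts."""
    return HEADER.pack(txid, QR if response else 0, qd, an, ns, ar)


# Constructed trace (timestamps in seconds): query 0x1A2B receives an injected
# answer (one bare A record) at +0.02 s and the resolver's real answer at
# +0.09 s; query 0x3C4D receives exactly one answer.
TRACE = [
    (0.00, mk(0x1A2B, False)),
    (0.02, mk(0x1A2B, True, an=1)),
    (0.09, mk(0x1A2B, True, an=1, ns=2, ar=2)),
    (0.10, mk(0x3C4D, False)),
    (0.15, mk(0x3C4D, True, an=1, ns=2, ar=2)),
]
```

A window that is too short misses the real resolver's late answer, which is why the check is a detector of injection rather than a filter on its own.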

There are an additional three techniques for distinguishing injected DNS responses from legitimate ones. The first two are based on the observation that injected responses tend to be simpler in structure than real responses, having fewer sections and resource records.

  1. Assign a weight (which may be positive or negative) to each of the possible sections in a DNS message (Question, Answer, Authority, and Additional), and compute a weighted sum over the number of resource records in each section. Classify as injection any response whose score is above or below some threshold.
  2. Use a Bayes classifier. The paper devotes considerable space to deriving a Bayes classifier over a single feature, the number of resource records in the Authority section. The distribution of the number of authoritative servers in legitimate responses is empirically estimated in Figure 3 using the top 100 websites in China. The authors stress that this is only a proof of concept, and that a realistic classifier would take more features into account. (Though they do try out the single-feature classifier later, in the evaluation section.)
  3. Cross-checking: Just as with detection technique (3) above, check that forward and reverse lookups are consistent. The extra step that makes it prevention is to ignore any inconsistent responses.
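Prevention techniques (1) and (2) as an added example (my code, not the paper's): the weighted sum over section sizes uses the paper's best weight vector (1 for Answer, Authority, and Additional), while the weight of 0 for Question, the threshold of 2, the Bayes likelihood tables, and the sample responses are assumptions constructed for this example rather than the paper's Figure 3 measurements.

```python
import struct

HEADER = struct.Struct(">HHHHHH")  # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT


def section_counts(msg: bytes):
    """Number of RRs in (Question, Answer, Authority, Additional)."""
    _, _, qd, an, ns, ar = HEADER.unpack_from(msg, 0)
    return (qd, an, ns, ar)


# Technique (1): weighted sum of section sizes. Weight 1 for Answer, Authority
# and Additional is the paper's best vector; weight 0 for Question and the
# threshold of 2 are this example's assumptions.
BEST_WEIGHTS = (0, 1, 1, 1)
THRESHOLD = 2


def weighted_score(msg, weights=BEST_WEIGHTS):
    return sum(w * n for w, n in zip(weights, section_counts(msg)))


def injected_by_score(msg, weights=BEST_WEIGHTS, threshold=THRESHOLD):
    return weighted_score(msg, weights) < threshold


# Technique (2): Bayes over the single feature NSCOUNT. Likelihood tables are
# constructed for this example; P_NS_INJECTED mirrors an attacker that adds an
# Authority RR 10% of the time, as in the paper's enhanced ADMid.
P_NS_LEGIT = {0: 0.05, 1: 0.10, 2: 0.35, 3: 0.25, 4: 0.25}
P_NS_INJECTED = {0: 0.90, 1: 0.10}
PRIOR_INJECTED = 0.5
EPS = 1e-3  # floor for NSCOUNT values absent from a table


def p_injected_by_bayes(msg):
    ns = section_counts(msg)[2]
    pi = P_NS_INJECTED.get(ns, EPS) * PRIOR_INJECTED
    pl = P_NS_LEGIT.get(ns, EPS) * (1 - PRIOR_INJECTED)
    return pi / (pi + pl)


def keep_legitimate(responses):
    """Prevention: drop every response the weighted-sum rule flags."""
    return [r for r in responses if not injected_by_score(r)]


def mk(an, ns, ar, txid=0x1A2B, qd=1):
    """Constructed header-only response with the given section sizes."""
    return HEADER.pack(txid, 0x8000, qd, an, ns, ar)


INJECTED = mk(an=1, ns=0, ar=0)     # bare A record only
INJECTED_NS = mk(an=1, ns=1, ar=0)  # the attacker's 10% case: one Authority RR
LEGIT = mk(an=1, ns=2, ar=2)        # answer plus NS records and glue
```

The INJECTED_NS case shows the limit of a single feature: once the attacker pads the Authority section, both rules score it like a legitimate response, which is the gap the authors say a multi-feature classifier would have to close.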

The evaluation uses ADMid as a DNS spoofing attack tool. The authors enhanced ADMid to, with 10% probability, add a non-empty Authority section to responses, to make them more realistic. They try prevention technique (1) with two different weight vectors, and prevention technique (2) (the single-feature Bayes classifier). Sending 1000 queries in total for the top 100 websites in China (thereby provoking 1000 injected and 1000 legitimate responses), they get true positive rates of 97% or 98%, and true negative rates of 72% to 97%. The best prevention technique is (1), the weighted sum of section sizes, with weight 1 for each of the Answer, Authority, and Additional sections.

In two places the paper says that the attacker is constrained to send an injected response as quickly as possible, and therefore cannot spend much time on packet construction. This is what makes detection technique (2) work: the attacker could check that the destination IP address in a DNS query is actually a resolver, but it would take too much time.
