Whac-A-Mole: Six Years of DNS Spoofing

Whac-A-Mole: Six Years of DNS Spoofing. Wei, L. & Heidemann, J. Technical Report arXiv:2011.12978v1, USC/ISI, 25 Nov, 2020.

Paper bibtex

@TechReport{Wei20c,
        author =        "Lan Wei and John Heidemann",
        title =         "Whac-A-Mole: Six Years of {DNS} Spoofing",
        institution =   "USC/ISI",
        year =          2020,
        sortdate =          "2020-11-30",
	project = "ant, retrofuturebridge, lacrend, lacanic",
	jsubject = "network_security",
        number =     "arXiv:2011.12978v1",
	url =		"https://ant.isi.edu/%7ejohnh/PAPERS/Wei20c.html",
	pdfurl =	"https://ant.isi.edu/%7ejohnh/PAPERS/Wei20c.pdf",
	blogurl = "https://ant.isi.edu/blog/?p=xxx",
	myorganization =	"USC/Information Sciences Institute",
        month =      "25 Nov",
        jlocation =   "johnh: pafile",
        keywords =   "dns, root, dns spoofing",
        url =        "https://arxiv.org/abs/2011.12978",
	abstact = "
DNS is important in nearly all interactions on the Internet.  All
large DNS operators use IP anycast, announcing servers in BGP from
multiple physical locations to reduce client latency and provide
capacity.  However, DNS is easy to \emph{spoof:}  third parties
intercept and respond to queries for benign or malicious purposes.
Spoofing is of particular risk for services using anycast, since
service is already announced from multiple origins.  In this paper, we
describe methods to identify DNS spoofing, infer the mechanism being
used, and identify organizations that spoof from historical data.  Our
methods detect overt spoofing and some covertly-delayed answers,
although a very diligent adversarial spoofer can hide.  We use these
methods to study more than six years of data about root DNS servers
from thousands of vantage points.  We show that spoofing today is
rare, occurring only in about 1.7\% of observations.  However, the
rate of DNS spoofing has more than doubled in less than seven years,
and it occurs globally.  Finally, we use data from B-Root DNS to
validate our methods for spoof detection, showing a true positive rate
over 0.96.  B-Root confirms that spoofing occurs with both DNS
injection and proxies, but proxies account for nearly all spoofing we
see.",
}

Downloads: 0

{"_id":"DPBJEPaDoBpAzuHtf","bibbaseid":"wei-heidemann-whacamolesixyearsofdnsspoofing-2020","author_short":["Wei, L.","Heidemann, J."],"bibdata":{"bibtype":"techreport","type":"techreport","author":[{"firstnames":["Lan"],"propositions":[],"lastnames":["Wei"],"suffixes":[]},{"firstnames":["John"],"propositions":[],"lastnames":["Heidemann"],"suffixes":[]}],"title":"Whac-A-Mole: Six Years of DNS Spoofing","institution":"USC/ISI","year":"2020","sortdate":"2020-11-30","project":"ant, retrofuturebridge, lacrend, lacanic","jsubject":"network_security","number":"arXiv:2011.12978v1","url":"https://arxiv.org/abs/2011.12978","pdfurl":"https://ant.isi.edu/%7ejohnh/PAPERS/Wei20c.pdf","blogurl":"https://ant.isi.edu/blog/?p=xxx","myorganization":"USC/Information Sciences Institute","month":"25 Nov","jlocation":"johnh: pafile","keywords":"dns, root, dns spoofing","abstact":"DNS is important in nearly all interactions on the Internet. All large DNS operators use IP anycast, announcing servers in BGP from multiple physical locations to reduce client latency and provide capacity. However, DNS is easy to \\emphspoof: third parties intercept and respond to queries for benign or malicious purposes. Spoofing is of particular risk for services using anycast, since service is already announced from multiple origins. In this paper, we describe methods to identify DNS spoofing, infer the mechanism being used, and identify organizations that spoof from historical data. Our methods detect overt spoofing and some covertly-delayed answers, although a very diligent adversarial spoofer can hide. We use these methods to study more than six years of data about root DNS servers from thousands of vantage points. We show that spoofing today is rare, occurring only in about 1.7% of observations. However, the rate of DNS spoofing has more than doubled in less than seven years, and it occurs globally. Finally, we use data from B-Root DNS to validate our methods for spoof detection, showing a true positive rate over 0.96. B-Root confirms that spoofing occurs with both DNS injection and proxies, but proxies account for nearly all spoofing we see.","bibtex":"@TechReport{Wei20c,\n author = \"Lan Wei and John Heidemann\",\n title = \"Whac-A-Mole: Six Years of {DNS} Spoofing\",\n institution = \"USC/ISI\",\n year = 2020,\n sortdate = \"2020-11-30\",\n\tproject = \"ant, retrofuturebridge, lacrend, lacanic\",\n\tjsubject = \"network_security\",\n number = \"arXiv:2011.12978v1\",\n\turl =\t\t\"https://ant.isi.edu/%7ejohnh/PAPERS/Wei20c.html\",\n\tpdfurl =\t\"https://ant.isi.edu/%7ejohnh/PAPERS/Wei20c.pdf\",\n\tblogurl = \"https://ant.isi.edu/blog/?p=xxx\",\n\tmyorganization =\t\"USC/Information Sciences Institute\",\n month = \"25 Nov\",\n jlocation = \"johnh: pafile\",\n keywords = \"dns, root, dns spoofing\",\n url = \"https://arxiv.org/abs/2011.12978\",\n\tabstact = \"\nDNS is important in nearly all interactions on the Internet. All\nlarge DNS operators use IP anycast, announcing servers in BGP from\nmultiple physical locations to reduce client latency and provide\ncapacity. However, DNS is easy to \\emph{spoof:} third parties\nintercept and respond to queries for benign or malicious purposes.\nSpoofing is of particular risk for services using anycast, since\nservice is already announced from multiple origins. In this paper, we\ndescribe methods to identify DNS spoofing, infer the mechanism being\nused, and identify organizations that spoof from historical data. Our\nmethods detect overt spoofing and some covertly-delayed answers,\nalthough a very diligent adversarial spoofer can hide. We use these\nmethods to study more than six years of data about root DNS servers\nfrom thousands of vantage points. We show that spoofing today is\nrare, occurring only in about 1.7\\% of observations. However, the\nrate of DNS spoofing has more than doubled in less than seven years,\nand it occurs globally. Finally, we use data from B-Root DNS to\nvalidate our methods for spoof detection, showing a true positive rate\nover 0.96. B-Root confirms that spoofing occurs with both DNS\ninjection and proxies, but proxies account for nearly all spoofing we\nsee.\",\n}\n\n","author_short":["Wei, L.","Heidemann, J."],"bibbaseid":"wei-heidemann-whacamolesixyearsofdnsspoofing-2020","role":"author","urls":{"Paper":"https://arxiv.org/abs/2011.12978"},"keyword":["dns","root","dns spoofing"],"metadata":{"authorlinks":{}}},"bibtype":"techreport","biburl":"https://bibbase.org/f/dHevizJoWEhWowz8q/johnh-2023-2.bib","dataSources":["YLyu3mj3xsBeoqiHK","fLZcDgNSoSuatv6aX","fxEParwu2ZfurScPY","7nuQvtHTqKrLmgu99"],"keywords":["dns","root","dns spoofing"],"search_terms":["whac","mole","six","years","dns","spoofing","wei","heidemann"],"title":"Whac-A-Mole: Six Years of DNS Spoofing","year":2020}