Abstract
Few will argue that DNS security is a complex, multi-faceted, and of growing concern research topic. This is simply because virtually any protocol or service in the Internet depends its operation on the DNS service. Putting it another way, attacks on DNS can paralyze the network infrastructure of entire countries or even continents. Even worse, the original DNS design was concentrated on availability not security, and thus up to 1997 (and practically prior to 2008) the protocol did not afford any ilk of security protection, not even origin authentication of the offered DNS data. In this context, the primary aim of this PhD thesis is to alert the community by the investigation of novel ways of DNS exploitation, and thus our work can be mainly classified under the umbrella of offensive security. Specifically, we show that DNS can be exploited as a multipurpose attack vector that may severely threaten the integrity, authenticity, confidentiality, and availability of the offered resources ...
Few will argue that DNS security is a complex, multi-faceted, and of growing concern research topic. This is simply because virtually any protocol or service in the Internet depends its operation on the DNS service. Putting it another way, attacks on DNS can paralyze the network infrastructure of entire countries or even continents. Even worse, the original DNS design was concentrated on availability not security, and thus up to 1997 (and practically prior to 2008) the protocol did not afford any ilk of security protection, not even origin authentication of the offered DNS data. In this context, the primary aim of this PhD thesis is to alert the community by the investigation of novel ways of DNS exploitation, and thus our work can be mainly classified under the umbrella of offensive security. Specifically, we show that DNS can be exploited as a multipurpose attack vector that may severely threaten the integrity, authenticity, confidentiality, and availability of the offered resources in the cyberspace.Nowadays, DNS security inefficiencies have been addressed in practice by DNSSEC, and at least up to now, only on a limited scale by DNSCurve. Both these mechanisms utilize public key cryptography with the aim of extending the core DNS protocol. Therefore, one of the contribution of this thesis is to provide a comprehensive and constructive side-by-side comparison among the aforementioned security mechanisms. This is anticipated to greatly aid the defenders to decide which mechanism best suits to each particular deployment.Furthermore, there are overwhelming evidences that DNS is frequently abused by cyber crooks in Denial of Service (DoS) type of attacks. This is because that - even the typical - DNS records can greatly amplify the attack effect, meaning vastly augment the volume of network traffic reflected and destined toward victims. This amplification effect is foreseen to be far more devastating in the case of DNSSEC records, which normally are considerably bigger. In this mindset, an additional contribution of the thesis at hand is the investigation and assessment (in terms of attack amplification factor) of novel types of DNSSEC-powered DoS kind of attacks. The role of DNS forwarders as reflectors in such attack incidents is studied as well. Moreover, we examine some novel options about which publicly available resources (in terms of DNS servers) could be particular fruitful for the attacker to include them to their arsenal. In this direction, the potential of entangling the infrastructure of upper DNS hierarchy as both amplifiers and reflectors is thoroughly investigated. Regarding this point, the main advantage of our research compared with the standard type of DNS amplification attack is that we demonstrate that even a naive attacker is capable of executing a fruitful attack by simply exploiting the great amount of DNS machines existing out there.This thesis also deals with the exploitation of DNS protocol by bot herders with the purpose of building hidden Communication and Control (C&C) channels for their botnets. In this respect, we delve into the so called DNS- and IP-fluxing techniques, and propose and evaluate three novel botnet architectures which solely rely on DNS to deliver the botnet's C&C infrastructure. Given the mushrooming of smart mobile devices, the proposed architectures utilize not only mixed structures consisting of both mobile and desktop bot agents, but more importantly, structures that are purely mobile. This aspect of our work also includes the evaluation of the robustness of the proposed botnet formations.Finally, besides the contributions devoted to legacy DNS attacks, we investigate the potential of DNS as an attack vector to evade user's privacy by means of harvesting private sensitive information from, say, smartphone owners. To this end, we design and implement a privacy-invasive mobile application (spyware) able to manipulate the DNS service running on devices based on the Apple's iOS platform. The spyware is capable of acting as a man-in-the-middle to the tethering and intelligent personal assistant (such as Siri and Goggle now) services present in virtually every modern mobile platform. In this case, the aim of the spyware coder is that of redirecting all users connected via the device to a malicious website in order to phish user's credentials, harvest sensitive personal information, and so forth.
show more
