DNS is important in nearly all interactions on the Internet. All large DNS operators use IP anycast, announcing servers in BGP from multiple physical locations to reduce client latency and provide capacity. However, DNS is easy to spoof: third parties intercept and respond to queries for benign or malicious purposes. Spoofing is of particular risk for services using anycast, since service is already announced from multiple origins. In this paper, we describe methods to identify DNS spoofing, infer the mechanism being used, and identify organizations that spoof from historical data. Our methods detect overt spoofing and some covertly-delayed answers, although a very diligent adversarial spoofer can hide. We use these methods to study more than six years of data about root DNS servers from thousands of vantage points. We show that spoofing today is rare, occurring only in about 1.7% of observations. However, the rate of DNS spoofing has more than doubled in less than seven years, and it occurs globally. Finally, we use data from B-Root DNS to validate our methods for spoof detection, showing a true positive rate over 0.96. B-Root confirms that spoofing occurs with both DNS injection and proxies, but proxies account for nearly all spoofing we see.