Proceedings of the Federated Conference on Computer Science and Information Systems, pp. 777–782
ISBN 978-83-60810-22-4

Enhancing DNS Security using Dynamic Firewalling with Network Agents

Joao Afonso
Foundation for National Scientific Computing
Lisbon, Portugal
e-mail: [email protected]

Pedro Veiga
Department of Informatics
University of Lisbon
Lisbon, Portugal
e-mail: [email protected]
Abstract—In this paper we propose a solution to strengthen the security of Domain Name System (DNS) servers associated with one or more Top Level Domains (TLDs). In this way we intend to reduce the security risk of using the major Internet services that depend on DNS. The proposed solution has been developed and tested at FCCN, the TLD manager for the .PT domain. Through the implementation of network sensors that monitor the network in real time, we are able to dynamically prevent, detect or limit the scope of attempted intrusions and other types of incidents affecting the DNS service. The platform relies heavily on cross-correlation, allowing data from a particular sensor to be shared with the others. Administration tasks such as setting up alarms or performing statistical analysis are carried out through a web-based interface.

Index Terms—DNS; risk; security; intrusion detection system; real-time; monitoring.

I. INTRODUCTION

Observing Internet usage and world population statistics [1] updated in March 2011, 30.2% of the estimated world population of 6.8 billion are Internet users. If we take a closer look at Europe this value increases to 58.3% (with a growth rate of 353.1% between 2000 and 2011), and in North America 78.3% of the population are Internet users (growth rate of 151.7% in the same period), as shown in Fig. 1.

Figure 1. Internet penetration (% population)

The DNS service is required to access e-mail and browse Web sites, and is needed for the normal operation of all major services on the Internet (most of which handle critical information, e.g. e-banking). Given the huge number of Internet users, and the fact that all major applications require the DNS service, there is a security risk that needs to be reduced.

DNS servers play a pivotal role in the regular running of IP networks today, and any disruption to their normal operation can have a dramatic impact on the service they provide and on the global Internet.

Although based on a small set of basic rules, stored in files and distributed hierarchically, the DNS service has evolved into a very complex system [2].

According to other recent studies [3], there are nearly 11.7 million public DNS servers available on the Internet. It is estimated that 52% of them allow arbitrary queries (thus exposing them to the risk of denial of service attacks or "poisoning" of the cache). In nearly 33% of cases the authoritative name servers of a zone are on the same network, which facilitates Denial of Service (DoS) attacks.

Furthermore, the types of attacks targeting the DNS are becoming more sophisticated, making them more difficult to detect and control in time. Examples are Fast Flux attacks (the ability to quickly move the DNS information about a domain to delay or evade detection) and their recent evolution, Double Flux [4].

A central aspect of a security system is the ability to collect statistically useful information about network traffic. This information can be used to monitor the effectiveness of the protective actions, to detect trends in the collected data that might suggest a new type of attack, or simply to record important parameters that help improve the performance of the service.

The fact that the DNS is an autonomous, hierarchically distributed database means that whatever solution we use to monitor it must respect this topology. In this paper we propose a distributed system using a network of sensors, which operate in conjunction with the DNS servers of one or more TLDs, monitoring in real time the data that passes through them.
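As an added example (not code from the paper or from FCCN), the following Python check implements the topological diversity test implied by the introduction's observation that authoritative name servers of a zone often sit on the same network: it groups a zone's name server addresses by prefix and flags the zone when the whole NS set falls into one network. The zone names and addresses are constructed documentation-range samples, and the /24 (IPv4) and /48 (IPv6) prefix sizes are an assumed heuristic, not a value from the paper.

```python
"""Flag zones whose authoritative name servers all share one network prefix.

Added example, not from the paper. A zone whose entire NS set lives in one
prefix has a single network-level point of failure, so a DoS against that
network takes the whole zone offline. Prefix sizes are an assumed heuristic.
"""
import ipaddress
from collections import defaultdict

# Constructed sample data: zone -> {nameserver: [addresses]} (not real glue).
SAMPLE_ZONES = {
    "example-a.test": {
        "ns1.example-a.test": ["192.0.2.10"],
        "ns2.example-a.test": ["192.0.2.20"],
    },
    "example-b.test": {
        "ns1.example-b.test": ["192.0.2.10", "2001:db8:1::53"],
        "ns2.example-b.test": ["198.51.100.7"],
        "ns3.example-b.test": ["203.0.113.9", "2001:db8:2::53"],
    },
}


def prefix_of(addr: str) -> str:
    """Map an address to the prefix used for diversity grouping (/24 or /48)."""
    ip = ipaddress.ip_address(addr)
    size = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{size}", strict=False))


def prefix_groups(nameservers: dict) -> dict:
    """Return prefix -> sorted list of name servers with an address in it."""
    groups = defaultdict(set)
    for ns, addrs in nameservers.items():
        for a in addrs:
            groups[prefix_of(a)].add(ns)
    return {p: sorted(v) for p, v in groups.items()}


def single_network(nameservers: dict) -> bool:
    """True when every address of every authoritative server is in one prefix."""
    return len(prefix_groups(nameservers)) == 1


def audit(zones: dict) -> dict:
    """Return zone -> (single_network flag, number of distinct prefixes)."""
    return {z: (single_network(ns), len(prefix_groups(ns))) for z, ns in zones.items()}


if __name__ == "__main__":
    for zone, (flag, n) in audit(SAMPLE_ZONES).items():
        status = "RISK: all NS in one prefix" if flag else f"ok: {n} prefixes"
        print(f"{zone}: {status}")
```

On live data the same functions can be fed NS and A/AAAA records obtained from any resolver library; only the grouping logic is shown here.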
© 2011 IEEE 978-83-60810-22-4/$25.00
PROCEEDINGS OF THE FEDCSIS. SZCZECIN, 2011