Proceedings of the Federated Conference on Computer Science and Information Systems, pp. 777–782, ISBN 978-83-60810-22-4

Enhancing DNS Security using Dynamic Firewalling with Network Agents

Joao Afonso, Pedro Veiga

Foundation for National Scientific Computing, Lisbon, Portugal
Department of Informatics, University of Lisbon, Lisbon, Portugal

Abstract—In this paper we propose a solution to strengthen the security of Domain Name System (DNS) servers associated with one or more Top Level Domains (TLD). In this way we intend to reduce the security risk of using major Internet services that are based on DNS. The proposed solution has been developed and tested at FCCN, the TLD manager for the .PT domain. Through the implementation of network sensors that monitor the network in real-time, we are able to dynamically prevent, detect or limit the scope of attempted intrusions or other types of occurrences affecting the DNS service. The platform relies heavily on cross-correlation, allowing data from a particular sensor to be shared with the others. Administration tasks such as setting up alarms or performing statistical analysis are performed through a web-based interface.

Index Terms—DNS; risk; security; intrusion detection system; real-time; monitoring.

I. INTRODUCTION

According to Internet usage and world population statistics [1], updated in March 2011, 30.2% of the estimated world population of 6.8 billion are Internet users. In Europe this value increases to 58.3% (with a growth rate of 353.1% between 2000 and 2011), and in North America 78.3% are Internet users (growth rate of 151.7% over the same period), as shown in Fig. 1.

The DNS service is required to access e-mail and browse Web sites, and is needed for the normal operation of all major services on the Internet (most of which handle critical information, such as e-banking). Given the huge number of Internet users, and the fact that all major applications require the DNS service, there is a security risk that needs to be reduced.

DNS servers assume a pivotal role in the regular running of IP networks today, and any disruption to their normal operation can have a dramatic impact on the service they provide and on the global Internet. Although based on a small set of basic rules, stored in files and distributed hierarchically, the DNS service has evolved into a very complex system [2].

According to other recent studies [3], there are nearly 11.7 million public DNS servers available on the Internet. It is estimated that 52% of them allow arbitrary queries (thus exposing them to denial of service attacks or "poisoning" of the cache). In nearly 33% of cases the authoritative nameservers of a zone are still on the same network, which facilitates Denial of Service (DoS) attacks. Furthermore, the attacks targeting the DNS are becoming more sophisticated, making them more difficult to detect and control in time. Examples are Fast Flux attacks (the ability to quickly move the DNS information about a domain to delay or evade detection) and their recent evolution into Double Flux [4].

A central aspect of a security system is the ability to collect statistically useful information about network traffic. This information can be used to monitor the effectiveness of the protective actions, to detect trends in the collected data that might suggest a new type of attack, or simply to record important parameters to help improve the performance of the service.

The fact that the DNS is based on an autonomous database, distributed by hierarchy, means that whatever monitoring solution we use must respect this topology. In this paper we propose a distributed system using a network of sensors, which operate in conjunction with the DNS servers of one or more TLDs, monitoring in real-time the data that passes through them.

Figure 1.
Internet penetration (% population) c 2011 IEEE 978-83-60810-22-4/$25.00 777 778 PROCEEDINGS OF THE FEDCSIS. SZCZECIN, 2011 '/ D DC& C E E E CD & D D EA D D C/ D DC & E& C CD A 7D ECD A E B CD &D C/ C/ E E C/ ED D C/ E D % E C& CC 7 E BDE C B C C/ E "F C '/ A DE * ACD */ CED ED EA E B& D & E C B & C/ C* E7 E D A B C C C/ & C C D C E CC 7D &C B E CAE D C C/ D DCD DCA CD */ C/ E C D C E BD E C CE D CC E / B C ?D C A E C AC A A CD D C/ C E D E * C 7 C D D DC C/ B C CD CD% B DCD% '/ E D D C/ E D CEA CAE B * CD 0 E %DB 7 E A B D E CD E EBD E C B * E7 CD 2 D CE BA &C ( =ADE C # CD B * B ED C/ E B ACD CD 9 E C CAB& E % DB CD C/ E # CD 5 C/ E AC C/ E B D C/ CAB& E &C B D & CD < E C AD B BDE CD E AEC/ E * E7 "F & ### .8'K)") )EL E ## (8 '8" >)(D ) C/ DE C CABD C/ C *DC B D C/D E / C/ AC/ E /D EA C E B D E *DC/ C CDC B = B B +9- '/ DE D CD A BD D B % E D C/ CE BDCD F#F" +5- * E7D C C/ E *DC/ CEA CAE B GA E& A : G ; % E D D DB ( CD B C C &C :("F. ; E "F D C C/D ACD D CE E C B C/ E D BD E E D F#F" HBE E C B &C E AEDC& . DC ED "F CE D +<- A D C* E7 E *DC/ AC D C E ED *DC/ C/ "F E% E C DC E B '/D D CE E C ACD C/ C B C E D C/ /D / % D D DC& B B E C/ "F E%D !D?D E B "F CE D CAE ACD DC& B "F +6- '/D C D C E BA D E& B C A D E C DC/ E C B EB AC AC E D A D% BA D '/ D CD D D D E C C BA +I- 4 B D C E DC ED C* E7 CE D B/ D E E D B 7 C E DCD C D E B E "F CE CD B E C CD *D ED C C C/ A "F */ C BA & / * D A E& C/ E C % D D " "F C CD CD C E +,1- " D D CD E CD B &CD C CD CD E A & "F E% E . 
E CAE D AB C/ D DC& C E A EDC B E / D DB "F =A ED B C D B C D C E BD G B C '/D C * E7 D DB "F E% E E D C/ E E% E C/ C J CAE J D BDE CD CE D E "F B DED C E B AC C B D DB C E &C A D F#F" =A E& +,,- '/D ECD A E & C DB C/ C CD CD &D E %DB D E CD E EBD C/ 7D B A C CD E C B D E CD D % D C/E A / C/ > B EC 8 / AEDC& D DB C E ACD EC B CD% CD AA ' C E BA C/ D DB C ED 7 D "F E CD C/ E /DC CAE C/ & C C/ C * / % B % D C D E % C/ AEDC& E E B D D & C/ "F E C E %D A * C B CE D B E D E C/ E DD ' % " D > E E /DC CAE ED D D C E C B E C CD A CD "F E% E * E7D C C/ E *DC/ % E C* E7 E C/ C & D% EA C B BD C B DE * CD CE D / D C E E A & C B D C/ C* E7 DC E C/ CE D D C C/ "F D E CEA CAE DB CD & C CD & / E A CE D A D EDC/ C/ C * / % B % B B C C B B A C/D D E CD C D C CE D C/ C / DB CD D B / AEDC& C/E C % E C* E7 E DC E BD E C EC C/ D E CEA CAE B ? / D E CD E C B C AEDC& CC 7 # C/D * & / * D D 0 DC / A B D C ? / EDCD AEDC& D E CD C* C/ E # BBDCD C D E D E E C/D E CD / AB E % C CC 7 E% E E AE DB CD D B & C/ E E D D A '/D ED D E % C D 7D B CC 7 E BDE C B C % E C C/ "F D E CEA CAE D AE 0 "D E C/ B DE B ACD B C D AA ) C/ EA D EC AE * E7 D C/ EDC/ C DB CD & CE D / E A C C/ "F # EB E C D C C/ C C B /& C/ D D C/ E /DC CAE B7 C/ "F E C D D C D DC D E& C & / AED CD */D / D E CD % A C C/ D E CD C B E BD E C AE B D % D C * D /C C / C B C EBD & '/ C C/ C * / % / C / % D CD C/ AEDC& D DB C "F E C/ A E AEE &D C& =A ED B C/ A C CD C* AEE C/ A E E C B B D E CD E EC B E D CEA D B C CD &C )AE & C A C/ *D E A C % A C E C E C/ C AE C/ D7 D/ B C/ AEE AEDC& D DB C : ;= ⋅1 0 + ⋅1 0+ ⋅ 1 ,9 + F ⋅ 1 09 + E ⋅ 1 01 JOAO AFONSO, PEDRO VEIGA: ENHANCING DNS SECURITY USING DYNAMIC FIREWALLING WITH NETWORK AGENTS E C E DB E B D &D C/D E A A A O • ) AEE :); ( E C C/ A E CD :D C ; C/ C / % D% D D A AE * 7 B C/ C C/ BD CED AC B C/ B D C B D ' # DA B E A 093 913 <93 ,113 E , D D −O A D DN # C/ % ? E D C/ C E " !# D D E E C C/ A E E EA D C C/ E D C/ D E CEA CAE B C ? 
/ D E CD C/ % '/ C/ E C E O E N CC 7 B C B E C/ A E E C/ C E AEE C E ECD AEDC& D DB C • # CEA D " C CD &C :#; > DB E B C/ A C/ EC C E D E C A B C/ E E A E C EDC B D CAE AEDC& D DB C E CD C C/ "F E%D ' F 8 # 4 )F'(#F$'#)F ) 'K8 F$.F8( ) ) $((8F 8 ) )$( 8 #F . # #)$ K8$(# '# , 0 2 !N 779 A • & D : ; ( CD % A CD C/ B %D CD C/ % A E EB B D E CD C C/ % E E% B C CD CD B C/ EDC ED B * D /C DB CD D B *D ' ## ' F 8 ## 4 )F'(#F$'#)F ) . # #)$ 8 CDE C CE ECD CE EC # EE C =A E& % % E E AE # EE C =A E& % GA E& % A A & ED D 8!8F' 'L # #8" )'8F'# ' F 8 #! 4 #F'8( )FF8 '#)F >#'K '8. )( " ' E 'K8(8" (). #F'($ #)F "8'8 '#)F L '8. $ %AA L )$( 8 E#!8F #F K8$(# '# A E CC C : M (; CC C :#M (; A 91 C <93 ,113 913 <93 A ? 913 C/ A ,113 913 BD <93 % E A E • 'D C* AEE * D /C C E & C/ % A %D D% % E C/ E C/ , 0 C/ C/ C/ C/ E C/ D 2 C B AEE :E; CD D C D% AE BD CED AC B *DC/ C/ D C B C C/ CD *D D C ' F 8 ### 4 >8#EK' ) "# 8(8F' '#.8 F8'>88F 8 A , .D AC , K AE ," & ,> 7 K) $((8F 8 A ,113 <93 913 093 A C • # DB D C/ E C/ :F; FA E BBE AE A CD * E C/ C E E% B ? E D EC A A CD% CD EA D 2B3 5<3 ,113 DE * AE *D E =ADE A F C C/ C C/ CD B C E D CD E B % C B C A& ! ' ! (A A) & *A * % .DBB % KD / % (D 7 '/ E A / * % C 7 % A =A C E E C E C/ 1 09P '/ D CD C* E E EDC ED C/ E A 8? CD */ E D%D D E CD E C/ C/ E E D */D / D EDC ED D A D D CP #C E C B C/ ?D CD */DC D C D C/ E DC E& *D DB E B ED%D B AE C/ C E C 7 B # C/D * & * % DB E D D C/ # C E C E%D DB ED C/ 7 & E & B & "F C/ >/DC D C E C C 7 & BBE E D 7 B D DCD% % C '/D D C D E C B E E EB CEA C B AE *D BBE DC B/ E C E C C B E D BB B C C/ DE * EA ) ? D C/ D C D C E BBE B C/ "F E% E # # C B E C/ E % AE D A C A & C/ , 0 EA D C/ *D DE * *D A CD B 8? B B C/ =A E CD ED B B C/ E C E D A P '/ ? E D CD% CD :/ AED CD ; B C : CD ; / 7 C/ E E B AE 780 PROCEEDINGS OF THE FEDCSIS. SZCZECIN, 2011 #! 
+ () ) 8" ) $'#)F A / * D D 2 C/D ACD D E D C/ C &C CE D E% E D C/ E % DB E D % DB D E CD E D% B E C/ E E E DD C* E7 BBE # D B C C B E C/ E D A D D A / C* E7 BBE DC *D 7 BD C/ E E CD D B C/ & C A C C/ E CD % A C C/ E E C/ E% E B C* E7 *D D C C/ "F =A ED E C/ B D A E CED CD E / %D E %D E E EC D C/ DE * B C/ EBD & '/ & C E / E CD C D AE B GA E CD B F , A E BAE % E C/ DE * A ! ,A EBD C AE B D B C C/ C * C/E A / C/ E / BD E C/ "F E% E D CE C B EBD C C B EB C DE * EA * B & DD EA E EBD C C/ BBE C/ C E D 7 B D E CD '/ =A ED E C/ B D% E B C C/ E EC &C B B C E B D C/ ("F. C C/ C D C/ & C E B C/ > EC : D 9; D AE 9 F C* E7 B C D AE 2 F 7 "D E E B ACD D E CD C B D C E B D B C C B D .& G +,0- ' 7D D C DB E CD C/ B C CD DC C/ E E C/ =A ED B C E BA C/ % A D E CD C E B C/ B C D BD%DB B D C A E BD E C C '/ % ED C/ # BBE AE B B CD CD :"F E% E; D C D C E E C / * B E A / E D D C B C C E B D DD C D E % C D C/ % E E E C/ ACD D E / EA D EC B D C/ E DE * C/ E *D ED B =A E CD B C C/ B C/D CD C/ E *D % A C C/ / %D E C/ C AE C % A C C/ B BC E % C/ EA / * D D B * JOAO AFONSO, PEDRO VEIGA: ENHANCING DNS SECURITY USING DYNAMIC FIREWALLING WITH NETWORK AGENTS '/ D E CD E EBD =A ED B D C E B B D &D C B7 C % D BAED C/ ?C 21 B & '* C C D D C/ C EA C/ C E B& D & D B 4 BB E E % B B DCA CD C/ C / % CED E B CE C/ EE C E CD C/ DE * E ABDCD AE % E& CD D E D C E B '/ D E CD E =ADE B E ABDCD B C CD CD C 7 % E ? DE D !A !(D DA A- A ! A '/ C CD CD D E CD C B B C E B D B C / D DD C A C B C D #C D D ? C A C E / E C/ % ACD =A ED E A DC CD :/ AE B & C ; B & E E =A C "F =A ED E E C& B B C E D AE C/ C E BA C/ E E A E A C CD D C C/ C B EB B %D CD D% * E C DC C C/ C D *DC/ C/ C/ E /DC +,9'/ E E C/ "F E C E E C& AE B E EBD C/ E CD E =A C " C D C C&E D C E B B E D E D E E CD E ? B B ! 
)AE C C/ E CC B C/ #C D AE D # 781 BBDCD CD E%D D& A & ) 'E C& ED B ' D % % %A E C/ '/ E C E AEE C C/ A A E CD DC ED B C CD CD E CD C C/ E CD "F / * % C/ ACD E B / E B CC D D DCA CD D% C/ C C/ C DC D D AE C/ D CD * C/ % C F EC/ C CD )E DC CD :F '); A C D 01,1 C C/ ,9 C 0, F % E 01,1 E BA AEDC& ED 7 D C/ E C/ # C E C B D % C A E E DB E B C * E C B B B B D& DC ED % E & * E DD B D C AE C ED * C 7D % E C B D BA CE& '/ B C B & / E E C B CC E A C CD / C/ C ED B B C C E DCA CD B */ B %D CD / E CC E : D <; E DC CD D CD * E E E B AD F. CE E D B 8 '$"L E / % A B E B % C D E 0115 C F 4 */ / C/ E D D DC& C E DC E B D C D C/ B D A B E C/ ' ' " C E C CD C/ E E C* E EA D CC / B C C/ "F E% E : C C/ ED E& "F B C/ E * E7D C C/ E *DC/ B E& "F E% E; '/ C* E7 &C E D C / E7 +,5- B C/ DE * A B D # D C E +,2- '/ E CD E E * E E B D % CD C/ D E CD E D% B E C/ C / E7 '/ > E% E D EA D / *DC/ K ( EBD C/ M E% E +,B- * / C/ D% E C E BA E D C E C B C C/ E '/ CDE E ACD B ED B % * C/ * C E * B % B* C D C/ , C A E& 011< B C/ B C E C/ % ED A C * C B E C/ ,1C/ . & 0116 CD * : D 5; D AE 5 > EC D AE < . DC ED "F !# E%D C F ') % CQ D 01,1 (8 $ ' > E C / E C/ E A C C/ C ,0 C/ B C CD : C* ,C . & 011I B 2, C . & 01,1; '/ % E A E E =A C C C/ ED E& "F E% E D A C ,I <5I IB5 E B & :006 E ;AD C E EB C <C/ A A C 01,, '/ E E C/ B C &D E E D % ,0B1 E =A C E B E : D C E B % DB C B B D EC B D C/ B C ; $ D C/ B C C B & C/ E BAED C/D CD ED B * * E C C A A C CD CD D E CD • " D & C CD CD & C& BP • FA E # C E CD =A ED P • FA E B D & =A ED : D 6; "F DC B B C # !5 E C D E DC E :#"F; "F C& 782 PROCEEDINGS OF THE FEDCSIS. 
SZCZECIN, 2011 AEE C & C/ ACD E C B B C * C/ D BBE D C/ # %5 E C '/ C / D C C/ C B C C/D DCA CD E D 7 B C C/ B C CD DC C/ E E C/ B C E EB E D CD 7D DC D C C E C/ B C E A C CD ) D CD E % C/D D A D C / C/ B C D C C/ E ACD ED C E D F % EC/ =A ED B C # %5 BBE E C D B D C/D ACD : C& ; > E * E7D ?C BD C/ B C EE CD D DCD C/ & C & BBD D E CD C B E C/ E AE :D CEA D B C CD &C ED C ; > CD D C C/ C C/D AB % A E / C E BA DB E & C/ A E DCD% B CD% +,<E D AE 6 C CD CD &D & # !5 E EB B: • " C C ? E A :C/ C AEDC& D DB C ; E ? * * E B C C C/ C D% # * A D C/ ED "F E% E CD E % E '/ A E =A ED B * ? D% E B *DC/ C/ % E % A E E /D % A C # C E C E %DB E C/ C E C A B E C/ 'B D • " C C DCA CD A D ABD B D CC 7 *DC/ C/ ? ACD D% =A ED ,0 C/ & D C/ E E ,< ") CED E B '/ & * E D C C & 7 B B BBE =A E CD :' !; ; E C C ' E& (8 8(8F 8 +,- */ AE E%D +0+2- E%D # C CC 7 BD +B+9+5+<- ' F 8 ! 8M . 8 >K8F 'K8 8F )( "8'8 '8" #'$ '#)F 'K ' (8G$#(8" 'K8 #(8> ($ 8 ') K FE8 AA + A.A A DDA ?? ?? 011 B9 01,, 16 19 10 ,9 BB ?? ?? ,< ,00 01,, 16 19 12 09 ,0 ?? ?? ,0I 9, 01,, 16 19 1B B< ,B ?? ?? ,B 02I 01,, 16 19 19 0< 0I ?? ?? ,B ,2, 01,, 16 19 16 29 26 !## )F BB EA ( % EA BB EA BB EA ( % EA A D A ?? ?? BB 52 ?? ?? BB 52 +6+I+,1+,,- ?? ?? BB 50 ?? ?? BB 50 ?? ?? BB 52 +,0+,2- +,B- $ #)F F" $'$(8 >)(D +,9- '/D ECD / E C B % E / C E BA AEDC& ED 7 C/ D C E C D CD C/ C A E%D )AE ACD AD B A C/ ?D CD ACD C C CD CD D E CD E EBD "F E%D BBD C/ D DC& C B C C B CE AEDC& D DB E CD #C BB C/ B% C E CD BD CED AC B * & *D C/ ? / D E C* E CD E B C/ E D E C * AEDC& % E DC D C/E C B C/ "F C/ C & C D D CD DC +,5+,<- # C E C $ B > EB A CD C CD CD * DC + /CC QQ*** D C E C* E B C C Q C C /C C B < A A C 01,, !D?D @"F ?DC&A . GA A % 9 2 ED 011< " > J ( C "F AE% &J "F ) ( F % E 011< " % D DC @ D 7 E A E& B ( %D *A # FF . & 01,1 G "F * DC +/CC QQ/ CD D C 6161QR C0,1990Q = B /C C B < A A C 01,, F#F" * DC +/CC QQ*** D E Q E BA C QF#F"C B < A A C 01,, F HBE @ AEDC& . DC ED "F CE D A . 
& 0115 A !D?D " > A"F 4 "F CE D CAE ACD DC&A #" > E7 / A & 011< "A > J>/ C F * *DC/ " J "F ) ( F % E 011< *E F E7 & F CD E C E& ' BA * DC /CC QQ*** C BA E / DED C J AC C B # DB C ( &C $ D F#F" GA E& J A 0115 .& G * DC 4 :) AE " C ; +/CC QQ*** & = C B < A A C 01,, # # '8( 4 ' Q# DE * QF ' C* E +/CC QQ A BA AQR % C B < A A C 01,, D C BE 8B 8?C D . D B E E C :M. ; E ( 2I01 011B S 8B A B . C DE J" % C # C E C B ACD E # CEA D " C CD . B F B " C EE CD J D E C/ #888 # F T15 # C E CD E F C* E7D B E%D # F T15 D D ! & $ A & 0115 ' / E7 * DC 4 '/ >DE / E7 F C* E7 &C E +/CC QQ*** *DE / E7 E C B < A A C 01,, S BE ! D @ E C CD C/ "F # E CEA CAE ' % " D ( 'D DC ED *DC/ F C* E7 > E7 / E A > F 0116 BC/ #888 4 # C E CD >DE B E F C* E7 AEDC& C C $ 0I C E 4 0 ) C E 0116