Page 50 Kim et al. J Surveill Secur Saf 2020;1:34-60 I http://dx.doi.org/10.20517/jsss.2020.14
queries because the domains do not exist. Eventually, the cache in the recursive DNS server could be filled
with NXDOMAIN results and users will experience slower DNS server response times for legitimate DNS
requests. The authoritative DNS servers also spend valuable resources due to the multiple recursive queries
to obtain resolution results [50].
4.4.2 DA11. Phantom domain
The phantom domain attack is similar to the DNS NXDOMAIN attack. However, the major difference is
that attackers use multiple phantom domains to interfere with normal DNS resolution. First, an attacker
sets up several phantom domains which either respond very slowly or do not respond to DNS requests.
Then, numerous bots send malicious DNS queries for the phantom domains to DNS resolvers. The DNS
resolvers handle and deliver the queries to the authoritative servers. However, under the phantom domain
attack, the DNS resolvers will continue to wait for responses and continue to query the unresponsive
servers, which consumes their resources. As a result, the DNS resolvers’ resources are used to process the
queries for the phantom domain, and users could be delayed or unable to receive responses to normal DNS
queries [51].
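The two attacks above leave a measurable trace in resolver logs: an NXDOMAIN flood shows up as a source whose queries mostly return NXDOMAIN, and a phantom domain shows up as a zone whose queries keep timing out at the authoritative side. The following detection sketch is an added example, not code from Kim et al.; the log line format, the two-label "registrable domain" rule and the thresholds are assumptions, and the sample log is constructed.

```python
# Added example (not from Kim et al.): flag the two resource-exhaustion
# patterns described above in resolver logs: NXDOMAIN floods (a source
# receiving mostly NXDOMAIN answers) and phantom domains (an authoritative
# zone whose queries keep timing out). Log format and thresholds are
# assumptions; the sample lines below are constructed.
from collections import defaultdict

# Constructed resolver log lines: "<client> <qname> <rcode>"
# rcode is the resolver's answer code, or TIMEOUT when the authoritative
# server never replied.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.9 k3j2h.example.org NXDOMAIN
10.0.0.9 zq8ab.example.org NXDOMAIN
10.0.0.9 p0oi1.example.org NXDOMAIN
10.0.0.9 www.example.com NOERROR
10.0.0.7 a1.phantom-test.invalid TIMEOUT
10.0.0.8 a2.phantom-test.invalid TIMEOUT
10.0.0.7 a3.phantom-test.invalid TIMEOUT
10.0.0.7 www.example.com NOERROR
"""

def registrable_domain(qname):
    """Assumption: treat the last two labels as the zone owner's domain."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def analyze(log_text, nx_ratio=0.5, min_queries=3, timeout_min=3):
    """Return (nxdomain_clients, phantom_zones) exceeding the thresholds."""
    per_client = defaultdict(lambda: [0, 0])   # client -> [nxdomain, total]
    timeouts = defaultdict(int)               # zone -> timed-out queries
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                          # skip malformed lines
        client, qname, rcode = parts
        per_client[client][1] += 1
        if rcode == "NXDOMAIN":
            per_client[client][0] += 1
        elif rcode == "TIMEOUT":
            timeouts[registrable_domain(qname)] += 1
    nx_clients = sorted(c for c, (nx, tot) in per_client.items()
                        if tot >= min_queries and nx / tot >= nx_ratio)
    phantom = sorted(z for z, n in timeouts.items() if n >= timeout_min)
    return nx_clients, phantom

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))  # (['10.0.0.9'], ['phantom-test.invalid'])
```

In practice the thresholds would be tuned against the resolver's normal NXDOMAIN and timeout baseline, and a flagged zone is a candidate for the per-zone query limits or negative caching the paper's later mitigation discussion covers.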
4.5 Assessment of DNS attacks
To classify DNS attacks, the types of attacks first are evaluated for each factor. Figure 12 shows the
assessment of the 11 DNS attacks introduced in this paper. There are five criteria for evaluating DNS
attacks. First is the Attack Method, as described above. The Effect factor classifies attacks according to
their intended outcome. The Attack Mode factor refers to whether the attack is passive (i.e., takes place
in response to a user-initiated query) or aggressive (launched by the attacker). The Attack Source/Target
classifies the multiplicity of attack source(s) and target(s). The Location of Attack Target factor means the
location where the attack is executed. If an attacker attempts to attack the DNS infrastructure directly, it is
labeled “Internal”. Otherwise, if an attacker attempts to attack a target using the DNS infrastructure, it is
labeled “External”.
The assessment for each factor is shown as a filled circle (fully or completely), a half-filled circle
(partially), or an empty circle (does not apply or not at all). DNS attacks have a variety of purposes.
Hijacking/poisoning-based attacks (DNS cache poisoning, Kaminsky, and DNS hijacking) mainly aim
to lead their targets to specific malicious sites, while flooding-based attacks (DNS reflection and
amplification, DNS flooding, Random sub-domain, DNS NXDOMAIN, and Phantom domain) aim to exhaust
DNS servers’ resources through direct and aggressive attacks from malware-infected botnets.
van Rijswijk-Deij et al. [35] found that DNSSEC could be exploited for DNS reflection attacks. Thus,
this attack can target specific servers as well as DNS servers. Finally, attacks that hide themselves in
normal DNS packets or procedures have the purpose of exploiting DNS.
Based on the assessment, Figure 13 shows the classification of DNS attacks by purpose.
(1) DNS Server Unable/Slow: These attacks target DNS servers. The attacker sends a flood of queries to a
DNS server, which is then forced to exhaust its resources handling the enormous number of queries.
Eventually, the DNS server will not function normally and will not be able to provide the domain service to
the user.
(2) Specific Target Server Unable: These attacks target a specific server. The attacker attempts to send heavy
traffic to the target server through flooding from the DNS servers. Attackers exploit open DNS resolvers,
as a third party, to amplify the traffic volume [52]. The victim server receives a large number of legitimate
DNS responses and is finally subjected to a denial of service attack.
(3) Malicious Website: These attacks, such as DNS poisoning, direct victims to malicious websites even
though the victims requested normal domains. By manipulating normal responses to queries, an attacker can
illegally acquire and exploit user information by providing bogus IP addresses to the user.