Page 52 | Kim et al. J Surveill Secur Saf 2020;1:34-60 | http://dx.doi.org/10.20517/jsss.2020.14
(4) Hidden attack: These attacks abuse DNS servers to hide the attacker's location or the content of attack messages. The attacker conceals the location of the C&C servers, or smuggles botnet commands to and from the C&C server inside DNS traffic, by exploiting a vulnerability in the internal DNS.
5. MITIGATION
Although DNS has suffered from many attacks, researchers' efforts to mitigate them are ongoing. In particular, DNSSEC, a product of those efforts, addresses the main vulnerability of DNS, the lack of integrity protection for DNS data, by ensuring that responses have not been forged. Additionally, various advanced methods have been introduced to overcome a number of DNSSEC's limitations. This section briefly describes them.
5.1 DNSSEC and redundant DNS
Common DNS attacks, such as cache poisoning and spoofing, are easy to mount because DNS data can be forged and fake DNS messages can be disguised as legitimate ones. DNSSEC was designed to overcome these problems: it uses digital signatures to authenticate the contents of DNS responses, so that forged DNS data is rejected and the answers to DNS queries can be trusted. As discussed in Section III, however, DNSSEC suffers from technical complexity, overhead, and low deployment [8].
In 2018, NS1 published DNSSEC guidelines [53] so that DNSSEC can be configured correctly and used more easily. However, DNSSEC does not solve all DNS security issues; in particular, it offers no protection against DDoS attacks. Worse, the additional length of DNSSEC responses exacerbates reflection and amplification (DDoS) attacks. This dilemma is a major challenge for DNSSEC to address in the future.
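The size argument can be made concrete by building the messages in wire format and comparing them. The following Python script is an added example, not code from the paper or from NS1: it constructs a minimal A query with and without the EDNS0 DO flag, and the matching responses with and without an RRSIG record, then reports the bandwidth amplification factor (response bytes per query byte). The domain name and address are the reserved example values from RFC 2606 and RFC 5737, and the signature is a zero-filled placeholder of the length a 2048-bit RSA/SHA-256 key (DNSSEC algorithm 8) would produce; only the sizes matter here, no key is involved.

```python
"""Sizes of DNS messages with and without DNSSEC records, to quantify the
reflection/amplification concern.  Added example: the messages below are
constructed in wire format here; they are not captured traffic."""
import struct

NAME_PTR = b"\xc0\x0c"     # compression pointer to the QNAME at offset 12
CLASS_IN = 1
TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
ALG_RSASHA256 = 8          # RSA/SHA-256; a 2048-bit key yields a 256-byte signature


def encode_name(name: str) -> bytes:
    """Wire-format domain name: length-prefixed labels ending in the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def header(msg_id: int, flags: int, qd: int, an: int, ns: int, ar: int) -> bytes:
    """Fixed 12-byte DNS header (RFC 1035, section 4.1.1)."""
    return struct.pack("!HHHHHH", msg_id, flags, qd, an, ns, ar)


def question(name: str, qtype: int) -> bytes:
    return encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def rr(rtype: int, ttl: int, rdata: bytes, owner: bytes = NAME_PTR) -> bytes:
    """Resource record whose owner name is compressed to a 2-byte pointer."""
    return owner + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def opt_rr(udp_size: int = 4096, do_bit: bool = True) -> bytes:
    """EDNS0 OPT pseudo-RR (RFC 6891): the CLASS field carries the UDP payload
    size and the high bit of the TTL field is the DO flag requesting DNSSEC data."""
    flags = 0x8000 if do_bit else 0
    return b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, udp_size, 0, 0, flags, 0)


def rrsig_rdata(type_covered: int, labels: int, signer: str, signature: bytes,
                ttl: int = 3600, expiration: int = 0, inception: int = 0,
                key_tag: int = 0) -> bytes:
    """RRSIG RDATA layout from RFC 4034, section 3.1 (fixed fields, then the
    uncompressed signer name, then the raw signature)."""
    fixed = struct.pack("!HBBIIIH", type_covered, ALG_RSASHA256, labels, ttl,
                        expiration, inception, key_tag)
    return fixed + encode_name(signer) + signature


def build_query(name: str, edns_do: bool = False) -> bytes:
    """Standard A query.  With edns_do an OPT RR with DO=1 is appended, which is
    what a validating resolver (or an attacker spoofing a victim) sends."""
    msg = header(0x1234, 0x0100, 1, 0, 0, 1 if edns_do else 0) + question(name, TYPE_A)
    if edns_do:
        msg += opt_rr()
    return msg


def build_response(name: str, addr: tuple, signed: bool = False,
                   sig_len: int = 256) -> bytes:
    """Answer with one A record.  When signed, the RRSIG covering it and an OPT
    RR are included as well.  The signature bytes are a zero placeholder of
    realistic length; only the size is of interest here."""
    answers = [rr(TYPE_A, 3600, bytes(addr))]
    if signed:
        labels = len([l for l in name.rstrip(".").split(".") if l])
        answers.append(rr(TYPE_RRSIG, 3600,
                          rrsig_rdata(TYPE_A, labels, name, bytes(sig_len))))
    msg = header(0x1234, 0x8180, 1, len(answers), 0, 1 if signed else 0)
    msg += question(name, TYPE_A) + b"".join(answers)
    if signed:
        msg += opt_rr()
    return msg


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bandwidth amplification factor: bytes the reflector sends to the victim
    for every byte the attacker has to send."""
    return len(response) / len(query)


if __name__ == "__main__":
    name, addr = "example.com", (192, 0, 2, 1)   # constructed RFC 2606 / RFC 5737 values
    cases = (("plain", build_query(name), build_response(name, addr)),
             ("DNSSEC", build_query(name, edns_do=True),
              build_response(name, addr, signed=True)))
    for label, q, r in cases:
        print(f"{label:6s} query={len(q):3d}B response={len(r):3d}B "
              f"BAF={amplification_factor(q, r):.2f}")
```

Even this smallest possible answer (one A record, one RRSIG) grows the response by roughly a factor of eight relative to the query; responses carrying several RRSIGs, DNSKEY sets, or answers to ANY queries are larger still, which is why DNSSEC-signed zones are attractive reflectors unless the server applies response rate limiting or the network filters spoofed source addresses.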
Redundant DNS servers are one solution to attacks on availability. The DNS standard specifies that up to eight spare servers may be used for redundancy [54], so that if one server is unreliable or unavailable, another can answer the user's name lookups [55]. However, such configurations are rarely used in practice by enterprises and ISPs [56], although redundancy has been recommended for a long time.
Ansari et al. [57] introduced a new technique that overcomes the limitations of DNSSEC and reinforces DNS security by using cloud services for availability and reliability. The redundancy, flexibility, and managed nature of the cloud make it a promising basis for DNS security.
5.2 Existing DNS mitigation systems
A number of approaches to securing DNS have been proposed. We describe them in three groups: monitoring and detection systems, security extensions to DNS records, and advanced DNS designs with additional security functions.
5.2.1 Monitoring and detection systems
DNS is vulnerable to counterfeited data. One approach is to monitor DNS traffic and detect forged data, so that reliable DNS data can be distinguished from unreliable data. The following systems are representative DNS defense systems that include such functions.
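To make the monitoring-and-detection idea concrete, the following Python script is an added example, not code from the paper or from any of the systems described in this subsection. It runs a small feature extractor over a query log of the kind an authoritative name server could keep and computes, per queried domain, how many distinct resolvers and distinct /16 networks asked for it (requester diversity) and what fraction of the addresses it resolved to fall inside low-reputation address space. The log lines, the low-reputation prefix and the threshold rule are all constructed for illustration; the threshold stands in for the statistical classifier that real systems train on such features.

```python
"""Feature extraction over an authoritative-server query log, in the spirit of
the monitoring-and-detection systems surveyed here.  Added example, not code
from the paper or from any of those systems; the log lines, the low-reputation
prefix and the threshold rule are constructed for illustration."""
import ipaddress
from collections import defaultdict

# Constructed log: "<unix_ts> <requesting resolver IP> <queried name> <answer IP>",
# as an authoritative server might record it.  Addresses are RFC 5737 / RFC 1918 values.
SAMPLE_LOG = """\
1585000001 198.51.100.7  cdn.example.com     192.0.2.10
1585000002 198.51.100.9  cdn.example.com     192.0.2.10
1585000003 198.51.100.12 cdn.example.com     192.0.2.11
1585000010 203.0.113.5   upd4te.example.net  203.0.113.200
1585000011 198.51.100.7  upd4te.example.net  203.0.113.201
1585000012 192.0.2.77    upd4te.example.net  198.51.100.250
1585000013 172.16.4.4    upd4te.example.net  203.0.113.202
1585000014 10.9.8.7      upd4te.example.net  203.0.113.203
"""

# Constructed stand-in for an IP reputation feed: address space already known
# to host malicious infrastructure.
LOW_REPUTATION = [ipaddress.ip_network("203.0.113.192/26")]


def parse_log(text):
    """Yield (timestamp, resolver, qname, answer) tuples.  Names are lower-cased
    and stripped of the trailing dot so that case and format variants collapse."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, resolver, qname, answer = line.split()
        yield (int(ts), ipaddress.ip_address(resolver),
               qname.lower().rstrip("."), ipaddress.ip_address(answer))


def in_low_reputation(addr):
    return any(addr in net for net in LOW_REPUTATION)


def domain_features(records, prefixlen=16):
    """Per-domain statistics: distinct resolvers and distinct /prefixlen networks
    that asked for the name (requester diversity), and the fraction of the
    addresses it resolved to that lie in low-reputation space."""
    acc = defaultdict(lambda: {"queries": 0, "resolvers": set(),
                               "nets": set(), "answers": set()})
    for _ts, resolver, qname, answer in records:
        d = acc[qname]
        d["queries"] += 1
        d["resolvers"].add(resolver)
        d["nets"].add(ipaddress.ip_network(f"{resolver}/{prefixlen}", strict=False))
        d["answers"].add(answer)
    feats = {}
    for qname, d in acc.items():
        bad = sum(1 for a in d["answers"] if in_low_reputation(a))
        feats[qname] = {
            "queries": d["queries"],
            "resolver_count": len(d["resolvers"]),
            "network_diversity": len(d["nets"]),
            "bad_ip_fraction": bad / len(d["answers"]),
        }
    return feats


def flag_suspicious(feats, min_networks=3, min_bad_fraction=0.5):
    """Threshold rule standing in for a trained classifier: requested from many
    different networks AND resolving mostly into known-bad space.  The
    thresholds are constructed, not tuned on real data."""
    return sorted(q for q, f in feats.items()
                  if f["network_diversity"] >= min_networks
                  and f["bad_ip_fraction"] >= min_bad_fraction)


if __name__ == "__main__":
    feats = domain_features(parse_log(SAMPLE_LOG))
    for qname, f in sorted(feats.items()):
        print(f"{qname:20s} {f}")
    print("suspicious:", flag_suspicious(feats))
```

Requester diversity on its own is not evidence of abuse, since popular legitimate names are also queried from many networks; the point of combining it with the reputation of the resolved address space, as the systems below do, is that the two features together separate a widely used CDN name from a name whose many requesters are infected hosts resolving it to known-bad infrastructure.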
(1) Kopis System [58]: Independently detects malware-related domains at the upper levels of the DNS hierarchy (e.g., the TLD level) by monitoring network traffic at that level. In particular, Kopis analyzes the streams of DNS queries and responses at authoritative name servers. From the monitored DNS traffic it extracts statistical features such as the diversity of network locations and the reputation of the IP space into which the domain name resolves. Kopis can predict malware-related domains from the monitored traffic patterns with a statistical classifier built on information available at the higher DNS levels. This distinguishes it from existing detection systems such as Notos [59] (see below) or Exposure [60]. Even without current IP reputation information, Kopis can accurately detect