John Heidemann / Papers / Whac-A-Mole: Six Years of DNS Spoofing

Whac-A-Mole: Six Years of DNS Spoofing
Lan Wei and John Heidemann
USC/Information Sciences Institute

Citation

Lan Wei and John Heidemann. Whac-A-Mole: Six Years of DNS Spoofing. Technical Report arXiv:2011.12978v1. USC/ISI. [PDF] [alt PDF]

Bibtex Citation

@techreport{Wei20c,
  author = {Wei, Lan and Heidemann, John},
  title = {Whac-A-Mole: Six Years of {DNS} Spoofing},
  institution = {USC/ISI},
  year = {2020},
  sortdate = {2020-11-30},
  project = {ant, retrofuturebridge, lacrend, lacanic},
  jsubject = {network_security},
  number = {arXiv:2011.12978v1},
  url = {https://arxiv.org/abs/2011.12978},
  pdfurl = {https://ant.isi.edu/%7ejohnh/PAPERS/Wei20c.pdf},
  blogurl = {https://ant.isi.edu/blog/?p=xxx},
  myorganization = {USC/Information Sciences Institute},
  month = {25 Nov},
  jlocation = {johnh: pafile},
  keywords = {dns, root, dns spoofing},
  abstact = {
  DNS is important in nearly all interactions on the Internet.  All
  large DNS operators use IP anycast, announcing servers in BGP from
  multiple physical locations to reduce client latency and provide
  capacity.  However, DNS is easy to \emph{spoof:}  third parties
  intercept and respond to queries for benign or malicious purposes.
  Spoofing is of particular risk for services using anycast, since
  service is already announced from multiple origins.  In this paper, we
  describe methods to identify DNS spoofing, infer the mechanism being
  used, and identify organizations that spoof from historical data.  Our
  methods detect overt spoofing and some covertly-delayed answers,
  although a very diligent adversarial spoofer can hide.  We use these
  methods to study more than six years of data about root DNS servers
  from thousands of vantage points.  We show that spoofing today is
  rare, occurring only in about 1.7\% of observations.  However, the
  rate of DNS spoofing has more than doubled in less than seven years,
  and it occurs globally.  Finally, we use data from B-Root DNS to
  validate our methods for spoof detection, showing a true positive rate
  over 0.96.  B-Root confirms that spoofing occurs with both DNS
  injection and proxies, but proxies account for nearly all spoofing we
  see.}
}
Copyright © by John Heidemann