DOCSLIB.ORG

Journal of Digital Forensics, Security and Law Automated Man-In-The

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Journal of Digital Forensics, Security and Law Automated Man-In-The Journal of Digital Forensics, Security and Law Volume 13 Number 1 Article 9 3-31-2018 Automated Man-in-the-Middle Attack Against Wi‑Fi Networks Martin Vondráček Brno University of Technology, Brno, Czech Republic, [email protected] Jan Pluskal Brno University of Technology, Brno, Czech Republic, [email protected] Ondřej Ryšavý Brno University of Technology, Brno, Czech Republic, [email protected] Follow this and additional works at: https://commons.erau.edu/jdfsl Part of the Digital Communications and Networking Commons, Forensic Science and Technology Commons, Information Security Commons, OS and Networks Commons, and the Software Engineering Commons Recommended Citation Vondráček, Martin; Pluskal, Jan; and Ryšavý, Ondřej (2018) "Automated Man-in-the-Middle Attack Against Wi‑Fi Networks," Journal of Digital Forensics, Security and Law: Vol. 13 : No. 1 , Article 9. DOI: https://doi.org/10.15394/jdfsl.2018.1495 Available at: https://commons.erau.edu/jdfsl/vol13/iss1/9 This Article is brought to you for free and open access by the Journals at Scholarly Commons. It has been accepted for inclusion in Journal of Digital Forensics, Security and Law by an authorized administrator of (c)ADFSL Scholarly Commons. For more information, please contact [email protected]. Automated Man-in-the-Middle Attack Against Wi‑Fi Networks Cover Page Footnote This paper is an extended version of the original paper that has been presented at the 9th EAI International Conference on Digital Forensics and Cyber Crime (Vondráček, Pluskal, & Ryšavý, 2018). This work was supported by Ministry of Interior of the Czech Republic project "Integrated platform for analysis of digital data from security incidents" VI20172020062; Ministry of Education, Youth and Sports of the Czech Republic from the National Programme of Sustainability (NPU II) project "IT4Innovations excellence in science" LQ1602; and by BUT internal project "ICT tools, methods and technologies for smart cities" FIT-S-17-3964. This article is available in Journal of Digital Forensics, Security and Law: https://commons.erau.edu/jdfsl/vol13/iss1/ 9 Automated Man-in-the-Middle Attack Against . JDFSL V13N1 AUTOMATED MAN-IN-THE-MIDDLE ATTACK AGAINST WI-FI NETWORKS Martin Vondr´aˇcek Jan Pluskal OndˇrejRyˇsav´y Brno University of Technology Faculty of Information Technology Boˇzetˇechova 2, Brno, Czech Republic fxvondr20g@stud.fit.vutbr.cz, fipluskal,rysavyg@fit.vutbr.cz ABSTRACT Currently used wireless communication technologies suffer security weaknesses that can be exploited allowing to eavesdrop or to spoof network communication. In this paper, we present a practical tool that can automate the attack on wireless security. The developed package called wifimitm provides functionality for the automation of MitM attacks in the wireless environment. The package combines several existing tools and attack strategies to bypass the wireless security mechanisms, such as WEP, WPA, and WPS. The presented tool can be integrated into a solution for automated penetration testing. Also, a popularization of the fact that such attacks can be easily automated should raise public awareness about the state of wireless security. Keywords: Man-in-the-Middle attack, accessing secured wireless networks, password crack- ing, dictionary personalization, tampering network topology, impersonation, phishing 1. INTRODUCTION proposed wireless security standards aim at prevention of such unauthorized access. Un- Recent enhancements to wireless technology fortunately, the first standard called WEP is strengthen the benefits of wireless commu- so weak that it is possible to crack the pass- nication. It is convenient to access the net- word in a few seconds using a conventional work from any location within the network laptop computer. The answer was the intro- coverage area. For most of the portable de- duction of stronger standard WPA and later vices, this is the only way to connect to the even stronger WPA2. In 2017, Mathy Van- network. Installation and network setup are hoef announced that he discovered a vulner- easy, and the network is further expandable. ability in security mechanisms that use the The main benefit of Wi-Fi, its accessibility, four-way handshake (WPA and WPA2) and makes this technology a suitable target of at- demonstrated how easily this vulnerability tacks. A potential attacker needs to be in the can be exploited. physical proximity of a Wi-Fi network. The The main focus of this paper is security 1This paper is an extended version of the original paper that has been presented at the 9th EAI Inter- of wireless networks. It provides a study of national Conference on Digital Forensics and Cyber widely used network technologies and mech- Crime (Vondr´aˇcek,Pluskal, & Ryˇsav´y,2018). anisms of wireless security. Analyzed tech- c 2018 ADFSL Page 59 JDFSL V13N1 Automated Man-in-the-Middle Attack Against . nologies and security algorithms suffer weak- evidence, it is scarcely used, because it re- nesses that can be exploited to perform Man- quires expert domain knowledge. Thus, this in-the-Middle attacks. A successful realiza- process of evidence collection is very expen- tion of this kind of attack allows not only sive and human resource demanding. to eavesdrop on all the victim's network traffic but also to spoof his communication (Prowell, Kraus, & Borkin, 2010, pp. 101{ Internet ISP 120; Callegati, Cerroni, & Ramilli, 2009). In an example scenario (Figure 1), the victim is a suspect conducting illegal activ- ity on a target network. The attacker is a law-enforcement agency investigator with appropriate legal authorization to intercept the suspect's communication and to perform a direct attack on the network. In some cases, the suspect may be aware that his communication can be intercepted by the In- AP ternet Service Provider and harden his net- work. For example, he could use an over- lay network technology, e.g., VPN (imple- mented by L2TP, IPsec (Kent & Seo, 2005, Suspect Investigator pp. 09{10), PPTP) or anonymization net- works (Tor, I2P, etc.) to create an encrypted tunnel configured on his gateway, for all Figure 1. Example forensics scenario where his external communication. This concept the suspect has hardened his network and is easy to implement and does not require uses an encrypted tunnel from the gate- any additional configuration on endpoint de- way (AP). vices. Generally, this would not be con- sidered a properly secured network (Godber The aim of this research is to design, im- & Dasgupta, 2003, pp. 425-431), but this plement and test a tool able to automate scheme, or similar, is often used by large ven- the process of accessing a secured WLAN dors like Cisco (Deal & Cisco Systems, 2006) and to perform data interception. Further- or Microsoft (Thomas, 2017) for branch of- more, this tool should be able to tamper with fice deployment and can also be seen in home the network to collect more evidence by redi- routers1. In such cases, intercepting traffic recting traffic to place itself in the middle on the ISP level would not yield meaning- of the communication and tamper with it, ful results, because all the communication is to access otherwise encrypted data in plain encrypted by the hardening. On the other form. Using the automated tool should not hand, direct attack on the suspect's LAN require any expert knowledge from the in- will intercept plain communication. But, vestigator. even when an investigator is legally permit- We designed a generic framework, see Fig- ted to carry out such an attack to acquire ure 3, capable of accessing and acquiring evidence from a wireless network regardless 1Asus RT-AC5300 { Merlin WRT has an option of used security mechanisms. This frame- to tunnel all traffic thought Tor. work can be split into several steps. First, Page 60 c 2018 ADFSL Automated Man-in-the-Middle Attack Against . JDFSL V13N1 it is necessary for an investigator to ob- 2. SECURITY tain access to the WLAN used by the sus- pect. Therefore, this research focuses on WEAKNESSES IN exploitable weaknesses of particular secu- WLAN TECHNOLOGIES rity mechanisms, see Section 2 for more de- Following network technologies (Sec- tails. Upon successful connection to the net- tions 2.1, 2.2), which find a significant work, the investigator needs to tamper with utilization, unfortunately, suffer from the network topology. For this purpose, security weaknesses in their protocols. weaknesses of several network technologies These flaws can be used in the process of can be exploited. From this point on, the in- the MitM attack. vestigator can start to capture and break the encryption on the suspect's communication. 2.1 Wireless Security Wired Equivalent Privacy (WEP) is a se- Specialized tools focused on exploiting in- curity algorithm introduced as a part of dividual weaknesses in security mechanisms the IEEE 802.11 standard (Halsall, 2005, currently used by WLAN s are already avail- p. 665; IEEE-SA, 2012, pp. 1167{1169). To- able. There are also specialized tools focused day, WEP is deprecated and superseded by on individual steps of MitM attacks. Tools subsequent algorithms, but is still sometimes that were analyzed and used in implemen- used, as can be seen from Table 1 avail- tation of the wifimitm package are outlined able from Wifileaks.cz 2. Fluhrer, Mantin, in Section 2. and Shamir (2001) presented that WEP is broken. There are tools that provide access Based on the acquired knowledge, refer- to wireless networks secured by WEP avail- enced studies and practical experience from able (Tews, Weinmann, & Pyshkin, 2007). manual experiments, authors were able to Regarding WEP secured WLAN s, authenti- create an attack strategy which is composed cation can be either Open System Authenti- of a suitable set of available tools. The strat- cation (OSA) or Shared Key Authentication egy is then able to select and manage in- (SKA) (IEEE-SA, 2012, pp. 1170{1174). In dividual steps for a successful MitM at- the case of WEP OSA, any station (STA) tack tailored to a specific WLAN configura- can successfully authenticate to the Access tion.
Load more

Recommended publications
  • DNS Spoofing 2
    Professor Vahab COMP 424 13 November 2016 DNS Spoofing DNS spoofing, also known as DNS Cache Poisoning, is one of the most widely used man-in-the-middle attacks that capitalizes on vulnerabilities in the domain name system that returns a false IP address and routes the user to a malicious domain. Whenever a machine contacts a domain name such as www.bankofamerica.com, it must first contact its DNS server which responds with multiple IP addresses where your machine can reach the website. Your computer is then able to connect directly to one of the IP addresses and the DNS is able to convert the IP addresses into a human-readable domain name. If an attacker is able to gain control of a DNS server and change some of its properties such as routing Bank of America’s website to an attacker’s IP address. At that location, the attacker is then able to unsuspectingly steal the user’s credentials and account information. Attackers use spam and other forms of attack to deliver malware that changes DNS settings and installs a rogue Certificate Authority. The DNS changes point to the hacker's secret DNS name server so that when the users access the web they are directed to proxy servers instead of authorized sites. They can also start to blacklist domains and frustrate the user with their day to day activities. All blacklisted domains would have their traffic dropped instead of forwarded to their intended destination. Based on the rogue Certificate Authority the system has no sign that an attack is taking place or ever took place.
    [Show full text]
  • Secure Shell- Its Significance in Networking (Ssh)
    International Journal of Application or Innovation in Engineering & Management (IJAIEM) Web Site: www.ijaiem.org Email: [email protected] Volume 4, Issue 3, March 2015 ISSN 2319 - 4847 SECURE SHELL- ITS SIGNIFICANCE IN NETWORKING (SSH) ANOOSHA GARIMELLA , D.RAKESH KUMAR 1. B. TECH, COMPUTER SCIENCE AND ENGINEERING Student, 3rd year-2nd Semester GITAM UNIVERSITY Visakhapatnam, Andhra Pradesh India 2.Assistant Professor Computer Science and Engineering GITAM UNIVERSITY Visakhapatnam, Andhra Pradesh India ABSTRACT This paper is focused on the evolution of SSH, the need for SSH, working of SSH, its major components and features of SSH. As the number of users over the Internet is increasing, there is a greater threat of your data being vulnerable. Secure Shell (SSH) Protocol provides a secure method for remote login and other secure network services over an insecure network. The SSH protocol has been designed to support many features along with proper security. This architecture with the help of its inbuilt layers which are independent of each other provides user authentication, integrity, and confidentiality, connection- oriented end to end delivery, multiplexes encrypted tunnel into several logical channels, provides datagram delivery across multiple networks and may optionally provide compression. Here, we have also described in detail what every layer of the architecture does along with the connection establishment. Some of the threats which Ssh can encounter, applications, advantages and disadvantages have also been mentioned in this document. Keywords: SSH, Cryptography, Port Forwarding, Secure SSH Tunnel, Key Exchange, IP spoofing, Connection- Hijacking. 1. INTRODUCTION SSH Secure Shell was first created in 1995 by Tatu Ylonen with the release of version 1.0 of SSH Secure Shell and the Internet Draft “The SSH Secure Shell Remote Login Protocol”.
    [Show full text]
  • Threat Modeling and Circumvention of Internet Censorship by David Fifield
    Threat modeling and circumvention of Internet censorship By David Fifield A dissertation submitted in partial satisfaction of the requirements for the degree of Doctor of Philosophy in Computer Science in the Graduate Division of the University of California, Berkeley Committee in charge: Professor J.D. Tygar, Chair Professor Deirdre Mulligan Professor Vern Paxson Fall 2017 1 Abstract Threat modeling and circumvention of Internet censorship by David Fifield Doctor of Philosophy in Computer Science University of California, Berkeley Professor J.D. Tygar, Chair Research on Internet censorship is hampered by poor models of censor behavior. Censor models guide the development of circumvention systems, so it is important to get them right. A censor model should be understood not just as a set of capabilities|such as the ability to monitor network traffic—but as a set of priorities constrained by resource limitations. My research addresses the twin themes of modeling and circumvention. With a grounding in empirical research, I build up an abstract model of the circumvention problem and examine how to adapt it to concrete censorship challenges. I describe the results of experiments on censors that probe their strengths and weaknesses; specifically, on the subject of active probing to discover proxy servers, and on delays in their reaction to changes in circumvention. I present two circumvention designs: domain fronting, which derives its resistance to blocking from the censor's reluctance to block other useful services; and Snowflake, based on quickly changing peer-to-peer proxy servers. I hope to change the perception that the circumvention problem is a cat-and-mouse game that affords only incremental and temporary advancements.
    [Show full text]
  • Thesis That TW-OR Forwards All DNS Queries to a Resolver in China
    The Impact of DNSSEC on the Internet Landscape Von der Fakult¨atf¨urIngenieurwissenschaften, Abteilung Informatik und Angewandte Kognitionswissenschaft der Universit¨atDuisburg-Essen zur Erlangung des akademischen Grades Doktor der Ingenieurwissenschaften genehmigte Dissertation von Matth¨ausWander aus Lubin (L¨uben) Gutachter: Prof. Dr.-Ing. Torben Weis Prof. Dr.-Ing. Felix Freiling Tag der m¨undlichen Pr¨ufung:19. Juni 2015 Abstract In this dissertation we investigate the security deficiencies of the Domain Name System (DNS) and assess the impact of the DNSSEC security extensions. DNS spoofing attacks divert an application to the wrong server, but are also used routinely for blocking access to websites. We provide evidence for systematic DNS spoofing in China and Iran with measurement-based analyses, which allow us to examine the DNS spoofing filters from van- tage points outside of the affected networks. Third-parties in other countries can be affected inadvertently by spoofing-based domain filtering, which could be averted with DNSSEC. The security goals of DNSSEC are data integrity and authenticity. A point solution called NSEC3 adds a privacy assertion to DNSSEC, which is supposed to prevent disclosure of the domain namespace as a whole. We present GPU-based attacks on the NSEC3 privacy assertion, which allow efficient recovery of the namespace contents. We demonstrate with active measurements that DNSSEC has found wide adoption after initial hesitation. At server-side, there are more than five million domains signed with DNSSEC. A portion of them is insecure due to insufficient cryptographic key lengths or broken due to maintenance failures. At client-side, we have observed a worldwide increase of DNSSEC validation over the last three years, though not necessarily on the last mile.
    [Show full text]
  • Protecting Browsers from DNS Rebinding Attacks
    Protecting Browsers from DNS Rebinding Attacks Collin Jackson Adam Barth Andrew Bortz Stanford University Stanford University Stanford University [email protected] [email protected] [email protected] Weidong Shao Dan Boneh Stanford University Stanford University [email protected] [email protected] ABSTRACT these security goals, modern browsers implement the same- DNS rebinding attacks subvert the same-origin policy of origin policy that attempts to isolate distinct “origins,” pro- browsers and convert them into open network proxies. We tecting sites from each other. survey new DNS rebinding attacks that exploit the inter- DNS rebinding attacks subvert the same-origin policy by action between browsers and their plug-ins, such as Flash confusing the browser into aggregating network resources Player and Java. These attacks can be used to circumvent controlled by distinct entities into one origin, effectively con- firewalls and are highly cost-effective for sending spam e- verting browsers into open proxies. Using DNS rebinding, mail and defrauding pay-per-click advertisers, requiring less an attacker can circumvent firewalls to spider corporate in- than $100 to temporarily hijack 100,000 IP addresses. We tranets, exfiltrate sensitive documents, and compromise un- show that the classic defense against these attacks, called patched internal machines. An attacker can also hijack the “DNS pinning,” is ineffective in modern browsers. The pri- IP address of innocent clients to send spam e-mail, commit mary focus of this work,
    [Show full text]
  • Dns / Opennic / Dnscrypt
    dns / opennic / dnscrypt Serial: 2015111401 What is DNS ● Domain Name System ● In simple words when you are looking for hackerspace.gr you 're looking for the IP of the server that hosts the hackerspace site. ● But how ? How DNS works public/open dns ● Goodle dns – 8.8.8.8 2001:4860:4860::8888 – 8.8.4.4 2001:4860:4860::8844 ● OpenDNS – 208.67.222.222 2620:0:ccc::2 – 208.67.220.220 2620:0:ccd::2 ● norton dns/comodo/dns advantage/dns.watch ● fdn/freeDNS/Verisign ● BUT THEY ALL track what you are watching!!!! https://www.opennicproject.org/ ● OpenNIC is an alternate network information center/alternative DNS root which lists itself as an alternative to ICANN and its registries. ● Total DNS Neutrality ● Have A Say In Your DNS ● Protect Your Privacy ● No More ISP DNS Hijacking ● No Cost (Gratis) ● Freedom From Government Intervention openic website/wiki New Top Level Domains .bbs .ing .dyn .micro .free .neo .fur .null .geek .oss .gopher .oz .indy .parody 1. How does opennic work? . 82796 IN NS ns9.opennic.glue. 82796 IN NS ns3.opennic.glue. 82796 IN NS ns8.opennic.glue. 82796 IN NS ns4.opennic.glue. 82796 IN NS ns10.opennic.glue. 82796 IN NS ns6.opennic.glue. 82796 IN NS ns7.opennic.glue. 82796 IN NS ns2.opennic.glue. ;; Received 174 bytes from 94.242.59.170#53(94.242.59.170) in 126 ms 2. gr. 172800 IN NS gr-br.ics.forth.gr. gr. 172800 IN NS gr-at.ics.forth.gr. gr. 172800 IN NS estia.ics.forth.gr.
    [Show full text]
  • DNS and the DNS Cache Poisoning Attack
    Lecture 17: DNS and the DNS Cache Poisoning Attack Lecture Notes on “Computer and Network Security” by Avi Kak ([email protected]) June 25, 2021 3:21pm ©2021 Avinash Kak, Purdue University Goals: The Domain Name System BIND Configuring BIND Running BIND on your Ubuntu laptop Light-Weight Nameservers (and how to install them) DNS Cache Poisoning Attack Writing Perl and Python code for cache poisoning attacks Dan Kaminsky’s More Virulent DNS Cache Poisoning Attack CONTENTS Section Title Page 17.1 Internet, Harry Potter, and the Magic of DNS 3 17.2 DNS 5 17.3 An Example That Illustrates Extensive DNS 13 Lookups in Even the Simplest Client-Server Interactions 17.4 The Domain Name System and The dig Utility 28 17.5 host, nslookup, and whois Utilities for Name 42 Lookup 17.6 Creating a New Zone and Zone Transfers 45 17.7 DNS Cache 48 17.7.1 The TTL Time Interval 51 17.8 BIND 56 17.8.1 Configuring BIND 58 17.8.2 An Example of the named.conf Configuration File 64 17.8.3 Running BIND on Your Ubuntu Laptop 68 17.9 What Does it Mean to Run a Process in a 70 chroot Jail? 17.10 Phishing versus Pharming 73 17.11 DNS Cache Poisoning 74 17.12 Writing Perl and Python Code for Mounting a 81 DNS Cache Poisoning Attack 17.13 Dan Kaminsky’s More Virulent Exploit for 92 DNS Cache Poisoning 17.14 Homework Problems 99 Computer and Network Security by Avi Kak Lecture 17 Back to TOC 17.1 INTERNET, HARRY POTTER, AND THE MAGIC OF DNS If you have read Harry Potter, you are certainly familiar with the use of owl mail by the wizards and the witches.
    [Show full text]
  • A Review of Man-In-The-Middle Attacks
    A Review of Man-in-the-Middle Attacks Subodh Gangan Abstract: This paper presents a survey of man-in-the-middle (MIM) attacks in communication networks and methods of protection against them. In real time communication, the attack can in many situations be discovered by the use of timing information. The most common attacks occur due to Address Resolution Protocol (ARP) cache poisoning, DNS spoofing, session hijacking, and SSL hijacking. Introduction Man-in-the-Middle (MIM) attacks make the task of keeping data secure and private particularly challenging since attacks can be mounted from remote computers with fake addresses. Whereas communications security was primarily that of breaking of encryption transformations (as in the case of the Enigma machine during the Second World War [1]), the problem of security in computer networks also involves active interference by intruders, and of these MIM attack is one of the most spectacular. The MIM attack takes advantage of the weaknesses in the authentication protocols being used by the communicating parties. Since authentication is generally provided by third parties who issue certificates, the system of certificate generation becomes another source of potential weakness. The MIM attack allows the intruder or the unauthorized party to snoop on data through the backdoor. This intervention is also being used by companies to pry upon their employees and for adware. For example, in early 2015, it was discovered that Lenovo computers came preinstalled with adware called Superfish that injects advertising on browsers such as Google Chrome and Internet Explorer. Superfish installs a self-generated root certificate into the Windows certificate store and then resigns all SSL certificates presented by HTTPS sites with its own certificate.
    [Show full text]
  • Attack Packet Victim Response Rate
    CS 361S Attacks on TCP/IP, BGP, DNS Denial of Service Vitaly Shmatikov slide 1 Reading Assignment “SYN cookies” by Bernstein “IP spoofing demystified” from Phrack magazine “It’s the end of the cache as we know it” by Kaminsky (BlackHat 2008) slide 2 Warm Up: 802.11b NAV (Network Allocation Vector) • 15-bit field, max value: 32767 • Any node can reserve channel for NAV microseconds • No one else should transmit during NAV period … but not followed by most 802.11b cards De-authentication • Any node can send deauth packet to AP • Deauth packet unauthenticated … attacker can repeatedly deauth anyone slide 3 Internet Is a Network of Networks backbone ISP local network Internet service provider (ISP) Autonomous system (AS) is a local network collection of IP networks under control of a single administrator (e.g., ISP) TCP/IP for packet routing and connections Border Gateway Protocol (BGP) for route discovery Domain Name System (DNS) for IP address discovery slide 4 OSI Protocol Stack email, Web, NFS application presentation RPC session TCP transport IP network Ethernet data link physical slide 5 Data Formats application Application data message layer transport TCP TCP TCP segment layer header data header data header data network IP TCP packet layer header header data data link Ethernet IP TCP Ethernet frame layer header header header data trailer slide 6 IP (Internet Protocol) Connectionless • Unreliable, “best-effort” protocol Uses numeric addresses for routing Typically several hops in the route Alice’s computer Bob’s ISP Packet Alice’s
    [Show full text]
  • Whac-A-Mole: Six Years of DNS Spoofing Lan Wei John Heidemann {Weilan,Johnh}@Isi.Edu University of Southern California/ Information Sciences Institute
    Whac-A-Mole: Six Years of DNS Spoofing Lan Wei John Heidemann {weilan,johnh}@isi.edu University of Southern California/ Information Sciences Institute ABSTRACT cryptographic signature that can verify each level of the DNS is important in nearly all interactions on the Internet. DNS tree from the root. Unfortunately, DNSSEC deployment All large DNS operators use IP anycast, announcing servers is far from complete, with names of many organizations in BGP from multiple physical locations to reduce client la- (including Google, Facebook, Amazon, and Wikipedia) still tency and provide capacity. However, DNS is easy to spoof: unprotected [23], in part because of challenges integrating third parties intercept and respond to queries for benign or DNSSEC with DNS-based CDN redirection. Even for domains malicious purposes. Spoofing is of particular risk for services protected by DNSSEC, client software used by many end- using anycast, since service is already announced from mul- users fail to check DNSSEC. tiple origins. In this paper, we describe methods to identify While there has been some study of how DNS spoofing DNS spoofing, infer the mechanism being used, and identify works [10], and particularly about the use of spoofing for organizations that spoof from historical data. Our methods censorship [15], to our knowledge, there has been little pub- detect overt spoofing and some covertly-delayed answers, lic analysis of general spoofing of DNS over time. (Wessels although a very diligent adversarial spoofer can hide. We currently has an unpublished study of spoofing [36].) Increas- use these methods to study more than six years of data about ing use of DNSSEC [11], and challenges in deployment [5] root DNS servers from thousands of vantage points.
    [Show full text]
  • How India Censors The
    How India Censors the Web Kushagra Singh∗ Gurshabad Grover∗ Varun Bansal Centre for Internet and Society Centre for Internet and Society Centre for Internet and Society [email protected] [email protected] [email protected] ABSTRACT First, the regulations do not mandate ISPs to use specific filter- One of the primary ways in which India engages in online censor- ing mechanisms. Thus, ISPs are are at liberty to employ various ship is by ordering Internet Service Providers (ISPs) operating in its technical methods [47]. jurisdiction to block access to certain websites for its users. This pa- Second, website-blocking orders, especially those issued by the per reports the different techniques Indian ISPs are using to censor Government, are rarely available in the public domain. ISPs are, in websites, and investigates whether website blocklists are consistent fact, mandated by regulations to maintain confidentiality of cer- across ISPs. We propose a suite of tests that prove more robust than tain website-blocking orders issued by the Government [3].Various previous work in detecting DNS and HTTP based censorship. Our attempts by researchers and advocacy organisations to obtain the tests also discern the use of SNI inspection for blocking websites, complete list of blocked websites have failed [4, 24]. which is previously undocumented in the Indian context. Using Third, the whimsy of ISPs and the Government aggravates these information from court orders, user reports and government orders, problems. Despite strict net neutrality regulations in India that we compile the largest known list of potentially blocked websites in prohibit ISPs from arbitrarily restricting access to websites [35], India.
    [Show full text]
  • DNS Spoofing and Poisoning
    DNS Spoofing and Poisoning: Trust, Danger, and Solutions Alex Polyakov [email protected] Mentor: Ming Chow, Department of Computer Science, Tufts University Abstract. The Domain Name System is the way in which human-readable domain names resolve to numeric IP addresses. This protocol is meant to facilitate an easy, streamlined navigation pattern for human users across the web. Unfortunately, the user-friendly choices made in the design of the protocol come with tradeoffs when considering the security qualities thereof. This paper is meant as an overview of the threats facing the protocol, and by extension users on networks where DNS is in use as an address resolution mechanism. We will explore methods of attacking the system as well as potential motivations and benefits for attackers. Finally, the paper will propose several techniques defend the system against attacks, both on the level of individual users or providers, and on the level of protocol features that govern the functionality of DNS. 1. Introduction – The Domain Name System The Domain Name System (DNS, for short), is the application-layer protocol which governs the way that Human-Readable addresses (i.e. a URI in the form “http://www.google.com”) resolve to numeric IP addresses for the purpose of sending requests and responses along a network. The chief use of DNS is to provide human users of the Internet with a way to access the network, but abstract away the necessity for users to memorize the actual numeric identifiers for the resources therein. Often, a network DNS is likened to a physical phonebook, where human-readable names are also translated to numeric identifiers for navigation of the network (i.e.
    [Show full text]