Abstract

Networks not employing destination-side source address validation (DSAV) expose themselves to a class of pernicious attacks which could be prevented by filtering inbound traffic purporting to originate from within the network. In this work, we survey the pervasiveness of networks vulnerable to infiltration using spoofed addresses internal to the network. We issue recursive Domain Name System (DNS) queries to a large set of known DNS servers world-wide using various spoofed-source addresses. In late 2019, we found that 49% of the autonomous systems we tested lacked DSAV. After a large-scale notification campaign run in late 2020, we repeated our measurements in early 2021 and found that 44% of ASes lacked DSAV--though importantly, as this is an observational study, we cannot conclude causality. As case studies illustrating the dangers of a lack of DSAV, we measure susceptibility of DNS resolvers to cache poisoning attacks and the NXNS attack, two attacks whose attack surface is significantly reduced when DSAV in place. We discover 309K resolvers vulnerable to the NXNS attack and 4K resolvers vulnerable to cache poisoning attacks, 70% and 59% of which would have been protected had DSAV been in place.

Degree

MS

College and Department

Physical and Mathematical Sciences; Computer Science

Rights

https://lib.byu.edu/about/copyright/

Date Submitted

2021-10-25

Document Type

Thesis

Handle

http://hdl.lib.byu.edu/1877/etd11917

Keywords

IP Spoofing, DNS Security, Large-scale Vulnerability Disclosure, Network Measurement

Language

english

Share

COinS