Enhancing DNS Security using Dynamic Firewalling with Network Agents

Transcription

1 Proceedings of the Federated Conference on Computer Science and Information Systems pp ISBN Enhancing DNS Security using Dynamic Firewalling with Network gents Joao fonso Foundation for National Scientific Computing Lisbon, Portugal Pedro Veiga Department of Informatics University of Lisbon Lisbon, Portugal bstract In this paper we propose a solution to strengthen the security of Domain Name System (DNS) servers associated with one or more Top Level Domains (TLD). In this way we intend to be able to reduce the security risk when using major internet services, based on DNS. The proposed solution has been developed and tested at FCCN, the TLD manager for the.pt domain. Through the implementation of network sensors that monitor the network in real-time, we are capable to dynamically prevent, detect or limit the scope of attempted intrusions or other types of occurrences to the DNS service. The platform relies heavily on cross-correlation allowing data from a particular sensor to be shared with the others. dministration tasks such as setting up alarms or performing statistical analysis are made through a web-based interface. Index Terms DNS; risk; security; intrusion detection system; real-time;monitoring. O I. INTRODUCTION BSERVING internet usage and world population statistics [1] updated on March 2011, there are 30.2% internet users of the estimated world population of 6.8 billion. If we take a closer look to Europe this value increase to 58.3 %(with a growth rate of 353.1% between 2000 and 2011) and in North merica, there are 78.3 % of internet users (growth rate of 151.7% at same period), as shown in Fig. 1. Figure1. Internet penetration (% population) The DNS service is required to access , browse Web sites, and is needed for normal operation in all major services in the Internet (most of them use critical information, like e-banking). Taking care of the huge number of internet users, and the risk associated with the fact that all major applications requires the DNS service, there is a security risk needed to be reduced. DNS servers assume a pivotal role in the regular running of IP networks today and any disruption to their normal operation can have a dramatic impact on the service they provide and on the global Internet. lthough based on a small set of basic rules, stored in files, and distributed hierarchically, the DNS service has evolved into a very complex system [2]. ccording to other recent studies [3], there are nearly 11.7 million public DNS servers available on the Internet. It is estimated that 52% of them allow arbitrary queries (thus allowing the risks of denial of service attacks or poisoning of the cache). They are still nearly 33% of the cases where the authoritative nameservers of an area are on the same network, which facilitates the attacks of Denial of Service (DOS). Furthermore, the type of attacks targeting the DNS are becoming more sophisticated, making them more difficult to detect and control on time. Examples are the attacks by Fast Flux (ability to quickly move the DNS information about the domain to delay or evade detection) and its recent evolution to Double Flux [4]. central aspect of a security system is the ability to collect statistically useful information about network traffic. This information can be used to monitor the effectiveness of the protective actions, to detect trends in the collected data that might suggest a new type of attack or simply to record important parameters to help improve the performance of the service. The fact that the DNS is based on an autonomous database, distributed by hierarchy, means that whatever solution we use to monitor, it must respect this topology. In this paper we propose a distributed system using a network of sensors, which operate in conjunction with the DNS servers of one or more TLDs, monitoring in real-time the data that passes through them /$25.00 c 2011 IEEE 777

2 778 PROCEEDINGS OF THE FEDCSIS. SZCZECIN, 2011 '/DDC&CEEECD&DDDDC/ "FEDDC&E&CCD & 7D ECDE B CD&D C/ C/E EC/EDDC/ED%EC& CC7EBDECBCC/E"FC '/ DE*CD*/CEDEDE B&D& ECB & C/ C*E7 E D BC C C/ &C C DCE CC7D &CBECEDCC/DDCDDCCD*/C/E C DCE BDEC CED CCE / B C?DC EC C CDD C/ CE D E* C7 C DDDC C/ BCCD CD%BDCD% '/ EDD C/ E D CCEB * CD0E%DB7BDECDEEBDECB *E7CD2DCEB&C(=DEC#CD B* BED C/ EB CD CD 9 EC CB& E%DBCD C/ E# CD 5 C/ C C/EB D C/ CB& E &CB D& CD < EC D B BDECD E EC/E*E7 ## (8'8">)(D )C/DECCBDC/C*DCBDC/DE /C/C/E/DCEBDE*DC/CCDCB =BB +9-'/DE DCD BDDB%ED C/CEBDCDF#F"+5-*E7DCC/E*DC/CCEB GE&:G;%EDDDB(CDBC C &C :("F.; E "F DC C/D CDDCEECBC/EDBDEED F#F" HBE ECB &C E EDC&.DCED "F CED +<- D C*E7 E*DC/C DCEED *DC/C/"FE%ECDCEB'/DDCEEC CD C/C B C ED C//D/ %DDDC& BBEC/"FE%D!D?D EB "F CED CE CDDC& B "F+6-'/DCDCEBDE&BCD ECDC/ECBEBCCEDD%B D'/ DCDDDDECCB+I- 4 B DCEDCEDC*E7CEDB/DEEDB 7C EDCD CDEB E "F CECD B EC CD *D E DC C C/ "F */CB&/*DE& C/EC%DD""FCCDCDCE +,1-" D DCD E CD B &CD CCDCD&"FE%E.ECEDBC/ DDC& C E EDC B E/ DDB"F =ED BCDBCDCEBDGBC'/DC *E7DDB"FE%EEDC/EE%EC/CJCEJ DBDECDCEDE"FB DEDC EB CCB DDBC E &CDF#F"=E&+,,-'/DECDE&C DB C/ CCDCD &D E%DB DECDEEBDC/7DBCCDECB DECDD%DC//C/>BEC8/ EDC&DDBCCDECBCD%CD ###.8'K)"))EL 'CEBC/DDBCED7D"FECD C/E/DCCEC/&CC/C*/%B%DC DE%C/EDC&EEBDD&C/"F EC E%D *CB CED B EDE C/ EDD ' % "D > E E/DCCEEDDDCECB ECCDCD "FE%E*E7DCC/E*DC/%EC*E7E C/C&D%CBBDCBDE*CDCED /DC E & CBDC/C*E7 DCE C/ CED D C C/"F DECCE DBCD& CCD& /CEDDEDC/C/C*/%B%BB CCBBC/DDECDCDCCEDC/C/ DBCDDB/EDC&C/EC %E C*E7 E DCE BDEC EC C/ DECCE B?/ DECD ECB C EDC& CC7#C/D*&/*D D0DC/B D C?/ EDCD EDC& DECD C* C/ E# BBDCD C DE D EE C/D ECD/BE%CCC7E%EE DBCDDB & C/E E DD'/D ED D E%C D 7DB CC7 E BDECB C %E CC/"FDECCE DE0"DEC/BDEBCD B C D )C/D ECE*E7DC/EDC/C DBCD& CED/ C C/"F# EBE C DC C/ CCB/&C/D D C/ E/DCCE B 7 C/"F EC DDC D DC D E& C & /EDCD*/D/ D E CD %C C/ DECD CB E BDEC E B D %DC *D/CC/CBCEBD& '/CC/C*/%/C/%DCD C/ EDC& DDBC "F E C/ E EE &D C& =ED B C/ CCDC*EEC/EE CB B DECD EECB E DCD BCCD &C )E &C C/ *D C %C ECEC/CEC/D7D/BC/EE EDC&DDBC : ; = ,9+ F 109+ E 101

3 JOO FONSO, PEDRO VEIG: ENHNCING DNS SECURITY USING DYNMIC FIREWLLING WITH NETWORK GENTS 779 ECEDBEBD&DC/D )EE:); (EC C/ E CD :DC; C/C/% D% DD E* 7B C/C C/ BDCEDCB C/ BDCB D '# 'F8#4)F'(#F$'#)F) 'K8F$.F8() )$((8F8) )$(8#F.##)$K8$(#'# D, <93 BEE,113 &D:;(CD%CDC/B%DCD C/% EEBB D ECD C C/ %E E%BCCDCDBC/EDCEDB*D/C DBCDDB*D'## 'F8##4)F'(#F$'#)F) 8!8F''L# #8")'8F'#L.##)$)$(8E#!8F#FK8$(#'# 8CDECCEECCC:M (;,113 ECDCEECCCC:#M (; 913 #EEC=E&%91C<93 <93 %EE #EEC=E&%?BD<93,113 GE&%913C/%E 913 &EDD FCC/CC/CDC&C/%D%EEC/ BCEDCD EE % D% C/ D B%CBCCB 'D C* EE:E; CD D C EE D% E BDCEDCB*DC/ C/ *D/CDCBCC/CD*DDC 'F8###4>8#EK') "# 8(8F''#.8F8'>88F8K)$((8F8 C/,.DC,113 C/,KE <93 C/,"& 913 C/,>7 093 #DB:F;FEEC/CEEC7 DC/BBE EC/CD*E%B?ED, O! ND D OD DN # C/ %?ED C/ CE"!#D D EECC/EEDCC/ED C/ DECCE B C?/ DECD C/% '/ C/E CE OENCC7B CB E C/ EEC/CEECEECDEDC& DDBC #CD"CCD&C:#;>DBEBC/ C/ EC CE D E C B C/E E E CEDCB DCE EDC&DDBCECDCC/"FE%D 'F8#!4#F'8()FF8'#)F>#'K'8.)("'E'K8(8" (). #F'($#)F"8'8'#)FL'8. $% &!'!( (D)&* *% 2B3.DBB% 5<3 KD/%,113 E C/ CD%CD D DE* E*D E=DE, '/ /* %C7% =C EECEC/109P 0 '/DCDC*EEEDCEDC/ 8?CD*/ED%DDECDE C/C/EED*/D/DEDCED DDDCP 2 #C ECB C/?DCD */DC DC D C/ EDCE& *D DBEB ED%DB EC/CEC7B #C/D*&*%DBEDDC/#CEC E%D DBED C/ 7& E &B & "F C/ >/DC DC ECC 7& BBE E D 7B D DCD% %C '/D DC D ECB E EEB CCB E*DBBEDCB/EC ECCB E D BBB C C/ DE* )? D C/ DC DCE BBE BC/"FE%E# #CBEC/E%DC/DE**DB CEDC&C/*DCD, 8?BB C/ =ECD EDB B C/ ECEDP 0 '/?ED CD%CD:/EDCD; B C:CD;/7C/EEBE

4 780 PROCEEDINGS OF THE FEDCSIS. SZCZECIN, 2011 #! ())8")$'#)F + /*D D2C/DCDDBC*E7 EDC/C&CCED*DDCC/"F E%E D C/ E %DB E D%DB =ED E C/ DECDED%BEC/EEBDECEDCD EDDC*E7BBE#E/%DE D BCCB E C/E D DD /%DE E ECD C*E7 BBE DC*D 7B D C/ DE* B C/ C/EECDDBC/&CEBD&'/&C C C/ E CD E / ECD C %CC/EEC/E%E B F,!, DEBGECDEBE%EC/ DE* EBDCE BDBCC/C*C//C/ E/BD E C/"F E%E D CECB EBD C CBEB C DE* *B & DD EEBDCC/BBEC/CED7B DECD'/=EDEC/BD%EBCC/EEC &CBBCEBDC/("F.CC/CDC/&C EBC/>EC: D9; DE2F7"DEEBCD E/DECBDC/EDE*C/E*D EDB=ECDBCC/BC/DCDC/E *D %C C/ /%DE C/C E C %C C/ BBCE%C//*D DB DE9FC*E7BC* DECD CB D CEB D BC DCBD.&G+,0-'7DDCDBECDC/ B C CDDC C/ EE C/ =ED B C EBC/%DECDCEBC/BCDBD%DBB DCEBDECC '/ %ED C/ # BBE E B BCDCD:"FE%E;DCDCEEC/*B E / E DDC BC CE B DDDC DE%CDC/%EEEC/CD

5 JOO FONSO, PEDRO VEIG: ENHNCING DNS SECURITY USING DYNMIC FIREWLLING WITH NETWORK GENTS 781 '/ DECD EEBD =ED B D CEB BD&DCB7C%DBEDC/?C21B& '* C CDD C/ C C/C E B&D& DB 4 BB E E%B B DCCD C/C/%CEDEBCEC/EECECDC/ DE* BDCDE%E&CDDEDCEB '/DECDE=DEBBDCDBCCDCDC7 %E?DE D!!(DD-! '/ CCDCD DECD CB B CEB D C/ BC/DDDCCBCD#CDDE? C C E / E C/ %CD =ED E DC CD:/E B& C; B& ECCB E=C"F =ED EE C& B BCED C/ EC/CEBC/ECCD#CD DCC/CBEBB%DCDD%E *ECDCCC/CD*DC/C/C/E/DC+,9- '/ EE C/ "F EC E D EC& EB EEBD C/ E CD E E=C"CDCC&EDCEBBEDEDB DEECDE?BB! 8'$"L )E E /% BE B%C D CE 0115 C F 4*// C/ EDDDC& C EDCE B DCD C/ BD BE C/ ' '" CECCDC/EEC*EDCC/BC C/"F E%E: C C/ EDE&"F B C/E *E7DCC/E*DC/BE&"FE%E; '/C*E7&CEDC/E7+,5-BC/DE*B D# DCE +,2-'/ E CD EE* EEB D % CD C/ DECD ED%B E C/ C/E7 '/>E%EDD/*DC/K (EBD C/ M E%E +,B-* / C/ D% ECE BEDCECBCC/E '/CDECDBEDB%* C/* CE* B%B*C D C/,C E& 011< B C/ BC E C/%ED C* CBEC/,1C/.&0116CD*: D5; DE5>EC # BBDCD C C/ ECD DCED B CD CCDCD ECD C C/ ECD "F E%D /* % C/ CD EB/E D&BCCDDDCCDD%C/CC/CDCD &DE ) C/ DCD* C/ %C FEC/ CCD 'EC&)EDCCD:F');CD01,1CC/ EDB,9C0,F%E01,1 ' EB EDC& ED7 D C/ E C/#CEC D%%B D %C E E DBEB C %E*ECBBBBD&DCED%E C/ '/& *E DDB DC E CED * EC 7D %EC B DBCE&'/ BC CB & / E ECB CCE CCD E / C/ CED B BCC E DCCD EEB*/B%DCD/ECCE: D<; EDC CDDCD*E EEB D F. CE DE<.DCED"FE%DCF')%CQD01,1!# (8$' > EC/E C/ C C/ C,0 C/ BC CD:C*,C.& 011I B 2,C.& 01,1; '/%EE=CCC/EDE&"FE%E DC,I<5IIB5EB&:006E;DCEEB C< C/ C01,, '/ EE C/ BC &D EE D %,0B1 E=C EB E :DCEB%DBCB B DECBDC/BC; $DC/BCCB&C/EBEDC/DCD EDB**ECCCCDCDDECD "D& CCDCD & C& "F EC EDCE BP FE #CECDDCB BD :#"F; =EDP FEBD&=EDC#!5"FC& : D6;

6 782 PROCEEDINGS OF THE FEDCSIS. SZCZECIN, 2011 DE6CCDCD&D&#!5EEBB:; "CC? E :C/C E C EDC& DDBC; E?**E C BCC C/C D%#* D C/ EDE& ' "FE%ECDE%E '/ E =ED B*?D%*/ EB *DC/ C/ %E % E E E/D % C #CEC E%D E%DBEC/CECBEC/'BD "CCDCCDDBDBDE%D CC7*DC/C/?CDD%=ED#C,0 C/ &D C/E E,<") CC7 CEDEB '/&*EDCC&7BBBBEBD =ECD:'!; 'F8! 8M.8 >K8F'K8 8F)("8'8'8" #'$'#)F'K' (8G$#(8"'K8 #(8>($8')KFE D DD????011B9 01,,161910,9BB BB????BB52????,<,00 01,, ,0 (%????BB52????,0I9, 01,,16191BB<,B BB????BB50????,B02I 01,, <0I BB????BB50????,B,2, 01,, (%????BB52!## )F$#)FF" $'$(8>)(D '/DECD/ECB%E/CEBC/ EDC& ED7 C/ DCEC DCD C/C "F E%D)CDDBC/?DCDCDC/C C CCDCD DECD EEBD"F E%D & BBDC/DDC&CBCCBCEDC&DDBCD E CD#C BB C/ B%C ECD D BDCEDCB *& *D C/?/ DECD C* ECD E B C/ EDEC DC *EDC&%EDCDC/ECB EEC& C/ CD ECB B C * C/ ED BBE D C/#%5 EC'/ C/D C C/C B C C/D DCCD E D7B C C/ B C CDDC C/ EE C/ BC EEBE DCD 7D DC D C CE C/ BC E CCD ) D CD E % C/D D D C / C/ BCDCC/CDEDCED F%EC/ =ED B C#%5 BBE E CDBDC/DCD:C&; > E *E7D?CBD C/ BC EECD DDCD C/ &C & BBD DECD CB EC/E:DCDBCCD&CEDC; > CDDC C/C C/D B % E/ C EB DBE& C/ E DCD% B CD%+,<- (8 8(8F8 +,- #CEC $ B >EB CD CCDCD*DC + /CCQQ***DCEC*EBCCQCC/C- C B <C01,, +0-!D?D@"F?DC&.G%92ED 011< +2- " > J (C "F E%&J "F)( F%E011< +B- "%DDC@D7E&B(%D*#FF.&01,1 +9- G"F *DC +/CCQQ/CDDC6161QRC0,1990Q =B/C-CB<C01,, +5- F#F" *DC +/CCQQ***DEQEBCQF#F"- C B<C01,, +<- F HBE@EDC&.DCED "F CED.& !D?D" > "F 4"F CED CE CDDC&#">E7/&011< +I- " > J>/C F* *DC/ "J "F)( F%E011< +,1- *E FE7& FCD ECE&'B*DC /CCQQ***CBE +,,- / DEDC J CCB#DBC( &C $DF#F"GE&J0115 +,0-.&G *DC 4 :) E "C; +/CCQQ***&=-CB<C01,, +,2-# #'8( 4 'Q# DE*QF' C*E +/CCQQBQR%- C B < C01,, +,B- DCBE 8B 8?CD.D B E EC:M.;E( 2I01011B +,9- S 8BB.CDE J"%C #CECB CD E#CD"CCD.B FB "C EECDJ D E C/ #888 #FT15 #CECD E FC*E7D B E%D #FT15DD!&$&0115 +,5-'/E7 *DC 4 '/ >DE/E7 FC*E7 &CE +/CCQQ****DE/E7E-CB<C01,, +,<- SBE!D@ECCDC/"F#ECCE '%"D('DDCED*DC/FC*E7 >F0116B C/ #8884#CECD>E7/ >DE B E FC*E7 EDC& CC $ 0I CE40)CE0116