
Project

Large-scale analysis of attack techniques on Internet domain names

The Domain Name System (DNS) is a fundamental element of today’s Internet. Virtually all online connections depend on resolving a domain name to an IP address. Consequently, DNS is a high-profile target for attackers. Domain names are exploited and abused to hijack traffic, and they are also employed by cybercriminals to set up their infrastructure. In this dissertation, we report on large-scale, data-driven analyses of new attacks and cybercriminal ecosystems concerning Internet domain names. We start the thesis by presenting an updated view on recent developments in the DNS abuse landscape, incorporating a wide variety of attack vectors.

This work presents two ecosystem analyses that provide insights into how and why malicious registrations are made. The first study extensively scrutinizes 14 months of registration data of the .eu TLD to identify large-scale malicious campaigns. We explore the ecosystem and modus operandi of elaborate cybercriminal entities that recurrently register large numbers of domains for one-shot, malicious use. The second ecosystem analysis focuses on the domain parking industry. We provide an in-depth exploration of domain parking services. In particular, we examine this monetization strategy of deceptive and parasitic registrations and analyze the harmful consequences for users who unwittingly land on parked domains.

Furthermore, the thesis covers two newly discovered DNS vulnerabilities that enable attackers to hijack domain names through their nameservers: “nameserver typosquatting” and “nameserver bitsquatting”. Specifically, we focus on the exploitation of nameserver configuration issues (misspelt nameserver hostnames in a zone's delegation) and hardware bit errors (a flipped bit in the nameserver hostname a resolver is about to query). These server-side security issues allow attackers to receive the queries destined for a domain's nameservers and thereby fully hijack the domain. In addition, we present a large-scale analysis that resulted in a high-impact disclosure concerning DNS-based cloud security services. We extensively studied cloud-protected domains to assess the prevalence of “origin exposure”, i.e. the possibility of bypassing the cloud security service and attacking the customer’s origin server directly.
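As an added illustration of the nameserver bitsquatting and typosquatting attacks described above (example code written for this page, not the dissertation's own tooling or data), the script below enumerates the lookalike nameserver names an attacker would have to register. The sample nameserver `ns1.example.com`, the single-bit-flip and fat-finger typo generators, and the simplistic "last two labels" rule for the registrable domain are all assumptions of the example; a real study would use the Public Suffix List and check that the resulting TLD exists.

```python
"""Enumerate nameserver bitsquat and typo candidates (added example)."""
import string

# Characters legal in a DNS label (letters, digits, hyphen). DNS matching is
# case-insensitive, so everything is handled in lowercase.
LDH = set(string.ascii_lowercase + string.digits + "-")


def valid_hostname(name: str) -> bool:
    """At least two non-empty LDH labels, none starting or ending with '-'."""
    labels = name.split(".")
    return len(labels) >= 2 and all(
        0 < len(l) <= 63 and set(l) <= LDH and l[0] != "-" and l[-1] != "-"
        for l in labels
    )


def bitsquats(hostname: str) -> list[str]:
    """Hostnames one bit-flip away from `hostname` that are still valid names.

    Every byte gets each of its 8 bits flipped in turn, dots included
    (0x2E ^ 0x40 is 'n', which merges two labels into one). Flips that only
    change case (0x20) are dropped because DNS treats them as the same name.
    """
    original = hostname.lower()
    raw = original.encode("ascii")
    found = set()
    for pos in range(len(raw)):
        for bit in range(8):
            flipped = bytearray(raw)
            flipped[pos] ^= 1 << bit
            if flipped[pos] > 0x7F:        # non-ASCII byte: never a valid name
                continue
            candidate = flipped.decode("ascii").lower()
            if candidate != original and valid_hostname(candidate):
                found.add(candidate)
    return sorted(found)


def typosquats(hostname: str) -> list[str]:
    """Single-character omissions and adjacent transpositions: the typos an
    operator can make when typing a nameserver hostname into an NS record."""
    original = hostname.lower()
    found = set()
    for i in range(len(original)):
        omitted = original[:i] + original[i + 1:]
        if valid_hostname(omitted):
            found.add(omitted)
        if i + 1 < len(original):
            swapped = original[:i] + original[i + 1] + original[i] + original[i + 2:]
            if swapped != original and valid_hostname(swapped):
                found.add(swapped)
    return sorted(found)


def registrable_domain(hostname: str) -> str:
    """Assumption for this example: the registrable domain is the last two
    labels. A real tool would consult the Public Suffix List (e.g. co.uk)."""
    return ".".join(hostname.split(".")[-2:])


def exploitable(hostname: str, candidates: list[str]) -> list[str]:
    """Keep only candidates whose registrable domain differs from the original:
    os1.example.com still lives under the victim's own zone and cannot be
    registered by a third party, whereas ns1nexample.com or ns1.exemple.com can."""
    home = registrable_domain(hostname.lower())
    return [c for c in candidates if registrable_domain(c) != home]


if __name__ == "__main__":
    ns = "ns1.example.com"  # constructed sample nameserver, not from the thesis
    for kind, generate in (("bitsquat", bitsquats), ("typosquat", typosquats)):
        cands = generate(ns)
        hits = exploitable(ns, cands)
        print(f"{kind}: {len(cands)} valid variants, {len(hits)} registrable by a third party")
        for h in hits:
            print("  ", h)
```

The defensive use is the same list read the other way round: the names in `exploitable(...)` are the ones a nameserver operator should register pre-emptively or at least monitor for registration, since a resolver that suffers a bit error (or a zone that carries the typo) will send its queries there.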
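The origin-exposure problem mentioned above, as an added example that is not part of the dissertation: the cloud security service only sees traffic for names whose records point at the provider, so any address in the zone's own data that lies outside the provider's ranges is a candidate origin an attacker can contact directly. The provider prefixes, the zone records and the `example.com` domain below are constructed sample data (RFC 5737 / RFC 3849 documentation ranges); the function names are this example's own. Nothing here touches the network; `bypass_probe` only builds the request that would be sent to a candidate origin.

```python
"""Find candidate origin addresses behind a DNS-based cloud security service."""
import ipaddress
from collections import defaultdict

# Constructed sample: address ranges announced by the hypothetical cloud
# security provider the zone is proxied through (documentation prefixes).
PROVIDER_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:1::/48")]

# Constructed sample zone data as (owner, rrtype, rdata) tuples.
SAMPLE_RECORDS = [
    ("example.com",      "A",    "198.51.100.10"),               # proxied via provider
    ("www.example.com",  "A",    "198.51.100.10"),
    ("mail.example.com", "A",    "203.0.113.5"),                 # points straight at origin
    ("ftp.example.com",  "A",    "203.0.113.5"),
    ("example.com",      "MX",   "10 mail.example.com."),
    ("example.com",      "TXT",  "v=spf1 ip4:203.0.113.5 -all"),  # SPF leaks the mail host
    ("dev.example.com",  "AAAA", "2001:db8:99::1"),              # test host on origin network
]


def behind_provider(net, provider_nets) -> bool:
    """True if the address or network lies entirely inside a provider prefix."""
    return any(net.version == p.version and net.subnet_of(p) for p in provider_nets)


def origin_candidates(records, provider_nets):
    """Return {address_or_prefix: [reasons]} for every address found in the
    zone's A/AAAA records and SPF ip4:/ip6: terms that is not covered by the
    provider. Each entry is a host an attacker could reach directly, skipping
    the cloud's filtering. MX/CNAME targets are followed through their own
    A/AAAA records, so they need no separate handling here."""
    candidates = defaultdict(list)
    for owner, rrtype, rdata in records:
        nets = []
        if rrtype in ("A", "AAAA"):
            nets.append((ipaddress.ip_network(rdata), f"{rrtype} record of {owner}"))
        elif rrtype == "TXT" and rdata.startswith("v=spf1"):
            for term in rdata.split():
                if term.startswith(("ip4:", "ip6:")):
                    nets.append((ipaddress.ip_network(term[4:], strict=False),
                                 f"SPF term {term} in TXT of {owner}"))
        for net, reason in nets:
            if not behind_provider(net, provider_nets):
                key = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
                candidates[key].append(reason)
    return dict(candidates)


def bypass_probe(domain: str, path: str = "/") -> bytes:
    """The request an attacker sends straight to a candidate origin: the TCP
    connection goes to the origin IP, but the Host header names the protected
    site, so a misconfigured origin answers as if the cloud had forwarded it.
    Sending it (and comparing the answer with the proxied one) is up to the caller."""
    return (f"GET {path} HTTP/1.1\r\nHost: {domain}\r\n"
            f"Connection: close\r\n\r\n").encode("ascii")


if __name__ == "__main__":
    for addr, reasons in origin_candidates(SAMPLE_RECORDS, PROVIDER_NETS).items():
        print(f"candidate origin {addr}:")
        for r in reasons:
            print("   ", r)
    print(bypass_probe("example.com").decode())
```

The fix on the customer side follows from the output: the origin must accept traffic only from the provider's ranges (firewall or mutual TLS between provider and origin), and records such as `mail`, `ftp` or SPF should not expose the same host that serves the protected site.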

The research on DNS security, as outlined above, yields a broader reflection on the complex and dispersed attack surface of domain names. Based on the insights gathered from these analyses, we are able to formulate an agenda of key elements to be addressed to achieve a more secure DNS.

Date: 2 Sep 2014 → 24 Aug 2018
Keywords: security, domain names
Disciplines: Applied mathematics in specific fields, Computer architecture and networks, Distributed computing, Information sciences, Information systems, Programming languages, Scientific computing, Theoretical computer science, Visual computing, Other information and computing sciences
Project type: PhD project