博碩士論文 975202001 詳細資訊


姓名 蔡天浩(Tien-hao Tsai)  查詢紙本館藏   畢業系所 資訊工程學系
論文名稱 DNSPD: Entrap Botnets Through DNS Cache Poisoning Detection
(DNSPD: Entrap Botnets Through DNS Cache Poisoning Detection)
檔案 [Endnote RIS 格式]    [Bibtex 格式]    至系統瀏覽論文 ( 永不開放)
摘要(中) ”網域名稱伺服器快取毒害”(DNS Cache Poisoning)自1993年被提出 [1],迄今仍無法徹底解決,此攻擊會造成DNS主機的快取資料錯亂,而本該是連線到正常網站,會被導向至攻擊者的網站,導致一般使用者上當受害。而快取攻擊的原理是猜測先前送出查詢封包(query)中的資料,包含一個0~65535的亂數、連線的IP與Port Number等,回應的封包(response)若通過檢查,就會被視為是正確的答案,並儲存在快取中,以減輕下次查詢的時間;所以攻擊者通常會藉由發送大量的封包來提高猜中的機率。
我們根據此特性建構了一套有效的防範機制DNSPD,適合部署至一般大型組織、企業的網路架構來阻擋攻擊。根據觀察,這些偽造的DNS封包中,通常會含有惡意網站的IP,所以我們將IP取出,並紀錄與持續觀察是否有惡意行為,例如:釣魚網站等。而且這些IP通常也會是網路殭屍(botnet)的成員,我們更可藉由捕捉攻擊封包,建立botnet IP黑名單,提前預防其他潛藏的危機。另外,我們利用Counting Bloom filter [2]來確保DNSPD能有效的處理大量偽造封包;經過運作與測試的証實,DNSPD不僅能阻擋快取毒害的攻擊、找出botnet成員,更重要的是它對原本網路所增加的負擔極小。
摘要(英) In this paper, we propose a network-based solution, DNSPD, to defend an organization against the notorious DNS cache poisoning attack. DNS cache poisoning has been used to attack DNS servers since 1993 [1]. Through this type of attacks, an attacker can change the IP address of a domain name to any IP address chosen by her/him. Because an attacker can not obtain the transaction number and port number of a DNS query sent by a DNS resolver, in order to forge the related DNS response with a prepared IP address, the attacker needs to send many fake DNS response to the resolver, and all the fake DNS messages may have the same IP address. Based on this observation, DNSPD solves DNS cache poisoning by detecting, recording, and confirming the IP addresses appearing in contents of fake DNS replies. As a result, DNSPD not only can block DNS cache poisoning attacks but also can identify the malicious hosts which attackers plan for redirecting target hosts’ traffic. Usually these malicious hosts are botnet members and used as phishing sites; hence, identifying these bots and disconnecting traffic to them can provide further protection to the hosts in a network. Besides, through the utilization of Bloom Counter [2] and host confirmation, DNSPD maintains its detection accuracy even when it is bombarded with tremendous fake DNS replies. Experimental results show that with low performance overhead, DSNSP can accurate block DSN cache poisoning attacks and detect the related bots.
關鍵字(中) ★ DNS
★ 快取攻擊
★ 網路殭屍
關鍵字(英) ★ DNS
★ cache poisoning
★ botnet
論文目次 I. Introductions 1
II. DNS Background 3
2.1 DNS Concepts 3
2.2 DNS Query 4
2.3 DNS Message Format 6
2.4 DNS Cache Poisoning 8
III. Related Work 12
3.1 Encryption 12
3.2 Google method 12
3.3 History 12
3.4 Client side 13
IV. The Design 14
4.1 DNS resolver 15
4.2 Analysis Crawler 16
4.3 Router 17
V. Implementation 18
5.1 DNS resolver 18
5.2 Router 18
5.3 Analysis Crawler 19
VI. Analysis 20
VII. Evaluation & Discussion 24
VIII. Future Work 26
References 27
參考文獻 [1] Christoph Schuba, “ADDRESSING WEAKNESSES IN THE DOMAIN NAME SYSTEM PROTOCOL”, Master's thesis, Purdue University Department of Computer Sciences, (August 1993)
[2] L. Fan, P. Cao, J. Almeida, and A. Z. Broder. “Summary Cache: A
Scalable Wide-Area Web Cache Sharing Protocol.” IEEE/ACM Transactions on
Networking, Volume 8, Issue 3, Pages: 281 – 293, (June 2000).
[3] Dan Kaminsky, “Black Ops 2008: It's The End of The Cache As We Know It,” Black Hat USA 2008 presentation, (Aug. 2008).
[4] A. Hubert, R. van Mook, “Measures for Making DNS More Resilient against Forged Answers,” RFC 5452, (Jan. 2009).
[5] P. Mockapetris, “DOMAIN NAMES - CONCEPTS AND FACILITIES,” RFC 1034, (November 1987)
[6] P. Mockapetris, “DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION,” RFC 1035, (November 1987)
[7] DNSSEC: DNS Security Extensions Securing the Domain Name System. http://www.dnssec.net/
[8] R. Arends, R. Austein, M. Larson, D. Massey, S. Rose, “DNS Security Introduction and Requirements,” RFC 4033, (Mar. 2005)
[9] Andrew Kalafut, Minaxi Gupta , “Pollution Resilience for DNS Resolvers”, IEEE ICC, Dresden, Pages: 281 – 293, (June 2009).
[10] Hung-Min Sun, Wen-Hsuan Chang, Shih-Ying Chang, and Yue-Hsun Lin, “DepenDNS: Dependable Mechanism against DNS Cache Poisoning”, Lecture Notes in Computer Science, Volume 5888, Pages: 174–188, (2009)
[11] Fu-hau Hsu, Chang-kuo Tso, “A Browser-side Solution to Drive-by-Download-Based Malicious Web Pages”, Master's thesis, National Central University, (2009)
[12] Fu-hau Hsu, Chuan-sheng Wang, “Shark: Phishing Information Recycling from Spam Mails”, Master's thesis, National Central University, (2010)
[13] Alexa Top 500 Global Sites. http://www.alexa.com/topsites
[14] US-CERT, “Multiple DNS implementations vulnerable to cache poisoning”, Vulnerability Note VU#800113 (July, 2008)
指導教授 許富皓(Fu-Hau Hsu) 審核日期 2010-7-1
推文 facebook   plurk   twitter   funp   google   live   udn   HD   myshare   reddit   netvibes   friend   youpush   delicious   baidu   

若有論文相關問題,請聯絡國立中央大學圖書館推廣服務組 TEL:(03)422-7151轉57407,或E-mail聯絡