May 6 – 7, 2021
UTC timezone
OARC 35 Day 1 - begins 01:00 UTC Today 6 May.

Behind Closed Doors: A Network Tale of Spoofing, Intrusion, and False DNS Security

May 7, 2021, 1:25 AM
Standard Presentation Online Workshop OARC 35 Day 2


Casey Deccio (Brigham Young University)


Networks not employing destination-side source address validation (DSAV) expose themselves to a class of pernicious attacks which could be easily prevented by filtering inbound traffic purporting to originate from within the network. In this work, we survey the pervasiveness of networks vulnerable to infiltration using spoofed addresses internal to the network. We issue recursive Domain Name System (DNS) queries to a large set of known DNS servers worldwide, using various spoofed-source addresses. We classify roughly half of the 62,000 networks (autonomous systems) we tested as vulnerable to infiltration due to lack of DSAV. As an illustration of the dangers these networks expose themselves to, we demonstrate the ability to fingerprint the operating systems of internal DNS servers. Additionally, we identify nearly 4,000 DNS server instances vulnerable to cache poisoning attacks due to insufficient---and often non-existent---source port randomization, a vulnerability widely publicized 12 years ago. Finally, we introduce a Web-based tool for testing one's own network for DSAV.

Primary authors

Casey Deccio (Brigham Young University) Alden Hilton (Brigham Young University)

Presentation materials