Understanding the security risks and censorship behaviors on the exploitation of domain names

Date
2021
Publisher
University of Delaware
Abstract
Domain names identify Internet services and resources and greatly facilitate human users' access to the Internet. However, adversaries also leverage domain names to pinpoint their targets and conduct malicious activities. In this dissertation, we study the security risks and censorship behaviors surrounding the exploitation of domain names through large-scale measurements.

First, we explore the security risks in the adoption of DDoS Protection Services (DPS) through DNS resolution. The increasing prevalence of DDoS attacks on the Internet has led to the wide adoption of DPS. A DPS works by hiding the IP address of an origin server and rerouting traffic to the DPS provider's distributed infrastructure, where malicious traffic can be blocked. However, an exposed origin IP address nullifies the protection of a DPS, as adversaries can launch DDoS attacks directly against the origin server. To investigate the problem of origin exposure in DPS, we perform a measurement study on the usage dynamics of DPS customers and reveal a new vulnerability, called residual resolution, by which a DPS provider may leak origin IP addresses when its customers terminate the service or switch to other platforms, resulting in the failure of protection from future DPS providers.

Then, we evaluate the impact of encrypted DNS on Internet censorship. Encrypted DNS protocols have been used to mitigate DNS privacy leakage and DNS manipulation. Existing studies have investigated the privacy benefits of encrypted DNS communications, yet little has been done from the perspective of censorship. Therefore, we study the impact of encrypted DNS on Internet censorship in two aspects. On one hand, we explore the severity of DNS manipulation, which could be leveraged for Internet censorship, given the use of encrypted DNS resolvers. On the other hand, we evaluate the effectiveness of using encrypted DNS resolvers for censorship circumvention.

Finally, we investigate domain-name-based censorship on DNS, HTTP, and HTTPS through accurate, end-to-end measurements. Conducting a large-scale censorship measurement is challenging, as it involves triggering censors through artificial requests and identifying abnormalities in the corresponding responses. To achieve our goal, we propose a novel framework called Disguiser. The core of Disguiser is a control server that replies with a static payload, providing the ground truth for server responses. We send requests from various types of vantage points across the world to our control server, and censorship activity can be recognized when a vantage point receives a different response. In addition, we perform application-layer traceroutes towards our control server to explore censors' behaviors and their deployment.
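The ground-truth comparison at the heart of the Disguiser approach, as an added illustration that is not code from the dissertation: a hypothetical control server answers from a fixed address with a fixed body, and each vantage point's observation is checked in request order (DNS answer, TLS handshake, HTTP payload) so that the first stage that deviates from the ground truth yields the verdict. The control address, payload and sample observations are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Ground truth served by the hypothetical control server (constructed values).
CONTROL_IP = "203.0.113.10"
STATIC_PAYLOAD = "disguiser-control-ok\n"

@dataclass
class Observation:
    vantage: str                  # vantage point identifier
    dns_answers: list             # A records the local resolver returned
    tls_ok: Optional[bool]        # None: HTTPS not attempted; False: handshake failed
    http_status: Optional[int]    # None: no HTTP response (reset/timeout)
    http_body: Optional[str]

def classify(obs: Observation) -> str:
    """Verdict for one vantage point, checked in the order a request proceeds:
    DNS first, then the TLS handshake, then the HTTP payload."""
    if not obs.dns_answers:
        return "dns_no_answer"
    if CONTROL_IP not in obs.dns_answers:
        return "dns_manipulation"        # resolver returned a non-control address
    if obs.tls_ok is False:
        return "https_interference"      # handshake to the control server broken
    if obs.http_status is None:
        return "connection_blocked"      # no HTTP response came back at all
    if obs.http_body != STATIC_PAYLOAD:
        return "http_interference"       # payload replaced or injected in transit
    return "consistent"

# Constructed sample observations (not real measurements).
SAMPLE = [
    Observation("vp-a", [CONTROL_IP], True, 200, STATIC_PAYLOAD),
    Observation("vp-b", ["198.51.100.7"], None, 200, "<html>blocked</html>"),
    Observation("vp-c", [CONTROL_IP], None, None, None),
    Observation("vp-d", [CONTROL_IP], True, 200, "<html>Access denied</html>"),
    Observation("vp-e", [CONTROL_IP], False, None, None),
    Observation("vp-f", [], None, None, None),
]

def run_sample(observations=SAMPLE) -> dict:
    """Map each vantage point to its verdict."""
    return {o.vantage: classify(o) for o in observations}

if __name__ == "__main__":
    for vantage, verdict in run_sample().items():
        print(f"{vantage}: {verdict}")
```

Because the expected response is known in advance, any deviation is attributable to the path rather than to the destination, which is what makes the static payload useful as ground truth.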
Keywords
Security risks, Censorship behaviors, Exploitation, Domain names