Measuring IPv6 DNS Reconnaissance Attacks and Preventing Them Using DNS Guard
| Autor: | Nevil Brownlee, Qinwen Hu, Muhammad Rizwan Asghar |
|---|---|
| Rok vydání: | 2018 |
| Předmět: |
Guard (information security)
IPv4 address exhaustion IPv6 address Computer science business.industry Plug and play Domain Name System ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS 020206 networking & telecommunications 02 engineering and technology Subnet IPv6 Server 0202 electrical engineering electronic engineering information engineering 020201 artificial intelligence & image processing business Computer network |
| Zdroj: | DSN |
| DOI: | 10.1109/dsn.2018.00045 |
| Popis: | Traditional address scanning attacks mainly rely on the naive 'brute forcing' approach, where the entire IPv4 address space is exhaustively searched by enumerating different possibilities. However, such an approach is inefficient for IPv6 due to its vast subnet size (i.e., 2^64). As a result, it is widely assumed that address scanning attacks are less feasible in IPv6 networks. In this paper, we evaluate new IPv6 reconnaissance techniques in real IPv6 networks and expose how to leverage the Domain Name System (DNS) for IPv6 network reconnaissance. We collected IPv6 addresses from 5 regions and 100,000 domains by exploiting DNS reverse zone and DNSSEC records. We propose a DNS Guard (DNSG) to efficiently detect DNS reconnaissance attacks in IPv6 networks. DNSG is a plug and play component that could be added to the existing infrastructure. We implement DNSG using Bro and Suricata. Our results demonstrate that DNSG could effectively block DNS reconnaissance attacks. |
| Databáze: | OpenAIRE |
| Externí odkaz: |
|