DNS-DNS: DNS-Based De-NAT Scheme

Orevi, Liran; Herzberg, Amir; Zlatokrilov, Haim

doi:10.1007/978-3-030-00434-7_4

Cited by 14 publications

(14 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…with IPv6 ID [11]. Client de-NATting based on the IPv4 ID of outbound DNS queries over UDP was described in [41]. This attack relies on the incremental nature of the IP ID for a fixed (IP SRC , IP DST ) tuple, and thus cannot be applied to server de-NATting where a single host may use multiple source IP addresses.…”

Section: Host Alias Detection and De-nattingmentioning

confidence: 99%

Subverting Stateful Firewalls with Protocol States (Extended Version)

Klein¹

2021

Preprint

View full text Add to dashboard Cite

We analyzed the generation of protocol header fields in the implementations of multiple TCP/IP network stacks and found new ways to leak information about global protocol states. We then demonstrated new covert channels by remotely observing and modifying the system's global state via these protocol fields. Unlike earlier works, our research focuses on hosts that reside in firewalled networks (including source address validation -SAV), which is a very common scenario nowadays. Our attacks are designed to be non-disruptive -in the exfiltration scenario, this makes the attacks stealthier and thus extends their longevity, and in case of host alias resolution and similar techniques -this ensures the techniques are ethical. We focused on ICMP, which is commonly served by firewalls, and on UDP, which is forecasted to take a more prominent share of the Internet traffic with the advent of HTTP/3 and QUIC, though we report results for TCP as well.The information leakage scenarios we discovered enable the construction of practical covert channels which directly pierce firewalls, or indirectly establish communication via hosts in firewalled networks that also employ SAV. We describe and test three novel attacks in this context: exfiltration via the firewall itself, exfiltration via a DMZ host, and exfiltration via co-resident containers. These are three generic, new use cases for covert channels that work around * This is an extended version of a paper that will be published in NDSS 2022.firewalling and enable devices that are not allowed direct communication with the Internet, to still exfiltrate data out of the network. In other words, we exfiltrate data from isolated networks to the Internet. We also explain how to mount known attacks such as host alias resolution, de-NATting and container coresidence detection, using the new information leakage techniques.

show abstract

Section: Host Alias Detection and De-nattingmentioning

confidence: 99%

Subverting Stateful Firewalls with Protocol States (Extended Version)

Klein¹

2021

Preprint

View full text Add to dashboard Cite

show abstract

“…Once NATed, it becomes difficult to correlate each packet to its packet stream from the outside. As described by [19], deNATing is the reverse of NATing, and it aims at re-identifying the communication flowing through a NAT. In Section 4, we survey existing deNATing methods and illustrate their shortcomings with regard to our use case.…”

Section: Nating Denating and Iot Identification Behind A Natmentioning

confidence: 99%

“…We empirically evaluate our method on genuine NetFlow records collected in our lab for a period of ten days from numerous commercial smart home IoT devices. We also compare our NetFlow-based method to two existing deNATing methods: (1) a domain-based method [11] and (2) a method which is based on DNS IP-ID [19]; we evaluate them empirically on packet-level data collected simultaneously from the same network. Unlike some past studies which applied their methods to partially, questionably, or completely unlabeled datasets, our datasets are explicitly labeled with the device model.…”

Section: Introductionmentioning

confidence: 99%

Privacy-Preserving Detection of IoT Devices Connected Behind a NAT in a Smart Home Setup

Sachidananda¹,

Elovici²,

Shabtai³

2019

Preprint

View full text Add to dashboard Cite

Today, telecommunication service providers (telcos) are exposed to cyber-attacks executed by compromised IoT devices connected to their customers' networks. Such attacks might have severe effects not only on the target of attacks but also on the telcos themselves. To mitigate those risks we propose a machine learning based method that can detect devices of specific vulnerable IoT models connected behind a domestic NAT, thereby identifying home networks that pose a risk to the telco's infrastructure and availability of services. As part of the effort to preserve the domestic customers' privacy, our method relies on NetFlow data solely, refraining from inspecting the payload. To promote future research in this domain we share our novel dataset, collected in our lab from numerous and various commercial IoT devices.

show abstract

“…Other operating systems, such as new Linux versions, use unpredictable IP ID assignment. For instance, Linux and MacOS to use local counters and OpenBSD use pseudo-random IP ID assignment [21]. In this work we focus on servers with global incremental IP ID counters.…”

Section: Introductionmentioning

confidence: 99%

DNS-over-TCP considered vulnerable

Dai

Shulman

Waidner

2021

Proceedings of the Applied Networking Research Workshop

View full text Add to dashboard Cite

The research and operational communities believe that TCP provides protection against IP fragmentation attacks and recommend that servers avoid sending DNS responses over UDP but use TCP instead.In this work we show that IP fragmentation attacks also apply to servers that communicate over TCP. Our measurements indicate that in the 100K-top Alexa domains there are 393 additional domains whose nameservers can be forced to (source) fragment IP packets that contain TCP segments. In contrast, responses from these domains cannot be forced to fragment when sent over UDP.Our study not only shows that the recommendation to use TCP instead of UDP in order to avoid attacks that exploit fragmentation is risky, but it also unveils that the attack surface due to fragmentation is larger than was previously believed. We evaluate IP fragmentation-based DNS cache poisoning attacks against DNS responses over TCP. CCS CONCEPTS• Security and privacy → Network security.

show abstract

DNS-DNS: DNS-Based De-NAT Scheme

Cited by 14 publications

References 13 publications

Subverting Stateful Firewalls with Protocol States (Extended Version)

Subverting Stateful Firewalls with Protocol States (Extended Version)

Privacy-Preserving Detection of IoT Devices Connected Behind a NAT in a Smart Home Setup

DNS-over-TCP considered vulnerable

Contact Info

Product

Resources

About