Internet-wide study of DNS cache injections

Klein, Amit; Shulman, Haya; Waidner, Michael

doi:10.1109/infocom.2017.8057202

Cited by 43 publications

(9 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Despite this significant amount of prior work on online advertising, tracking, and ad-blockers, to the best of our knowledge the impact of advertising-related CNAME cloaking on cookie policies has not been previously investigated in detail. c) DNS Security: DNS is an aging protocol, and efforts to improve its security have been slow and marred by deployment mistakes [32], [20], enabling various attacks [28], [27] and misuse by ISPs [44]. New technologies like DNSover-HTTPS [34] have been proposed for remediation, but deployment has only recently begun.…”

Section: Related Workmentioning

confidence: 99%

An Analysis of First-Party Cookie Exfiltration due to CNAME Redirections

Ren¹,

Wittmany²,

Carli³

et al. 2021

Proceedings 2021 Workshop on Measurements, Attacks, and Defenses for the Web

View full text Add to dashboard Cite

DNS CNAME redirections, which can "steer" browser requests towards a domain different than the one in the request's URI, are a simple and oftentimes effective means to obscure the source of a web object behind an alias. These redirections can be used to make third-party content appear as first-party content. The practice of evading browser security mechanisms through misuse of CNAMEs, referred to as CNAME cloaking, has been recently growing in popularity among advertisers/trackers to bypass blocklists and privacy policies.While CNAME cloaking has been reported in past measurement studies, its impact on browser cookie policies has not been analyzed. We close this gap by presenting an in-depth characterization of how CNAME redirections affect cookie propagation. Our analysis uses two distinct data collection samples (June and December 2020). Beyond confirming that CNAME cloaking continues to be popular, our analysis identifies a number of websites transmitting sensitive cookies to cloaked third-parties, thus breaking browser cookie policies. Manual review of such cases identifies exfiltration of authentication cookies to advertising/tracking domains, which raises serious security concerns.

show abstract

Section: Related Workmentioning

confidence: 99%

An Analysis of First-Party Cookie Exfiltration due to CNAME Redirections

Ren¹,

Wittmany²,

Carli³

et al. 2021

Proceedings 2021 Workshop on Measurements, Attacks, and Defenses for the Web

View full text Add to dashboard Cite

show abstract

“…Although creating the fake certificate is straightforward, to execute this attack, the adversary must also MITM connections in front of the Opera endpoint servers, e.g., by poisoning their DNS cache or performing selective BGP hijacking. Prior work has demonstrated the effectiveness of DNS cache poisoning attacks [40], while security companies have recently issued reports about major DNS hijacking campaigns [2], [5]. We simulate DNS cache poisoning by modifying the authoritative DNS server for our domain to direct traffic to our "attacker" machine.…”

Section: Data Saving Mode Security Degradationmentioning

confidence: 99%

Meddling Middlemen: Empirical Analysis of the Risks of Data-Saving Mobile Browsers

Kondracki

Aliyeva

Egele

et al. 2020

2020 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

Mobile browsers have become one of the main mediators of our online activities. However, as web pages continue to increase in size and streaming media on-the-go has become commonplace, mobile data plan constraints remain a significant concern for users. As a result, data-saving features can be a differentiating factor when selecting a mobile browser. In this paper, we present a comprehensive exploration of the security and privacy threat that data-saving functionality presents to users. We conduct the first analysis of Android's data-saving browser (DSB) ecosystem across multiple dimensions, including the characteristics of the various browsers' infrastructure, their application and protocol-level behavior, and their effect on users' browsing experience. Our research unequivocally demonstrates that enabling data-saving functionality in major browsers results in significant degradation of the user's security posture by introducing severe vulnerabilities that are not otherwise present in the browser during normal operation. In summary, our experiments show that enabling data savings exposes users to (i) proxy servers running outdated software, (ii) man-in-the-middle attacks due to problematic validation of TLS certificates, (iii) weakened TLS cipher suite selection, (iv) lack of support of security headers like HSTS, and (v) a higher likelihood of being labelled as bots. While the discovered issues can be addressed, we argue that data-saving functionality presents inherent risks in an increasingly-encrypted Web, and users should be alerted of the critical savings-vs-security trade-off that they implicitly accept every time they enable such functionality.

show abstract

“…Our fingerprinting techniques are based on the resolvers' caching behaviour when overwriting already cached records with new values. Our study is carried out using a list of payloads from [5]. When the DNS response changes the state of the cache, the changed state is indicated by the new values that overwrite the previous values that were in the cache.…”

Section: Dns Caches Fingerprintingmentioning

confidence: 99%

“…We define a new metric, the Minimal Hamming Distance (MHD), which measures software similarity. Let S be a set of known resolver software evaluation bitvectors, where each bit represents a payload from [5]. We created fingerprints for a total of 16 different softwares and software versions.…”

Section: Dns Caches Fingerprintingmentioning

confidence: 99%

“…This will cause the resolver not to fetch additional nameservers and to use only one. [5] showed how to remotely identify cache poisoning vulnerabilities and [1] exploited those techniques for issuing fraudulent certificates. Recent work demonstrated that caches in DNS platforms can be enumerated [4] and [3] exploited DNS records for user tracking [3].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Black-box caches fingerprinting

Klein

Heftrig

Shulman

et al. 2020

Proceedings of the 16th International Conference on Emerging Networking EXperiments and Technologies

Self Cite

View full text Add to dashboard Cite

We propose the first methodologies for remotely inferring and fingerprinting the software of DNS caches in the Internet based solely on the exchange of queries/responses with the DNS platform. Our techniques are robust and cannot be altered in transit, e.g., by firewalls, which does not hold for the existing fingerprinting techniques. In particular, the only way to alter the outcome of our fingerprinting methods is by modifying the DNS software itself. CCS CONCEPTS • Applied computing → Investigation techniques; • Networks → Network security; • Security and privacy → Network security.

show abstract

Internet-wide study of DNS cache injections

Cited by 43 publications

References 19 publications

An Analysis of First-Party Cookie Exfiltration due to CNAME Redirections

An Analysis of First-Party Cookie Exfiltration due to CNAME Redirections

Meddling Middlemen: Empirical Analysis of the Risks of Data-Saving Mobile Browsers

Black-box caches fingerprinting

Contact Info

Product

Resources

About