Dai, Tianxiang (2023)
Internet-Wide Evaluations of Security and Vulnerabilities.
Technische Universität Darmstadt
doi: 10.26083/tuprints-00023412
Ph.D. Thesis, Primary publication, Publisher's Version
File: Dissertation_DAI.pdf (Copyright Information: In Copyright)

| Field | Value |
|---|---|
| Item Type | Ph.D. Thesis |
| Type of entry | Primary publication |
| Title | Internet-Wide Evaluations of Security and Vulnerabilities |
| Language | English |
| Referees | Waidner, Prof. Dr. Michael; Shulman, Prof. Dr. Haya; Rossow, Prof. Dr. Christian |
| Date | 30 November 2023 |
| Place of Publication | Darmstadt |
| Collation | 164 pages in various paginations |
| Date of oral examination | 12 December 2022 |
| DOI | 10.26083/tuprints-00023412 |
| Status | Publisher's Version |
| URN | urn:nbn:de:tuda-tuprints-234122 |
| Classification DDC | 000 Generalities, computers, information > 004 Computer science |
| Divisions | 20 Department of Computer Science > Security in Information Technology |
| Date Deposited | 30 Nov 2023 13:20 |
| Last Modified | 01 Dec 2023 10:26 |
| URI | https://tuprints.ulb.tu-darmstadt.de/id/eprint/23412 |
| PPN | 513584854 |

Abstract: The Internet significantly impacts world culture. Since its beginning it has been a multilayered system, and it gains more protocols year by year. At its core remains the Internet protocol suite, in which the fundamental protocols such as IPv4, TCP/UDP and DNS were initially introduced. Recently, more and more cross-layer attacks involving features in multiple layers have been reported. To better understand these attacks, e.g. how practical they are and how many users are vulnerable, Internet-wide evaluations are essential. In this cumulative thesis, we summarise our findings from various Internet-wide evaluations in recent years, with a main focus on DNS. Our evaluations showed that IP fragmentation poses a practical threat to DNS security, regardless of the transport protocol (TCP or UDP). Defence mechanisms such as DNS Response Rate Limiting could facilitate attacks on DNS, even though they are designed to protect DNS. We also extended the evaluations to a fundamental system which heavily relies on DNS, the web PKI. We found that Certificate Authorities suffered a lot from previous DNS vulnerabilities. We demonstrated that off-path attackers could hijack accounts at major CAs and manipulate resources there, using various DNS cache poisoning attacks. The Domain Validation procedure faces similar vulnerabilities: even the latest Multiple-Validation-Agent DV could be downgraded and poisoned. On the other side, we also performed Internet-wide evaluations of two important defence mechanisms. One is the cryptographic protocol for DNS security, DNSSEC. We found that less than 2% of popular domains were signed, and that about 20% of those were misconfigured. This is another example of how poorly deployed defence mechanisms worsen security. The other is ingress filtering, which stops spoofed traffic from entering a network. We presented the most complete Internet-wide evaluation of ingress filtering to date, covering over 90% of all Autonomous Systems. We found that over 80% of them were vulnerable to inbound spoofing.