DNS: Domain Name Systems

DNS: Hierarchical Name Space

org, net, edu, com, uk, ca
wisc, ucb, gt, cmu, mit

Client -> locak DNS Resolver -> root&edu DNS server, gatech.edu DNS Server, cc.gatech.edu DNS Server

DNS record types(partial list)
NS: name server
A: address record
MX: address in charge of handling email

DNS responses are cached
DNS negative queries are cached
Cached data periodically times out

Users/hosts trust the host-address mapping provided by DNS

DNS Packet
IP Header, UDP Header, DNS data
Query ID: 16 bit random value

Security IPs (internet protocols)

Internet infrastructure
– local and inter-domain routing
– TCP/IP for routing and messaging
– BGP for routing announcements

@Domain name system
find ip address from symbolic name

AT&T, CenturyLink, KPN International, NTT Communications, Sprint, Telecom Italia Sparkle, Telia Carrier, Zayo Group, Cogent Communications, Deutsche Telekom AG, Level 3 communications, Orange, Tata Comuunications, Telefonica Global Solutions, Verizon Enterprise Solutions

IP Provides only best effort delivery, it is not guaranteed
Due the connectionless nature of IP, data corruption, packet loss, duplication, and out-of-order delivery can occur.

IP Authentication
– Easy to override using raw sockets
– Libnet: a library for formatting raw packets with arbitrary IP headers

Transmission Control Protocol
Connectiion-oriented, preserves order
Acknowledge receipt; lost packets are resent

Random Initial Sequence Numbers

Address Resolution Protocol(ARP)
Open Shortest Path First(OSPF)
Border Gateway Protocol(BGP)

Penetration Testing


footprinting: whois, nslookup
scanning: nmap, fping
enumeration: dumpACL, showmount legion, rpcinfo
gaining access: Tcpdump, Lophtcrack NAT
escalating privilege: Johntheripper, getadmin
Pilfering: Rhosts, user data, Config files, registry
Covering tracks: zap, rootkits
Creating back door: cron, at, startup folder netcat, keystroke logger, remote desktop

Target on cyber attacks
defense contractor, restaurant, software

Structure of the underground

credit card and bank account theft, ddos and ransomware extortion, click fraud and ad injection, spam, bitcoin mining
carder and cashiers, phishing, counterfeit goods, malware attachments

Deep web(96% of WWW content): it is not indexed by standard search engines
Dark web: web content that exists on darknets
surface web(4% of WWW content): readily available to the public, and searchable with standard search engines

Test to evaluate
-strengths of all security controls

Higher Level DoS

SSL/TLS handshake
RSA Encrypt -> RSA Decrypt

DoS Mitigation
Client puzzle: slow down attacker
Moderately hard problem: given challenge c find x such that
-LSBn(SHA-1 (c || x)) = 0^n
hardness of challenge:n
-decided based on DoS attack volume
-requires changes to both clients and servers
-Hurts low power legitimate clients during attack
CPU power ratio
-high end server / low end cell phone = 8000
-> impossible to scale to hard puzzles
Interesting observation
– Main memory access time ratio
– high end server / low end cell phone = 2
Solution requires many main memory accesses
– dwork-goldberg-naor, crypto
– abadi-burrows-manasse-wobber, acm toit

-given set of attack packets
-determine path to source
-most routers remain uncompromised
-attacker sends many packets


IP header format
-best effort

version, header length, type of service, total length, identification, flags, fragment offset, time to live, protocol, header checksum, source address of originating host, destination address of target host, options, padding, ip data

-session based, congestion control, in order delivery
source port, dest port, seq number, ack number, urg, ack, psh, psr, syn, fin, other stuff

TCP handhake
syn: SNc <- randc, ANc <- 0 SYN packets with random source IP addresses Fills up backlog queue on server No further connections possible A classic SYN flood example MS Blaster worm(2003) - SYN flood on port 80 to windowsupdate.com -50 SYN packets every second, each packet is 40 bytes -spoofed source IP:a.b.X.Y where X,Y random Low rate SYN flood defenses Non-solution -increase backlog queue size or decrease timeout Correct solution - sycookies: remove state from server Massive flood
command bot army to flood specific target
20,000 bots can generate 2Gb/sec of SYNs
at web site:
saturates network uplink or network router
random source IP -> attack SYNs look the same as real SYNs

Idea: only forward established TCP connections to site

Stronger attacks: TCP connection flood
Command bot army
-complete TCP connection to web site
-send short HTTP head request

will bypass SYN flood protection proxy but
attacker can no longer use random source IPs
reveals location of bot zombies
proxy can now block or rate-limit bots

Javascript-based DDoS:
github.com <- honest end user <- inject imageFlood.js <- popular server imageFlood.js

Function imgflood(){
	var TARGET = ‘victim-website.com/index.php?’
	var rand = Math.floor(Math.random() * 1000)
	var pic = new Image()
	Pic.src = ‘http://’+TARGET+rand+’=val’

DOS Taxonomy

subnet spoofing: Generate random addresses within a given address space
random spoofing: Generate 32-bit numbers and stamp packets with them.
fixed spoofing: The spoofed address is the address of the target.

server application: the attack is targeted to a specific application on a server
network access: the attack is used to overload or crash the communication mechanism of a network
infrastructure: the motivation of this attack is a crucial service of a global internet operation, for example core router

-> small number of packets -> big effect
application attacks:
DoS bug: Design flaw allowing one Machine to disrupt a service
Dos flood: Command botnet to generate flood of requests
sample Dos at different layers: link, TCP/UDP, application

First Set Algorithm

for each nonterminal X do First(X) :={}
while there are changes to any First(X) do
	for each production rule X ->X1X2...Xn do
		while k<=n do
			First(X) = First(X) U (First(Xk)-{ε})
			if ε is not in First(Xk) then break;
			k := k+1;
		if (k>n) then First(X) = First(X) U {ε} 

follow sets

stmt -> if-stmt|other
if-stmt -> if(exp)stmt else-part
else-part -> else stmt | ε
exp -> 0 | 1

Regular Expressions

Regular Expressions are used in grep, sed, awk, perl, vi, shells, lex, yacc
– Each may use slightly different convention

State Machines

Parser Classification
LR: Bottom Up Parser
-L: scan left to right
-R: traces rightmost derivation of input string

LL: Top Down Parser
-L: Scan left to right
-L: traces leftmost derivation of input string

Typical notation
– LL(0), LL(1), LR(1), LR(k)
– number(k) refers to maximum look ahead

Recursive Descent Parsing
Non-terminal variable
correct select rule for expansion matchToken
consumes token or Error

 ::=  '*'  | 
 ::=  {'*'  }
 ::= '*'   | ε

RegEx: Finite Automata

Deterministic Finite Automata (DFA)

Lexical Analysis(Scanner)
Read input: one character at a time
Group characters into tokens
Remove white spaces and comments
Encode token types and form tuples and return to parser

type value
FloatConst 123.45
VAR String=DaysOfWeek
Operator Value =+

Regular expression r (a pattern of characters) and its language L(r)
-> used in many Unix programs (e.g., grep, vi., etc.)
State machine (finite automata)

Representations of String
Basics of Regular Expression
Σ= AaBbCcDdEeFf…. {}|[]”;’<>?,./

Symbols & alphabet
-> A symbol is a valid character in a language
-> alphabet is set of legal symbols

Metacharacters/metasymbols that have special meanings:
Defining reg-ex operations(e.g. |,(,), *, + etc.)
Escape character(\) to turn off special meanings
Empty string e and empty set

a | b* = {a, ε, b, bb, bbb, …}
(a | b)* = {ε, a, b, ab, ba, aa, bb, aaa, aab, …} = Any number (including zero) of a’s and b’s in any order

unix-style regular expression
a-b same as abcd
^1-3 denotes characters other than 1, 2, or 3
-, [], +, ?, ^ and $