Protecting Browsers from DNS Rebinding Attacks and Enhancing Byte-Level Network Intrusion Detection Signatures with Context Review Paper By Davina Fogle University Maryland College University CSEC640 Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing November 9, 2014

Contents Introduction: 3 Review of paper #1 4 Article Citation: 4 Summary: 4 Analysis: 4 What are the article’s main contributions and strengths? 4 Are there any weaknesses and limitations? 5 Are there possible improvements? 6 How does the article compare or contrast with other articles that the class has read so far? What concepts, ideas, or techniques read elsewhere strengthen or weaken this paper? 7 Discussion/Conclusion: 8 Review of paper #2 9 Article Citation: 9 Summary: 9 Analysis: 10 What are the article’s main contributions and strengths? 10 Are there any weaknesses and limitations? 11 Are there possible improvements? 11 How does the article compare or contrast with other articles that the class has read so far? What concepts, ideas, or techniques read elsewhere strengthen or weaken this paper? 12 Discussion/Conclusion: 13

Introduction:
I am writing a Review paper on the following articles:

* Collin Jackson et al., “Protecting Browsers from DNS Rebinding Attacks”, In Proceedings of ACM CCS, 2009. * Robin Sommer and Vern Paxson, “Enhancing Byte-Level Network Intrusion Detection Signatures with Context”, Proceedings of the 10th ACM Conference on Computer and Communication Security, 2003.
This paper will showcase two papers debating DNS rebinding onslaughts and enhancing byte-level Network Intrusion Detection System (NIDS). A DNS rebinding onslaught put in jeopardy the honor of brand determination in DNS with the objective of governing the IP address of the host and that the prey finally joins. The same origin policy and DNS
Pinning methods was brought in to defend Internet browsers from DNS rebinding onslaughts, but their performance has been crippled by weaknesses made acquainted by plug-ins such as JavaScript and Adobe Flash Player. The paper by Jackson et al. (2009) describes the suspect’s weaknesses and corrective actions. The writers also show the capabilities and flaws of the preventive actions and enhancements.

The second paper outlines the mechanics of signature equivalency NIDS and procedures for embellishing the machination of that process. NIDS furnish a priceless apparatus for network managers to discover illegal network traffic. Sommer and Paxson (2003) detailed how increasing background signatures to an adjustable stage like NIDS spreads the capability of the network. The writer’s review the process of the benefits and constraints, improvement points, examination of the network and similar endeavors.

Review of paper #1
Article Citation:
Jackson, C., Barth, A., Bortz, A., Shao, W., & Boneh, D. (2009). Protecting browsers from DNS rebinding attacks. ACM Transactions on the Web, 3(1), 1 -26. doi.acm.org/10.1145/1462148.1462150.

Summary:
This report deliberated the DNS rebinding attacks impairing the same-origin procedure of browsers, modifying them into clear network proxies. A perpetrator can avoid consortiums and distinctive firewalls, deliver unsolicited email, and exploit pay-per-click promoters utilizing DNS rebinding. The author determines the overhead importance of intensifying DNS rebinding attacks, noticing that a perpetrator commands lower than $100 to seize 100,000 IP addresses. The author examines countermeasures to DNS rebinding attacks, consisting of enhancements to the ideal “DNS pinning,” and propose modifications to browser plug-ins, firewalls, and Web servers. They’re countermeasures have been embraced by plug-in sellers and by many free public accessible firewall applications.

Analysis:
What are the article’s main contributions and strengths?
The main contributions and strengths of the article are the use of pinning to defend against DNS rebinding. DNS rebinding attacks impairs the same-origin standard by complicating the browser into stirring subject matter regulated by unequal quantities into an independent security baseline. A perpetrator can avoid firewalls to spider enterprise internal networks, steal classified records, and expose interior servers that are not patched utilizing DNS rebinding. A perpetrator can also seize a customer’s IP address to deliver unsolicited email and to exploit pay-per-click promoters. DNS rebinding weaknesses allows the perpetrator to read and write without delay on network openings, nobly elongating on the attacks probable with active JavaScript-based zombies, which can deliver HTTP queries to remote hosts but is unable to review the HTTP feedback.

DNS pinning demonstrates once the browser has adjudicated a host name to an IP address, the browser collects the output for a nonadjustable stretch, notwithstanding TTL. All network links to a said host name will be directed to the same IP address negating the perpetrator from commingling hostile subject matter with substance from a reliable system.
Are there any weaknesses and limitations?
The use of pinning once was an adequate safeguard contrary to DNS rebinding onslaughts as a result of weaknesses made known by browser segments. These segments contribute increased performance, in the same manner as socket-level system passage, to Internet data. The browser along with every plug-in preserve isolated pin tables, constructing a modern collection of DNS rebinding weaknesses without help indicate to as multipin weaknesses. The authors exhibit, such as, whereby utilizing the synergy amid the browser and Java LiveConnect to pin the browser to one IP address at the same time pinning Java to a separate IP address. The author explains that a perpetrator is capable of manipulating multipin weaknesses to read and write precisely on sockets to a host and the port of the perpetrator’s preference. Disastrously, remediating multipin weaknesses come about never in the same manner straightforward equally spawning a routine pin table for browsers and plug-ins (Jackson, Barth, Bortz, Shao, & Boneh, 2009).

Are there possible improvements?
The author advised a well-known preference for safeguarding facing DNS rebinding onslaughts is to thwart a bad-natured Web domain from retrieving socket-level entry to an erratic IP address. The author argued that to thwart socket-level attacks, they suggested alterations to the socket entrance guidelines of Flash Player and Java, the pair of well-nigh universally utilized browser plug-ins. Adobe and Sun acquired and embraced the authors suggested safeguards for Flash Player, Java and Live-Connect. Adobe and Sun implemented patch policies including protections that avoided extensive firewall evasion and IP hijacking (Jackson, Barth, Bortz, Shao, & Boneh, 2009).
The author suggested to battle firewall evasion marshalling DNS resolvers that avoid exterior host names from resolving to interior IP addresses would be they’re proposals to numerous enterprises. They stated that beyond the capacity to decipher attacker.com to an interior IP address, the perpetrator is unable to take advantage of DNS rebinding to evade firewalls. The author suggested the use of dnswall, in which is an open-source resolver tool that can be deployed in different environments. Various operating systems include their distribution, such as FreeBSD and is implemented at numerous enterprises.
The authors suggest that certain systems can protect their interests hindering DNS rebinding onslaughts by confirming the HTTP Host header and disallowing inquiries that consist of an unanticipated Host header benefit. The attackerWeb data is incapable of deceiving the Host header devoid socket-level entrance. This safeguard is pertinent for systems who apply confidence absolutely and completely in the browser’s IP address. Such as, the system obligated for documenting clicks on pay-per-click promotions need to verify the Host header ahead of welcoming an HTTP inquiry as a credible promotion click (Jackson, Barth, Bortz, Shao, & Boneh, 2009).
How does the article compare or contrast with other articles that the class has read so far? What concepts, ideas, or techniques read elsewhere strengthen or weaken this paper?
This article compared to the recommended reading article in Week 4, titled “Security Vulnerabilities in DNS and DNSSEC” by Suranjith Ariyapperuma and Chris J. Mitchell detailed the security problems akin to DNS and demonstrate the disparity in security deriving out of applying distinct corrective actions opposite degrees of complex security. Ariyapperuma and Mitchell believed validation and credibility were large apprehensions as DNS was established to be vulnerable to cache poisoning and man-in-the-middle attacks. Their viewpoints was applicable to the facts given by Jackson et al. as a result of DNSSEC being made known as a possible quick fix to DNS’s security weak spots. Ariyapperuma and Mitchell describe this secure DNS protocol essentially as a technique to focus on the data coherence and origination deceit worry however proceed to debate a number of vulnerabilities innate to DNSSEC (Ariyapperuma & Mitchell, 2007).
Compared to the article “Auto-FBI: a user-friendly approach for secure access to sensitive content on the web” by Mohsen Zohrevandi and Rida A. Bazzi which discussed about innovative and straightforward procedures for attaining entry to classified data on the Internet. This procedure mass produces the perfect standard categorization of methods for infiltrating various types of data with diverse browser instances. The mechanization is clear to the browser and does not depend upon any alteration by means of uncaring data is amassed. Whereas delicate data, a Fresh Browser Instance (FBI) is routinely established to ingress the data. Zohrevandi and Bazzi explained that their model scheme Auto-FBI can afford assistance for beginner users with stated delicate data sites additionally for enhanced seasoned users which manage to describe conflict of interest (COI) collections that data deriving out of sites in the identical user-defined grouping to coincide in a browser instance. Their fundamental operation assessment of Auto-FBI display that the burden made known by the concept is sufficient (less than 160 ms for sites that already have fast load time, but for slow sites the overhead can be as high as 750 ms) (Zohrevandi & Bazzi, 2013).

Discussion/Conclusion:
Each article demonstrates the nuisance and the costly endeavors to mitigate DNS rebinding onslaughts. DNS rebinding has been a persistent origin of browser weaknesses for the previous ten years. The standard safeguard is pinning which limits durability and has complications surmounting to current browsers that adopt various plug-ins to yield Internet data. Albeit, when every plug-in preserve an independent pin table, a perpetrator can deploy a multipin DNS rebinding onslaught utilizing dated high tech interchange. Different plug-ins spawn increased security threats as a result of manifested increased purpose to Internet data along with the capacity to interacting precisely on sockets. The articles showed utilizing DNS rebinding perpetrators are capable of handling this purpose to glean socket-level entrance to a capricious host from the user’s server, evading firewalls and hijacking the user’s IP address.
The articles explained the DNS weaknesses are capable of being taken advantage of on an extensive scope at a minimal burden as a result of DNS rebinding onslaughts do not depend upon the perpetrator to endanger DNS. A perpetrator is capable of affording data to a wide amount of browsers at a portion of a cent per result by executing an Internet promotion. The authors demonstrated that utilizing the operation of executing the perpetrator’s fertile public relations promotions is adequate enough to carry out a DNS rebinding onslaught. The author’s observations point out a certain procedure is an order of magnitude with increased adequate value than spawning and running a classic bot network (Jackson, Barth, Bortz, Shao, & Boneh, 2009).

Review of paper #2
Article Citation:
Sommer, R., & Paxson, V. (2003). Enhancing byte-level network intrusion detection signatures with context. ACM conference on Computer and Communications Security (pp. 262-271). New York: ACM. doi=10.1145/948109.948145 http://doi.acm.org/10.1145/948109.948145.

Summary:
This article illustrates the many network intrusion detection systems (NIDS) in which use byte sequences as signatures to identify bad-natured deeds. The author show that NIDS are inclined to languish from a huge false-positive rate although is actually immensely productive. The authors created the method of contextual signatures as an enhancement of string-based signature-matching. Sommer and Paxson demonstrated alternatively than duplicating rigid strings in confinement, they amplify the duplicating measure with increased background. Sommer and Paxson afford low-level background by adopting traditional phraseology for duplicating and high-level background by enticing favor of the linguistic intelligence made possible by Bro's code evaluation and scripting language when developing a productive signature tool for the NIDS Bro software. In addition to that, Sommer and Paxson incredibly boost the signature's rhetoric and consequently the capacity to limit false positives. Sommer and Paxson introduced numerous samples for instance duplicating inquiries with acknowledgements, employing wisdom of the domain, construing habits amid signatures to copy step-wise onslaughts, and observing exploit scans. Sommer and Paxson further showed that by influencing current operations they remodeled the complete signature collection of the trendy open-source NIDS Snort into Bro's vernacular. Sommer and Paxson realized these modifications does not afford them with enhanced signatures by itself, while deriving a traditional infrastructure to formulate with. Therefore, they assessed their efforts by contrasting to Snort, debating in the procedure numerous generic issues of contrasting various NIDSs (Sommer & Paxson, 2003).

Analysis:
What are the article’s main contributions and strengths?
Sommer and Paxson illustrated that signature-equivalency servers are largely adopted based on their proportionate firmness: candor, rigor, and actual freeware. They determine that by segregating what samples personify hazards they will be able to create a regular design effortlessly detecting those signatures and signal to their existence. Sommer and Paxson then showed that signature-equivalency empower specific markings to be authored in succession to determine gradation server hazards. Lastly, Sommer and Paxson voiced that as fresh hazards materialize they believe obtaining a wide association of users subscribing to a signature information center rendering the joined firmness of numerous entities. They believed the strong point of Bro’s network assessment is that is a nonpartisan practice. Bro typically identify approaching action to its class of signatures by not translating an issue as positive or negative. When verified interactions are depicted traditional programs are carried out to determine whatever reactions are deployed. Sommer and Paxson detailed this advantage of Bro having the adjustability over other NIDs to integrate segment and repositories from other applications (Sommer & Paxson, 2003).

Are there any weaknesses and limitations?
Sommer and Paxson determined that albeit dominant and globally authorized, signature-equivalency does enjoy a serious constraint. They realized that solely traditional onslaughts with reciprocal signatures can be identified through the form of IDS. Also they described exactly descriptive signatures who would capture onslaughts. They verified that relaxed signatures carry the danger of recurring a compelling number of false positives. If the companion is afforded increased knowledge dealing with possible onslaughts a lot of those issues can be conquered. The article also determined that Bro likewise carry a few constraints being the outcome of its composition. Sommer and Paxson stated that signature-equivalency on extensive series of sequences can be embarrassing as a result of every signature has to be programmed as a component of the code object. Sommer and Paxson surmised that despite Bro personifying vastly adjustable IDS in contrast Snort maintains a wider assortment of signatures. After further considerations Sommer and Paxson advised consolidating Snort’s batch inside Bro’s enhanced amenable framework as a result of a transformation procedure to influence the durability of the pair of applications (Sommer & Paxson, 2003).

Are there possible improvements?
Sommer and Paxson determined a possible vulnerability implicit to signature-equivalency is the shortage of increased background. Sommer and Paxson integrated the theory of circumstantial signatures into Bro to combat those vulnerabilities. They verified regular NIDS signature-equivalency is improved by affixing complete traditional phrases instead of rigid strands. Traditional phrases adds flexibility by granting for affixed grammatical framework amidst whatever to hone textual probes. Sommer and Paxson observations allowed for improvements with Bro’s circumstantial signatures as a result of a comparable Python program tested through a vigorous examination. Sommer and Paxon’s Python script transformed Snort structures into patterns suitable with Bro (Sommer & Paxson, 2003).

How does the article compare or contrast with other articles that the class has read so far? What concepts, ideas, or techniques read elsewhere strengthen or weaken this paper?
Compared to the article “Event stream database based architecture to detect network intrusion” by Vikram Kumaran which it introduces a unique network intrusion detection framework assembled on a live emitting database foundation. Kumaran demonstrated that the framework focus on both waste and deviation discovery and is assembled to deal with the big info figure, quickness and array of influx observed in corporate networks as the result of the adoption of in-memory cascade conversion. The article listed standard intrusion pattern discovery systems which peek at the in-house aspect of specific incidents to conclude malignant resolute. Kumaran believed his framework buttress and broadens the standard by increasing the capacity to discover both malignant and atypical encroachment markings in many phase incident series. Kumaran detailed the method applied to the background located cascade disbursing to limit discord in absorption channels. He also stated that the answer exercise incident designation to minimize amplitude and oversee intricacy of organic absorption channels. The framework permits for accumulating alarms from a collection of indicators to afford a larger trustworthy output by reducing false positives. Additionally, it permits residential specialist to delineate high-level regulations to purify not important alarms (Kumaran, 2013).

Discussion/Conclusion:
In conclusion to determine the efficiency of their proposals, Sommer and Paxson ran Snort and Bro opposite to evidence gathered from two independent networks. The focus of the examinations was to determine the alarms provoked and the period time for execution with the two IDS systems. Sommer and Paxson realized deciding explicit enumeration amongst Snort and Bro was difficult for various rationale despite the fact a large number of measurements for the evaluation was registered. Sommer and Paxson surmised that contrasting two NIDS introduce problems in specifications of estimating markings perception and effectiveness. Sommer and Paxson determined the improved form of Bro accomplished many upgrades above Snort in specified caliber alarms recognized. Sommer and Paxson derived this conclusion was accomplish with a versatile foundation like Bro formulating on top of Snort’s traditional signature repository.

References:

Ariyapperuma, S., & Mitchell, C. (2007). Security vulnerabilities in DNS and DNSSEC. Proceedings of the 2nd International Conference on Availability, Reliability, and Security (pp. 335-342). Vienna: ARES. doi: 10.1109/ARES.2007.139 .
Jackson, C., Barth, A., Bortz, A., Shao, W., & Boneh, D. (2009). Protecting browsers from DNS rebinding attacks. ACM Transactions on the Web, 3(1), 1 -26. doi.acm.org/10.1145/1462148.1462150.
Kumaran, V. (2013). Event Stream Database Based Architecture to Detect Network Intrusion. In Proceedings of the 7th ACM international conference on Distributed event-based systems (DEBS '13) (pp. 241-248). New york: ACM.
Sommer, R., & Paxson, V. (2003). Enhancing byte-level network intrusion detection signatures with context. ACM conference on Computer and Communications Security (pp. 262-271). New York: ACM. doi=10.1145/948109.948145 http://doi.acm.org/10.1145/948109.948145.
Zohrevandi, M., & Bazzi, R. (2013). Auto-FBI: a user-friendly approach for secure access to sensitive content on the web. In Proceedings of the 29th Annual Computer Security Applications Conference (ACSAC '13) (pp. 349-358). New York: ACM. doi=10.1145/2523649.2523683.