Faculty Publications
Permanent URI for this community: https://idr.nitk.ac.in/handle/123456789/18736
Publications by NITK Faculty
7 results
Search Results
Key update mechanism in PKI: Study & a new approach
(IEEE Computer Society help@computer.org, 2013) Spoorthi, V.; Rajendran, B.; Chandrasekaran, K.
Public-Key Infrastructure (PKI) provides robust and scalable security services like authentication and non-repudiation using digital certificates. An efficient key management is necessary for a long term implementation of PKI. As a part of key management, key pair of all the entities within the PKI system is updated regularly to minimize overuse of keys and to comply with the organization's policies. In a hierarchical PKI system, root Certificate Authority (CA) is the highest trust anchor and hence updating its key pair is a challenging task. It requires proper authentication of certificate issuing entities to its subordinates and storage of keys for future reference. This paper discusses the various mechanisms available for updating root CA key pairs and brings out pros and cons in each. Considering the shortcomings of these methods, a new method for key pair update has been proposed, which is less complex and easy to implement. In addition, some of the open-source tools available to implement these techniques and open challenges which need to be addressed have been highlighted. © 2013 IEEE.

DANE: An inbuilt security extension
(Institute of Electrical and Electronics Engineers Inc., 2016) Aishwarya, C.; Raghuram, M.A.; Hosmani, S.; Sannidhan, M.S.; Rajendran, B.; Chandrasekaran, K.; Bindhumadhava, B.S.
Use of TLS and certificates in secure applications in the internet is very common today. Certificate authorities are playing the important role of trust anchors. But this means that third party certificate authorities have to be trusted by both domain owners and their clients. Compromises of certificate authorities will put many users under a huge risk. To solve this problem, the DANE protocol was proposed that is used on top of DNSSEC. It allows using the chain of trust in DNS for authenticating certificates and makes clients impose many constraints on the certificates they receive. We analyze the performance of the DANE protocol at the client side and also present a tool for deploying and administrating DANE with BIND servers in a local network. © 2015 IEEE.

DNS Amplification DNS Tunneling Attacks Simulation, Detection and Mitigation Approaches
(Institute of Electrical and Electronics Engineers Inc., 2020) Sanjay; Rajendran, B.; Shetty D, P.
DNS is a critical infrastructure service of the Internet that translates hostnames to network IP addresses and vice versa. The criticality of DNS can be evidenced by the fact that almost all organizations and enterprises do not block DNS traffic, as it would eventually stop access to the Internet. As a result, attackers have been exploiting the DNS infrastructure and using it as a launchpad for carrying out various attacks e.g. DoS/DDoS, DNS reflection amplification, DNS tunneling, NXDOMAIN attack, and DNS hijacking, etc. During the historic implementation of DNS protocol, its security was not considered which led to the exploitation of various vulnerabilities in the DNS infrastructure. This paper brings out the technicalities behind DNS amplification and DNS tunneling attacks and presents a number of countermeasures and mitigation techniques to protect against these attacks and the DNS Infrastructure. © 2020 IEEE.

Health Assessment of 1485 Top Level Domain's Name Servers
(Institute of Electrical and Electronics Engineers Inc., 2023) Adiwal, S.; Rajendran, B.; Shetty D, D.; Sudarsan, S.D.
Domain Name System (DNS) has evolved as a critical component in the accessibility of Internet services and has therefore become a key attack vector in major Internet attacks. It is essential to monitor various DNS communications parameters, take corrective actions when needed, and prevent abuse. We propose a new set of metrics that could be monitored to assess the health of a given Top Level Domains (TLDs) nameserver. We then conduct passive probes and determine the values of the proposed parameters for the nameservers serving the 1485 TLDs of the Internet. The values of the identified metrics help to detect sluggishness in performance and form the basis for arriving at a score of their health. The presented approach is scalable across the DNS hierarchy and can be repeated periodically to detect and prevent DNS abuses. © 2023 IEEE.

Revisiting the Performance of DNS Queries on a DNS Hierarchy Testbed over Dual-Stack
(Oxford University Press, 2021) Adiwal, S.; Rajendran, B.; Shetty D, P.; Palaniappan, G.
The exponential growth of IoT devices and their need to use IPv6 addresses has the potential to create load stress on the existing DNS infrastructure and it is imperative that DNS servers be deployed on IPv6 networks. The DNS query latency from a particular Internet vantage point for IPv4 and IPv6 network cannot be compared directly due to variations in the number of hops of query on IPv4 and IPv6 communication networks. Moreover, there is no assurance that DNS server in the hierarchy is hosted on a dual-stack. This work brings out the DNS query resolution latency over the IPv4 and IPv6 protocol stacks with better accuracy. The experiments are carried out by setting up a complete DNS hierarchy (ROOT, TLD, STLD, TTLD and recursive resolver) on dual IP stack (IPv4 and IPv6), enabling both forward and reverse lookup tree on a live testbed, ensuring a constant number of hops between the recursive resolver and each of the DNS servers in the hierarchy. This live testbed is a first of its kind and is made available for Internet researchers. The operational issues encountered during this deployment and service provisioning are discussed and documented in this paper. This paper also gives a clear illustration and provides reference guidelines for the DNS hierarchy setup, and also aims to bridge the knowledge gap required for deploying DNS over IPv6. © 2021 The British Computer Society.

A Quantitative Method for Measuring Health of Authoritative Name Servers
(IGI Global, 2022) Adiwal, S.; Rajendran, B.; Shetty D, P.D.
The domain name system (DNS) is regarded as one of the critical infrastructure components of the global internet because a large-scale DNS outage would effectively take a typical user offline. Therefore, the internet community should ensure that critical components of the DNS ecosystem—that is, root name servers, top-level domain registrars and registries, authoritative name servers, and recursive resolvers—function smoothly. To this end, the community should monitor them periodically and provide public alerts about abnormal behavior. The authors propose a novel quantitative approach for evaluating the health of authoritative name servers – a critical, core, and a large component of the DNS ecosystem. The performance is typically measured in terms of response time, reliability, and throughput for most of the internet components. This research work proposes a novel list of parameters specifically for determining the health of authoritative name servers: DNS attack permeability, latency comparison, and DNSSEC validation. The aim is to understand the general behavior of authoritative name servers, detect sluggishness in their performance, and arrive at a score of their health through the aforesaid parameters. The effectiveness of identified parameters is evaluated by devising the corresponding probing algorithms and experimented with them among the authoritative name servers serving the world’s top 500 domains. This approach could be used periodically to assess and take necessary measures to protect authoritative domain name servers from abuse. © 2022, IGI Global.

DNS Intrusion Detection (DID) — A SNORT-based solution to detect DNS Amplification and DNS Tunneling attacks
(Elsevier B.V., 2023) Adiwal, S.; Rajendran, B.; Shetty D, P.S.; Sudarsan, S.D.
Domain Name System (DNS) plays a critical role in the Internet ecosystem, translating numerical IP addresses to memorable domain names and vice versa. The malicious user targets DNS by taking advantage of vulnerabilities in DNS. The most complex attacks in the DNS attacks vector include Distributed Denial of Service (DDoS) based DNS amplification attacks and sophisticated DNS tunneling attacks. An Intrusion Detection System (IDS) is a solution available to monitor the traffic for intrusion in the network but not exclusively for DNS intrusions. In this research paper, we present – DNS Intrusion Detection (DID), a system integrated into SNORT – a prominent open-source IDS, to detect major DNS-related attacks. We developed novel IDS signatures for various tools used in the tunneling, amplification, and DoS attacks and added them to the existing ruleset file of IDS to detect DNS-based intrusions. Our approach successfully identifies empirical DNS attacks carried out by various known tools available over the Internet. Evaluation of DID showed a high detection rate and a very low false-positive rate. © 2023 The Author(s)
