This project simulates DNSSEC (especially NSEC) focusing how to prevent zone walking attack. For simplification, DNSSEC server has been seen as a single server instead of multiple servers. It also contains an experimental mechanism (called low profiling) to prevent such attack.
For automatic testing, only the main method in this source should be used. It automatically runs server with low profiling mechanism and attacker clients. It also generates files (in AutomatedTest folder) containing the test results. The results contain the data of
1 input column for attacker (AttackNoise) and 1 input column for server (TotalSuspiciousRecords):
AttackNoise(for attacker): The amount of noise in scale of 0.0 to 1.0 (inclusive), higher noise for stronger attackTotalSuspiciousRecords(for server): The limiting value of total suspicious records for each client to detect attacker
Each input column has 4 output columns common for both attacker and server:
DomainFetched: The number of domains fetched from the server by the attacker using zone walking attackAttackCoverage: The ratio between the number of domains fetched by the attacker and the number of domains stored in the serverAttackRuntime (msec): The elapsed runtime of the attacker client (in milliseconds)AttackSpeed (domain per msec): The speed of fetching domain by the attacker (in the number of domains fetched per millisecond)
Serverclass: It is an abstract class. The methodssetupServerandrespondmust be implemented in subclasses.Securitypackage: All the classes inside the package implementServerabstract class. Here are the classes:NSECclass: It contains standard NSEC implementation.LowProfilingclass: It contains an experimental mechanism to prevent zone walking attack. It is based on NSEC but with added mechanism to detect and block probable attackers.
Clientclass: It is an abstract class. The methodssetupClientandrequestmust be implemented in subclasses.Behaviourpackage: All the classes inside the package implementClientabstract class. Here are the classes:Legitimateclass: It contains a standard implementation in which a domain from console input will be sent to the server.Attackerclass: It contains a possible behaviour to perform zone walking attack. It is interesting that only the DNSSEC server implemented byLowProfilingcan prevent the attack. But the DNSSEC server implemented byNSECcannot prevent the attack at all.
It contains the classes which is common for both server and client. Here are the classes:
RSA_Cryptographyclass: It contains all the methods related to RSA encryption and decryption. They have been used in signature creation (inside server) and verification (inside client).NetworkTaskclass: It contains common network task(s).
It contains the public key (publicKey file) and the private key (privateKey file). Both files are binary files. It is obvious that the private key cannot be accessed by any of the classes inside Client package.
It contains more than 200 domains along with their corresponding IP addresses. For simulation purpose, all the records will be stored at a time in the volatile memory (RAM) by the server at the beginning of the simulation.
It contains the file(s) created by Attacker client. If zone walking attack is successful, then the file in the folder will store almost all the data from the server's domain-IP records.
These are the classes containing main methods for server and client. To test the simulation in various server-client combinations, these files may be edited. It is obvious that server must be run before running any client. Only a single server can be run at a time using same port, but more than one clients can be run simultaneously.
The sources which have been used in this simulation:
- Domain-IP records: The domain list has been taken from a Github user named Hipo. To retrieve the corresponding IP addresses, a Python script by hasan151623 has been used.
- RSA cryptography and RSA keys: The main part of RSA cryptography and RSA keys has been taken from Mkyong.com. I have only added the signature and hashing part here.