INTERNET 2013, The Fifth International Conference on Evolving Internet


A Network-based Solution to Kaminsky DNS Cache Poisoning Attacks

Authors:
Tien-Hao Tsai
Yu-Sheng Su
Shih-Jen Chen
Yan-Ling Hwang
Fu-Hau Hsu
Min-Hao Wu

Keywords: DNS; resolver; cache poisoning attack

Abstract:
In this paper, we propose a network-based solution, Cache Poisoning Solver (CPS), to defend an organization against the notorious Kaminsky DNS cache poisoning attack. DNS cache poisoning has been used to attack DNS servers since 1993. Through this type of attack, an attacker can change the IP address of a domain name to any IP address of the attacker's choosing. Because an attacker cannot obtain the transaction number and port number of a DNS query sent by a DNS resolver, the attacker needs to send many fake DNS responses to that resolver in order to forge the related DNS response with one of the attacker’s IP addresses. All these fake DNS responses map the target domain name to that attacker IP address. Based on this observation, CPS solves DNS cache poisoning by detecting, recording, and confirming the IP addresses appearing in the contents of fake DNS replies. As a result, CPS can not only block DNS cache poisoning attacks but also identify the malicious hosts that attackers plan to use to redirect target hosts’ traffic. Usually, these malicious hosts are botnet members and are used as phishing sites; hence, identifying these bots and disconnecting traffic to them can provide further protection to the hosts in a network. In addition, through the use of a Bloom Counter and host confirmation, CPS maintains its detection accuracy even when it is bombarded with a tremendous number of fake DNS replies. Experimental results show that, with low performance overhead, CPS can accurately block DNS cache poisoning attacks and detect the related bots.
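
The observation in the abstract (many forged replies all carrying the same answer address) can be sketched as follows; this is an added example, not CPS's implementation or code from the paper. The mismatch test against outstanding queries, the filter size, the hash scheme, the threshold and all sample records are assumptions, and the host-confirmation step is omitted.

```python
import hashlib

class CountingBloom:
    """Counting Bloom filter: k counters per key; the estimate is their minimum."""
    def __init__(self, size=1024, hashes=3):
        self.size, self.hashes = size, hashes
        self.counters = [0] * size

    def _slots(self, key):
        for i in range(self.hashes):
            digest = hashlib.sha256(f"{i}:{key}".encode()).digest()
            yield int.from_bytes(digest[:4], "big") % self.size

    def add(self, key):
        for slot in self._slots(key):
            self.counters[slot] += 1

    def estimate(self, key):
        # May over-count on collisions, never under-counts.
        return min(self.counters[slot] for slot in self._slots(key))

def suspect_ips(outstanding, replies, threshold=5):
    """Flag answer IPs carried by >= threshold replies that match no
    outstanding query (wrong transaction number or port). Assumed criterion."""
    bloom, flagged = CountingBloom(), []
    for r in replies:
        if outstanding.get(r["qname"]) == (r["txid"], r["port"]):
            continue  # matches the resolver's real query: not counted
        bloom.add(r["answer"])
        if bloom.estimate(r["answer"]) >= threshold and r["answer"] not in flagged:
            flagged.append(r["answer"])
    return flagged

# Constructed sample data (documentation address ranges, made-up values).
OUTSTANDING = {"www.example.com": (0x1A2B, 33000)}
REPLIES = [{"qname": "www.example.com", "txid": t, "port": 33000,
            "answer": "203.0.113.66"} for t in range(20)]   # guessed txids
REPLIES.append({"qname": "www.example.com", "txid": 0x1A2B, "port": 33000,
                "answer": "192.0.2.10"})                    # genuine reply
REPLIES.append({"qname": "www.example.com", "txid": 0x9999, "port": 33000,
                "answer": "198.51.100.7"})                  # one stray reply

if __name__ == "__main__":
    print(suspect_ips(OUTSTANDING, REPLIES))
```

Because the counters can only over-estimate, a flagged address is a candidate rather than a verdict, which is where a confirmation step such as the one the abstract mentions would apply.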

Pages: 43 to 47

Copyright: Copyright (c) IARIA, 2013

Publication date: July 21, 2013

Published in: conference

ISSN: 2308-443X

ISBN: 978-1-61208-285-1

Location: Nice, France

Dates: from July 21, 2013 to July 26, 2013