Protecting Against DNS Cache Poisoning Attacks: Jonathan Trostle Bill Van Besien Ashish Pujari

Abstract. DNS is vulnerable to cache poisoning attacks, whereby an attacker sends a spoofed reply to its own query. Historically, an attacker only needed to guess a predictable, or more recently, a 16 bit pseudorandom ID in order to be successful. The Kaminsky attack [7] demonstrated successful poisoning attacks that required only 6 seconds on typical networks. Since then, source port randomization (spr) has been used for additional protection. Nevertheless, E. Polyakov demonstrated successful poisoning attacks against spr given a Gigabit network, on the order of 10 hours. Even with slower network speeds, an attack is likely to be successful in a moderate time period. DNSSEC [3] will provide a strong countermeasure to poisoning as well as other attacks against the DNS. However, until DNSSEC is actually deployed, there is a need for additional countermeasures that can be deployed in the near term. In this paper, we describe a new approach that is based on detecting a poisoning attack, then sending an additional request for the same DNS Resource Record. Since the defense is only activated when attacks occur, we expect the performance impact to be minimal. The countermeasure requires no changes to the DNS standards, and only requires modifications to the caching server. Thus it can be deployed incrementally in order to obtain immediate security benefits. We show that our proposed defense makes poisoning attacks substantially more difficult. We have implemented the countermeasure using a local proxy for the BIND caching server, and our tests show that the performance impact is minimal.

I. INTRODUCTION

The Domain Name Service (DNS) has long been subject to poisoning attacks. A poisoning attack is carried out as follows: (1) a DNS resolver sends a DNS request to a recursive server; (2) the resolver sends an answer to its own query using the address of the authority server as the source address. This attack has been facilitated historically, since both the source port and destination port have been well known ports. Since the recursive server caches the answer, a spoofed incorrect answer will also be returned to every other DNS client that requests a RR (Resource Record) for the same name, for the duration of the TTL (time to live). Thus this attack can be used in conjunction with web spoofing [5] to spoof a heavily used ecommerce web site. Even careful users will be fooled since the web URL will be correct.

There have been several improvements to DNS that have increased the difficulty of mounting poisoning attacks from trivially easy to requiring substantial work on the part of the attacker. The latest approach is to use random transaction IDs together with source port randomization (spr) [1]. These all operate in a security model where the attacker is remote and does not have eavesdropping access to DNS messages over the network. There are also specifications for Internet standards that provide stronger cryptographic mechanisms for DNS security including DNSSEC and TSIG [3], [14]. DNSSEC and TSIG protect against on-the-wire attacks as well as preventing spoofing in the remote attacker model. However, deployment of DNSSEC has not yet occurred due to the initial deployment costs and policy/legal issues associated with public key certification. Thus there is value in solutions that can improve DNS security, provided they can be deployed immediately. We emphasize that DNSSEC provides security against a wider range of attacks, in addition to protecting against cache poisoning.

In [2], a clever mechanism, 0x20, is proposed to give additional protection against DNS poisoning attacks. DNS requests are sent with a random mixture of lower case and upper case characters. Most servers will reply with the same random mixture of characters in the domain name. Thus one additional bit per character in the domain name is gained, for the entropy of the request. Given both spr and 0x20, the attacker has to guess the transaction ID, the source port number, and the particular mixture of cases in the request. 0x20 only gives limited protection for short domain names. A more significant limitation is that not all DNS servers are 0x20 compliant, and 0x20 is unlikely to advance as an IETF standard. The effectiveness of this countermeasure is greatly reduced given even a small percentage of non-compliant servers, since then a list of the non-compliant servers would have to be maintained by all DNS requestors. It would be difficult to ensure that this list is up to date and accurate.

Given the current countermeasure, random IDs combined with spr, an attacker may need to send requests for a period of anywhere between 1-5 days in order to successfully poison a DNS cache (we have verified this attack in our lab). Unfortunately, a determined attacker could carry out such an attack. In this paper, we present a technique that greatly increases the difficulty of DNS cache poisoning. We will show that a persistent long-lived attack has a minimal chance of succeeding, even over a period of a year or longer.

Our new technique is based on sending additional DNS queries when a likely poisoning attack is detected. The recursive DNS server (our implementation uses a proxy) initially listens on k random ports. A packet received on any of these ports indicates a potential spoofing attack. When such
A. DNS Poisoning

Here we briefly overview DNS poisoning attacks including their history. Figure 1 shows the three network entities discussed above together with a typical poisoning scenario. Here we assume the DNS recursive server does not have a RR with the name www.example.org in its cache. In this case, the stub resolver makes a request for www.example.org to the recursive server. The recursive server then sends a DNS query for www.example.org to the authority server (the nameserver for example.org).

to mount a successful poisoning attack. Although this raises the bar, as discussed earlier, an adversary can still successfully mount a poisoning attack.

III. COUNTERMEASURE OPERATION
port). It has the proper destination IP address to send it to (it was the source IP address in the spoofed answer).

4) When POISON DEFENSE is TRUE, every received DNS question is entered into S. DPS forwards the DNS request to BIND and sends its own request as well, for the same DNS question.

5) When POISON DEFENSE is TRUE, DPS checks to see that both DNS answers match (i.e., it checks for a nonempty intersection between the two returned RRsets. Two IP addresses are considered equal if they are on the same subnet, which we have conservatively selected as being determined by the first 24 bits. Therefore one address can match multiple addresses in another DNS response. We give a real example below.) If there is a match, the addresses in the intersection are cached (with a TTL equal to the minimum of the TTLs for the associated RRsets) and forwarded to the client. In any case, the first received answer is entered into S. If there is no match (which is an event we haven't encountered in our testing), DPS sends an additional request in order to obtain another response for matching purposes. DPS also contacts a special handler that we have implemented in BIND, in order to remove the relevant RRs from the cache (the RRs that aren't in the intersection are removed). DPS will indicate which RRs should be removed.

6) When the timer expires, DPS sets POISON DEFENSE to FALSE. DPS will still process through all the remaining DNS questions and answers in S. When S is empty, it resumes normal operation.

7) DPS only caches high level names (e.g., .com, .org, etc.).

8) If an answer is returned immediately from BIND, then it must be in the cache, and DPS will omit sending a 2nd request.

9) DPS does not send extra requests for PTR queries.

10) DPS defers to DNSSEC/TSIG: if any returned RRset is signed, then that RRset is used without modification.

IV. ANALYSIS

We analyze our countermeasure with respect to security and performance.

A. Security Analysis

We analyze the effectiveness of our countermeasure against poisoning attacks. In particular, the attacker will attempt to reply to its own query by guessing the correct transaction ID and port number. If successful, the attacker's DNS answer will be accepted and cached by the recursive server.

The attacker is able to mount a Kaminsky-style attack by requesting RRs for random domain names and also including a NS (nameserver) update. Alternatively, the NS update can be omitted if there are a significant number of names of interest to the attacker; the attacker can cycle through these names for its recursive DNS requests. Our goal is to identify the most efficient attacker strategy and give a bound on its success rate. We will give an upper bound on the probability of the attacker successfully spoofing an answer to one of its queries, over a given time period.

As above, we let $k$ be the number of ports that the recursive server listens on (or the DPS listens on for our implementation). We let $w$ be the number of seconds that DPS stays in secure mode, once it enters secure mode. From [2], the attacker has a certain time window to send answers to its own query to the recursive server, prior to when the authority server replies to the recursive server. The length of this time window determines the number of packets that the attacker can send. Once the authority server replies, the recursive server will accept this answer and cache it for the TTL period (which could range from 1-24 hours, or even less; see Section V). The attacker cannot spoof answers to a query for this domain name again until the TTL has expired. Let $n$ be the number of packets in the time window, and we let $t$ be the length of the time window in seconds.

Prior to the attack, the recursive server is not in secure mode (it's in normal mode). Thus the attacker only needs to match the transaction ID and source port number of its DNS request. We let

$$\ \, = 2^{16} - 1024$$

be the total number of possible ports that the random $k$ ports can be drawn from. The probability that the attacker sends its spoofed reply to one of the $k$ ports is $k/\ $. We expect to receive a packet on one of the $k$ ports after the attacker has sent $\ /k$ packets.

Now we assume that the recursive server is using spr plus random transaction IDs. Following [2], we also assume that the authority server has three public IP addresses (this value is common but may vary slightly); the attacker must also guess the correct one of these addresses. Thus the attacker's probability of matching these three fields in its spoofed reply is

$$\frac{1}{2^{16}\ \ \,3}.$$

Since $n$ is the number of packets that can be sent in the time window, we have that the probability of obtaining a match is bounded by

$$\sum_{i=1}^{n} \frac{i}{2^{16}\,(3\ \,)}\,\Pr[i \text{ packets sent before match}] < \sum_{i=1}^{\infty} \frac{i}{2^{16}\,(3\ \,)}\,\Pr[i \text{ packets sent before match}] = \frac{\ /k}{2^{16}\ \ \,3} = \frac{1}{2^{16}\,(3k)}$$

where we have used the union bound, and since $\ /k$ is the expected number of packets sent before a match on one of the $k$ ports is obtained.

Once DPS enters secure mode, then the attacker must match the 3 fields in each of two queries. The probability of this
TABLE I
ATTACKER SUCCESS PROBABILITY BOUNDS, FOR VALUES OF k AND w, GIVEN SUSTAINED 1 YEAR ATTACK

k      w           prob. bound
256    10 seconds  1/15.877
1024   10 seconds  1/62.531
8192   10 seconds  1/437.452
256    20 seconds  1/31.92
1024   20 seconds  1/122.524
8192   20 seconds  1/764.166

$$(1 - q) + \frac{1}{3k\,2^{16}}$$

For a period consisting of $lw$ seconds, using the union bound, we can therefore bound the attacker probability of success by

$$l\left[(1 - q) + \frac{1}{3k\,2^{16}}\right].$$

We may use the values from [2] where $t = 1/10$, and $n = 13000$ (the attacker has a 100Mb/sec. connection). Table I gives some success probabilities, given $lw$ equal to one year. If we consider the bound above, we see that as $k$ increases, the amount of reduction in the probability bound caused by increasing $w$ decreases. Each doubling of $w$ leads to almost a 1/2 reduction in the probability bound as long as $w$ isn't too large. When $k$ is small, then the reduction is by more than 1/2. The probability bound function (of $k$ and $w$) is depicted in Fig. 4.

Fig. 5. The distribution of DNS query latency, in seconds, for each of three modes. n = 100 samples.

Our testing indicates that about 10% of the DNS servers returned different (but intersecting) sets across multiple DNS queries. If there was no intersection between two requests, we would send an additional request (but this did not occur during our tests). Table III provides an example of a DNS server providing three different responses for the same request.
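The RRset matching that DPS performs in step 5 of Section III, as an added example that is not code from the paper or its proxy: two answers are compared by the first 24 bits of each address, the intersection is re-stamped with the minimum TTL, and the leftover RRs are the ones DPS would ask BIND to purge. The sample answers are the first and third twitter.com responses from Table III; the spoofed answer, and all function and class names, are constructed assumptions.

```python
# Added example, not code from the paper: the RRset matching of step 5 (Section III)
# applied to Table III's twitter.com answers. Names below are assumptions.
import ipaddress
from dataclasses import dataclass

SUBNET_BITS = 24  # the paper's conservative rule: first 24 bits equal => same address

@dataclass(frozen=True)
class ARecord:
    name: str
    ttl: int
    address: str

def parse_answer_section(text):
    """Parse dig-style 'name ttl IN A addr' lines, skipping ';;' comment lines."""
    records = []
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue
        name, ttl, klass, rtype, addr = fields
        if klass == "IN" and rtype == "A":
            records.append(ARecord(name, int(ttl), addr))
    return records

def same_subnet(a, b, bits=SUBNET_BITS):
    return ipaddress.ip_address(b) in ipaddress.ip_network(f"{a}/{bits}", strict=False)

def match_answers(first, second):
    """RRs of `first` with a /24 match in `second`, re-stamped with the minimum TTL
    over both RRsets: this is what DPS caches and forwards to the client. An empty
    list is the no-intersection case, where DPS sends a further request."""
    if not first or not second:
        return []
    min_ttl = min(r.ttl for r in first + second)
    return [ARecord(r.name, min_ttl, r.address) for r in first
            if any(same_subnet(r.address, s.address) for s in second)]

def unmatched_answers(first, second):
    """RRs of `first` with no /24 match in `second`: those DPS asks BIND to remove."""
    kept = {r.address for r in match_answers(first, second)}
    return [r for r in first if r.address not in kept]

# First (TTL 16) and third (TTL 5) answers from Table III.
ANSWER_1 = """;; ANSWER SECTION:
twitter.com. 16 IN A 168.143.162.52
twitter.com. 16 IN A 128.242.245.84
twitter.com. 16 IN A 128.242.245.116
twitter.com. 16 IN A 128.242.240.20
twitter.com. 16 IN A 128.242.240.52
twitter.com. 16 IN A 128.242.240.148"""
ANSWER_3 = """twitter.com. 5 IN A 128.242.245.148
twitter.com. 5 IN A 168.143.162.116
twitter.com. 5 IN A 128.242.240.148
twitter.com. 5 IN A 128.242.240.84
twitter.com. 5 IN A 128.121.146.228
twitter.com. 5 IN A 168.143.162.52"""
# Constructed spoofed answer (not from the paper): an address in an unrelated /24.
SPOOFED = "twitter.com. 3600 IN A 203.0.113.7"
```

Against the first answer, the third answer keeps five RRs (its 128.121.146.228 record has no /24 counterpart and is the one removed), while the constructed spoofed answer produces an empty intersection.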
TABLE II
DNS QUERY LATENCIES (SEC.)

          BIND     BIND+DPS   BIND+DPS poison mode
average   0.0571   0.2086     0.2148
median    0.0310   0.1510     0.1630
std dev   0.0698   0.1713     0.1849
min       0.0140   0.0200     0.077
max       0.3640   1.0890     1.4300

TABLE III
RESPONSE TO THREE DNS QUERIES FOR TWITTER.COM

;; ANSWER SECTION:
twitter.com. 16 IN A 168.143.162.52
twitter.com. 16 IN A 128.242.245.84
twitter.com. 16 IN A 128.242.245.116
twitter.com. 16 IN A 128.242.240.20
twitter.com. 16 IN A 128.242.240.52
twitter.com. 16 IN A 128.242.240.148
;; ANSWER SECTION:
twitter.com. 18 IN A 128.242.240.148
twitter.com. 18 IN A 128.242.245.116
twitter.com. 18 IN A 128.242.240.84
twitter.com. 18 IN A 128.242.240.20
twitter.com. 18 IN A 128.242.245.20
twitter.com. 18 IN A 168.143.162.52
;; ANSWER SECTION:
twitter.com. 5 IN A 128.242.245.148
twitter.com. 5 IN A 168.143.162.116
twitter.com. 5 IN A 128.242.240.148
twitter.com. 5 IN A 128.242.240.84
twitter.com. 5 IN A 128.121.146.228
twitter.com. 5 IN A 168.143.162.52

V. DISCUSSION

Recent studies (e.g., [10]) indicate that DNS caching servers may cache RRs for less than the advertised time period. Some CDN (Content Distribution Network) servers cache RRs for only 20 seconds. Given a 20 second TTL, we can mount a poison attack against a small set of names more efficiently. Suppose the target set has 200 names. Then we can guess against each of the 200 names during every 20 second period. Given 13000 guesses per 100 millisecond time window, per the description in Section IV, we obtain 13000 guesses against each name during the 20 second period. Given 200 names, we need on average $2^{32}/2^{7} = 2^{25}$ guesses against one of the names. We have $2^{25}/13000 < 2^{12}$, so $4000(20) = 80000$ seconds or 22 hours will be sufficient. Here we are not using the Kaminsky attack of updating the nameserver RR cache entry. Thus, if we used our countermeasure to only check high level names and NS (nameserver) updates, the poison problem would still remain.

Our countermeasure does make Distributed Denial of Service (DDoS) attacks easier. In particular, since an extra DNS request is sent for each request received by the recursive server during the secure mode, there is an amplification by almost a factor of 2 during the secure mode. DDoS attacks against DNS are mitigated through the use of anycast [6].

In summary, we believe the amplification of DDoS attacks is acceptable since (1) there are other protocols that can also be used for amplification (e.g., SIP [11], or overlay network based protocols); (2) successful DDoS attacks are fully realizable (for services that don't use anycast) without our poisoning defense; (3) DDoS attacks against DNS are harder given the use of anycast for authority servers; (4) DNS poisoning attacks are a persistent threat, and there is a need for a defense.

VI. SUMMARY

DNS is vulnerable to cache poisoning attacks, whereby an attacker sends a spoofed reply to its own query. The Kaminsky attack [7] led vendors to utilize source port randomization (spr) together with random transaction IDs. This combination eliminates the poisoning attacks that take less than 10 seconds, but slower poisoning attacks are still possible. As network speeds increase, the threat from these attacks will grow.

DNSSEC [3] will provide a strong countermeasure to poisoning as well as other attacks against the DNS. However, until DNSSEC is actually deployed, there is a need for additional countermeasures that can be deployed in the near term.

We have presented a new countermeasure against DNS poisoning attacks which is based on detecting a poisoning attack, then sending an additional request for the same DNS RR. Since the defense is only activated when attacks occur, the performance impact is minimal. The countermeasure requires no changes to the DNS standards and only requires modifications to the caching server. Thus it can be deployed incrementally in order to obtain immediate security benefits. We have implemented the countermeasure using a local proxy for the BIND caching server, and our tests show that the performance impact is minimal. Our analysis shows that we significantly increase resistance against poisoning attacks.

REFERENCES

[1] D. J. Bernstein. The dns_random Library Interface. http://cr.yp.to/djbdns/dns_random.html. 2008.
[2] D. Dagon, M. Antonakakis, P. Vixie, T. Jinmei, W. Lee. Increased DNS Forgery Resistance Through 0x20-Bit Encoding. In Proceedings of the ACM CCS 2008 Conference, October 2008.
[3] D. Eastlake 3rd. Domain Name System Security Extensions. RFC 2535, Internet Engineering Task Force, March 1999.
[4] D. Eastlake 3rd. Secret Key Establishment for DNS (TKEY RR). http://tools.ietf.org/html/rfc2930. September 2000.
[5] E. W. Felten, D. Balfanz, D. Dean, and D. S. Wallach. Web Spoofing: An Internet Con Game. 20th National Information Systems Security Conference, October 1997.
[6] T. Hardie. Distributing Authoritative Name Servers via Shared Unicast Addresses. http://tools.ietf.org/html/rfc3258. April 2002.
[7] D. Kaminsky. It's the End of the Cache As We Know It. http://www.doxpara.com/DMK_BO2K8.ppt. 2008.
[8] P. Mockapetris. Domain Names - Concepts and Facilities. http://www.faqs.org/rfcs/rfc1034. November 1987.
[9] P. Mockapetris. Domain Names - Implementation and Specification. http://www.faqs.org/rfcs/rfc1035. November 1987.
[10] M. A. Rajab, F. Monrose, A. Terzis, and N. Provos. Peeking Through the Cloud: DNS-based Estimation and its Applications. In Proceedings of the Conference on Applied Cryptography and Network Security (ACNS 2008), New York, NY, USA, June 2008.
[11] J. Rosenberg et al. SIP: Session Initiation Protocol. http://www.faqs.org/rfcs/rfc3261. June 2002.
[12] V. Sacramento. Vulnerability in the sending requests control of BIND versions 4 and 8 allows DNS spoofing. 19 Nov. 2002. 15 Dec. 2002. http://www.rnp.br/cais/alertas/2002/caisALR19112002a.html
[13] J. Stewart. DNS cache poisoning - the next generation. http://www.secureworks.com/research/articles/dns-cache-poisoning/, 2003.
[14] P. Vixie, O. Gudmundsson, D. Eastlake 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). http://tools.ietf.org/html/rfc2845. May 2000.