POPS: From History to Mitigation of DNS Cache Poisoning Attacks
Yehuda Afek, Harel Berger, Anat Bremler-Barr
TL;DR
This paper presents DNS-CPM, a two-stage DNS cache poisoning prevention system integrated into IPS that combines a fast, rule-based detection module with a TCP-based mitigation module using the TC flag. The detection relies on three practical rules to flag poisoning attempts, while mitigation ensures only legitimate responses proceed by establishing TCP sessions, yielding near-zero false positives and negatives in practice. Through historical analysis and PCAP-based simulations, DNS-CPM demonstrates exceptionally low attacker success rates (around 0.0076%) and significantly faster operation than Suricata or Snort, with the added ability to detect fragmentation and other attacks that prior tools miss. The approach provides proactive CVE mitigation, broad DNS protection with low overhead, and a clear path toward deployment in real-world DNS infrastructures.
Abstract
We present a novel yet simple and comprehensive DNS cache POisoning Prevention System (POPS), designed to integrate as a module in Intrusion Prevention Systems (IPS). POPS addresses statistical DNS poisoning attacks, including those documented from 2002 to the present, and offers robust protection against similar future threats. It consists of two main components: a detection module that employs three simple rules, and a mitigation module that leverages the TC flag in the DNS header to enhance security. Once activated, the mitigation module has zero false positives or negatives, correcting any such errors on the side of the detection module. We first analyze POPS against historical DNS services and attacks, showing that it would have mitigated all network-based statistical poisoning attacks, yielding a success rate of only 0.0076% for the adversary. We then simulate POPS on traffic benchmarks (PCAPs) incorporating current potential network-based statistical poisoning attacks, and benign PCAPs; the simulated attacks still succeed with a probability of 0.0076%. This occurs because five malicious packets go through before POPS detects the attack and activates the mitigation module. In addition, POPS completes its task using only 20%-50% of the time required by other tools (e.g., Suricata or Snort), and after examining just 5%-10% as many packets. Furthermore, it successfully identifies DNS cache poisoning attacks-such as fragmentation attacks-that both Suricata and Snort fail to detect, underscoring its superiority in providing comprehensive DNS protection.
