Antidotes for DNS poisoning by off-path adversaries

Amir Herzberg, Haya Shulman

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, peer-review

12 Scopus citations

Abstract

Following Kaminsky's attack (2008), caching resolvers were patched with defenses against poisoning. So far, the main improvements were non-cryptographic and easy to deploy (requiring changes only in resolvers). Some of these improvements are widely deployed, and it is believed that they suffice to prevent poisoning, at least by off-path, spoofing attackers. We perform a critical study of the prominent defense mechanisms against poisoning attacks by off-path adversaries. We present weaknesses and limitations, and suggest countermeasures. Our main message is that the DNS infrastructure should not rely on short-term, 'easy-to-deploy' defenses, and efforts should be increased towards transition to DNSSEC.

Original language: English
Title of host publication: Proceedings - 2012 7th International Conference on Availability, Reliability and Security, ARES 2012
Pages: 262-267
Number of pages: 6
State: Published - 2012
Event: 2012 7th International Conference on Availability, Reliability and Security, ARES 2012 - Prague, Czech Republic
Duration: 20 Aug 2012 to 24 Aug 2012

Publication series

Name: Proceedings - 2012 7th International Conference on Availability, Reliability and Security, ARES 2012

Conference

Conference: 2012 7th International Conference on Availability, Reliability and Security, ARES 2012
Country/Territory: Czech Republic
City: Prague
Period: 20/08/12 to 24/08/12

Keywords

  • DNS cache poisoning
  • DNS security
  • Kaminsky attack
