Cryptanalysis of FNV-Based cookies

Amit Klein, Haya Shulman, Michael Waidner

Research output: Contribution to journalConference articlepeer-review

1 Scopus citations


DNS cookies is a recently standardised proposal of the IETF meant to protect DNS against off-path cache poisoning attacks. In contrast to other defences for DNS, DNS cookies is a lightweight mechanism, is easy to deploy and does not introduce overhead on the DNS servers. In this work we demonstrate off-path attacks allowing to circumvent the DNS cookies mechanism and impersonate legitimate Internet sources, exposing the DNS servers to cache poisoning and amplification reflection DoS attacks. We implement and evaluate the attacks, and provide recommendations for countermeasures.

Original languageEnglish
Article number9347968
JournalProceedings - IEEE Global Communications Conference, GLOBECOM
StatePublished - Dec 2020
Externally publishedYes
Event2020 IEEE Global Communications Conference, GLOBECOM 2020 - Virtual, Taipei, Taiwan, Province of China
Duration: 7 Dec 202011 Dec 2020

Bibliographical note

Publisher Copyright:
© 2020 IEEE.


ACKNOWLEDGEMENTS This research work has been funded by the German Federal Ministry of Education and Research and the Hessen State Ministry for Higher Education, Research and Arts within their joint support of the National Research Center for Applied Cybersecurity ATHENE and by the DFG as part of project S3 within the CRC 1119 CROSSING.

FundersFunder number
National Research Center for Applied Cybersecurity
Deutsche Forschungsgemeinschaft
Bundesministerium für Bildung und Forschung
Hessisches Ministerium für Wissenschaft und Kunst


    Dive into the research topics of 'Cryptanalysis of FNV-Based cookies'. Together they form a unique fingerprint.

    Cite this