Socket overloading for fun and cache-poisoning

Amir Herzberg, Haya Shulman

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

32 Scopus citations


We present a new technique, which we call socket overloading, that we apply for off-path attacks on DNS. Socket overloading consists of short, low-rate, bursts of inbound packets, sent by off-path attacker to a victim host. Socket overloading exploits the priority assigned by the kernel to hardware interrupts, and enables an off-path attacker to illicit a side-channel on client hosts, which can be applied to circumvent source port and name server randomisation. Both port and name server randomisation are popular and standardised defenses, recommended in [RFC5452], against attacks by off-path adversaries. We show how to apply socket overloading for DNS cache poisoning and name server pinning against popular systems that support algorithms recommended in [RFC6056] and [RFC4097] respectively. Our socket overloading technique may be of independent interest, and can be applied against other protocols for different attacks.

Original languageEnglish
Title of host publicationProceedings - 29th Annual Computer Security Applications Conference, ACSAC 2013
Number of pages10
StatePublished - 2013
Event29th Annual Computer Security Applications Conference, ACSAC 2013 - New Orleans, LA, United States
Duration: 9 Dec 201313 Dec 2013

Publication series

NameACM International Conference Proceeding Series


Conference29th Annual Computer Security Applications Conference, ACSAC 2013
Country/TerritoryUnited States
CityNew Orleans, LA


  • Challenge-response mechanisms
  • DNS cache-poisoning
  • DNS security
  • I/O performance
  • IP derandomisation
  • Interrupts
  • Name server pinning
  • Off-path attacks
  • Port derandomization
  • Socket overloading


Dive into the research topics of 'Socket overloading for fun and cache-poisoning'. Together they form a unique fingerprint.

Cite this