From IP to transport and beyond: cross-layer attacks against applications

TL;DR

This paper analyzes DNS cache poisoning methods and demonstrates how they can be exploited across network layers to attack various Internet systems, revealing a significant security threat.

Contribution

It provides the first comprehensive analysis of cross-layer DNS cache poisoning attacks and their impact on Internet security, including bypassing cryptographic defenses.

Findings

DNS cache poisoning is practical and widespread.

Cross-layer attacks can compromise security mechanisms like RPKI.

DNS poisoning can enable BGP hijacking despite route validation.

Abstract

We perform the first analysis of methodologies for launching DNS cache poisoning: manipulation at the IP layer, hijack of the inter-domain routing and probing open ports via side channels. We evaluate these methodologies against DNS resolvers in the Internet and compare them with respect to effectiveness, applicability and stealth. Our study shows that DNS cache poisoning is a practical and pervasive threat. We then demonstrate cross-layer attacks that leverage DNS cache poisoning for attacking popular systems, ranging from security mechanisms, such as RPKI, to applications, such as VoIP. In addition to more traditional adversarial goals, most notably impersonation and Denial of Service, we show for the first time that DNS cache poisoning can even enable adversaries to bypass cryptographic defences: we demonstrate how DNS cache poisoning can facilitate BGP prefix hijacking of networks protected with RPKI even when all the other networks apply route origin validation to filter invalid BGP announcements. Our study shows that DNS plays a much more central role in the Internet security than previously assumed. We recommend mitigations for securing the applications and for preventing cache poisoning.