POPS: From History to Mitigation of DNS Cache Poisoning Attacks
Yehuda Afek, Harel Berger, Anat Bremler-Barr

TL;DR
POPS is a new DNS cache poisoning prevention system integrated into IPS that effectively detects and mitigates attacks with high accuracy, low false positives, and improved efficiency over existing tools, including detection of complex attack types.
Contribution
It introduces a simple, comprehensive DNS cache poisoning prevention system with zero false positives and negatives, outperforming existing tools in detection speed and scope.
Findings
Mitigates 99.9924% of historical DNS attacks
Detects attacks faster and with fewer packets than existing tools
Successfully identifies complex attacks like fragmentation that others miss
Abstract
We present a novel yet simple and comprehensive DNS cache POisoning Prevention System (POPS), designed to integrate as a module in Intrusion Prevention Systems (IPS). POPS addresses statistical DNS poisoning attacks, including those documented from 2002 to the present, and offers robust protection against similar future threats. It consists of two main components: a detection module that employs three simple rules, and a mitigation module that leverages the TC flag in the DNS header to enhance security. Once activated, the mitigation module has zero false positives or negatives, correcting any such errors on the side of the detection module. We first analyze POPS against historical DNS services and attacks, showing that it would have mitigated all network-based statistical poisoning attacks, yielding a success rate of only 0.0076% for the adversary. We then simulate POPS on traffic…
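As an added illustration of the TC-flag mechanism the abstract refers to (this is not code from the paper or from the POPS authors, and the three detection rules are not reproduced here), the following Python rewrites a UDP DNS response so that a standards-conforming resolver discards it and re-queries over TCP; the sample packet is constructed for the example.

```python
import struct

QR, TC = 0x8000, 0x0200  # DNS header flag bits: response, truncated


def build_header(txid, flags, qd, an, ns, ar):
    """Pack the fixed 12-byte DNS header (RFC 1035 section 4.1.1)."""
    return struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar)


# Constructed sample response: one question (example.com A IN) and one A record.
# Values are made up for illustration.
QUESTION = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
SAMPLE_RESPONSE = build_header(0x1234, QR, 1, 1, 0, 0) + QUESTION + ANSWER


def parse_header(pkt):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": txid, "qr": bool(flags & QR), "tc": bool(flags & TC),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def question_len(pkt):
    """Length of the question section; assumes QDCOUNT == 1 and no compression in QNAME."""
    i = 12
    while pkt[i] != 0:          # walk the length-prefixed labels
        i += pkt[i] + 1
    return i + 1 + 4 - 12       # root label byte plus QTYPE and QCLASS


def truncate_response(pkt):
    """Return a copy of a UDP DNS response with TC=1 and every resource record removed.

    A resolver treats TC=1 as 'answer did not fit' and repeats the query over TCP, where
    an off-path attacker cannot inject a reply without the connection's sequence numbers,
    so a spoofed UDP answer never reaches the cache.
    """
    h = parse_header(pkt)
    flags = struct.unpack("!H", pkt[2:4])[0] | TC
    return build_header(h["id"], flags, h["qdcount"], 0, 0, 0) + pkt[12:12 + question_len(pkt)]
```

The same rewrite can be applied to the genuine answer as well as a suspected forgery: the resolver's TCP retry fetches the correct data either way, which is why a mitigation of this shape does not itself need to distinguish the two.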
Taxonomy
Topics: Network Security and Intrusion Detection · Network Packet Processing and Optimization · Advanced Malware Detection Techniques
