Adaptive deterrence of DNS cache poisoning

Sze Yiu Chau; Omar Chowdhury; Victor Gonsalves; Huangyi Ge; Weining Yang; Sonia Fahmy; Ninghui Li

doi:10.1007/978-3-030-01704-0_10

Adaptive deterrence of DNS cache poisoning

Sze Yiu Chau
, Omar Chowdhury
, Victor Gonsalves
, Huangyi Ge
, Weining Yang
, Sonia Fahmy
, Ninghui Li

Computer Science

Purdue University
Alphabet Inc.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

8 Scopus citations

Abstract

Many long-lived network protocols were not designed with adversarial environments in mind; security is often an afterthought. Developing security mechanisms for protecting such systems is often very challenging as they are required to maintain compatibility with existing implementations, minimize deployment cost and performance overhead. The Domain Name System (DNS) is one such noteworthy example; the lack of source authentication has made DNS susceptible to cache poisoning. Existing countermeasures often suffer from at least one of the following limitations: insufficient protection; modest deployment; complex configuration; dependent on domain owners’ participation. We propose CGuard which is an adaptive defense framework for caching DNS resolvers: CGuard actively tries to detect cache poisoning attempts and protect the cache entries under attack by only updating them through available high confidence channels. CGuard’s effective defense is immediately deployable by the caching resolvers without having to rely on domain owners’ assistance and is compatible with existing and future solutions. We have empirically demonstrated the efficacy of CGuard. We envision that by taking away the attacker’s incentive to launch DNS cache poisoning attacks, CGuard essentially turns the existence of high confidence channels into a deterrence. Deterrence-based defense mechanisms can be applicable to other systems beyond DNS.

Original language	English
Title of host publication	Security and Privacy in Communication Networks - 14th International Conference, SecureComm 2018, Proceedings
Editors	Bing Chang, Yingjiu Li, Raheem Beyah, Sencun Zhu
Publisher	Springer Verlag
Pages	171-191
Number of pages	21
ISBN (Print)	9783030017033
DOIs	https://doi.org/10.1007/978-3-030-01704-0_10
State	Published - 2018
Event	14th International EAI Conference on Security and Privacy in Communication Networks, SecureComm 2018 - Singapore, Singapore Duration: Aug 8 2018 → Aug 10 2018

Publication series

Name	Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
Volume	255
ISSN (Print)	1867-8211

Conference

Conference	14th International EAI Conference on Security and Privacy in Communication Networks, SecureComm 2018
Country/Territory	Singapore
City	Singapore
Period	08/8/18 → 08/10/18

Access to Document

10.1007/978-3-030-01704-0_10

Cite this

Chau, S. Y., Chowdhury, O., Gonsalves, V., Ge, H., Yang, W., Fahmy, S., & Li, N. (2018). Adaptive deterrence of DNS cache poisoning. In B. Chang, Y. Li, R. Beyah, & S. Zhu (Eds.), Security and Privacy in Communication Networks - 14th International Conference, SecureComm 2018, Proceedings (pp. 171-191). (Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST; Vol. 255). Springer Verlag. https://doi.org/10.1007/978-3-030-01704-0_10

Chau, Sze Yiu ; Chowdhury, Omar ; Gonsalves, Victor et al. / Adaptive deterrence of DNS cache poisoning. Security and Privacy in Communication Networks - 14th International Conference, SecureComm 2018, Proceedings. editor / Bing Chang ; Yingjiu Li ; Raheem Beyah ; Sencun Zhu. Springer Verlag, 2018. pp. 171-191 (Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST).

@inproceedings{4e7c66c055af4f15831d1bdef3289982,

title = "Adaptive deterrence of DNS cache poisoning",

abstract = "Many long-lived network protocols were not designed with adversarial environments in mind; security is often an afterthought. Developing security mechanisms for protecting such systems is often very challenging as they are required to maintain compatibility with existing implementations, minimize deployment cost and performance overhead. The Domain Name System (DNS) is one such noteworthy example; the lack of source authentication has made DNS susceptible to cache poisoning. Existing countermeasures often suffer from at least one of the following limitations: insufficient protection; modest deployment; complex configuration; dependent on domain owners{\textquoteright} participation. We propose CGuard which is an adaptive defense framework for caching DNS resolvers: CGuard actively tries to detect cache poisoning attempts and protect the cache entries under attack by only updating them through available high confidence channels. CGuard{\textquoteright}s effective defense is immediately deployable by the caching resolvers without having to rely on domain owners{\textquoteright} assistance and is compatible with existing and future solutions. We have empirically demonstrated the efficacy of CGuard. We envision that by taking away the attacker{\textquoteright}s incentive to launch DNS cache poisoning attacks, CGuard essentially turns the existence of high confidence channels into a deterrence. Deterrence-based defense mechanisms can be applicable to other systems beyond DNS.",

author = "Chau, \{Sze Yiu\} and Omar Chowdhury and Victor Gonsalves and Huangyi Ge and Weining Yang and Sonia Fahmy and Ninghui Li",

note = "Publisher Copyright: {\textcopyright} ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018.; 14th International EAI Conference on Security and Privacy in Communication Networks, SecureComm 2018 ; Conference date: 08-08-2018 Through 10-08-2018",

year = "2018",

doi = "10.1007/978-3-030-01704-0\_10",

language = "English",

isbn = "9783030017033",

series = "Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST",

publisher = "Springer Verlag",

pages = "171--191",

editor = "Bing Chang and Yingjiu Li and Raheem Beyah and Sencun Zhu",

booktitle = "Security and Privacy in Communication Networks - 14th International Conference, SecureComm 2018, Proceedings",

}

Chau, SY, Chowdhury, O, Gonsalves, V, Ge, H, Yang, W, Fahmy, S & Li, N 2018, Adaptive deterrence of DNS cache poisoning. in B Chang, Y Li, R Beyah & S Zhu (eds), Security and Privacy in Communication Networks - 14th International Conference, SecureComm 2018, Proceedings. Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST, vol. 255, Springer Verlag, pp. 171-191, 14th International EAI Conference on Security and Privacy in Communication Networks, SecureComm 2018, Singapore, Singapore, 08/8/18. https://doi.org/10.1007/978-3-030-01704-0_10

Adaptive deterrence of DNS cache poisoning. / Chau, Sze Yiu; Chowdhury, Omar; Gonsalves, Victor et al.
Security and Privacy in Communication Networks - 14th International Conference, SecureComm 2018, Proceedings. ed. / Bing Chang; Yingjiu Li; Raheem Beyah; Sencun Zhu. Springer Verlag, 2018. p. 171-191 (Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST; Vol. 255).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Adaptive deterrence of DNS cache poisoning

AU - Chau, Sze Yiu

AU - Chowdhury, Omar

AU - Gonsalves, Victor

AU - Ge, Huangyi

AU - Yang, Weining

AU - Fahmy, Sonia

AU - Li, Ninghui

N1 - Publisher Copyright: © ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018.

PY - 2018

Y1 - 2018

N2 - Many long-lived network protocols were not designed with adversarial environments in mind; security is often an afterthought. Developing security mechanisms for protecting such systems is often very challenging as they are required to maintain compatibility with existing implementations, minimize deployment cost and performance overhead. The Domain Name System (DNS) is one such noteworthy example; the lack of source authentication has made DNS susceptible to cache poisoning. Existing countermeasures often suffer from at least one of the following limitations: insufficient protection; modest deployment; complex configuration; dependent on domain owners’ participation. We propose CGuard which is an adaptive defense framework for caching DNS resolvers: CGuard actively tries to detect cache poisoning attempts and protect the cache entries under attack by only updating them through available high confidence channels. CGuard’s effective defense is immediately deployable by the caching resolvers without having to rely on domain owners’ assistance and is compatible with existing and future solutions. We have empirically demonstrated the efficacy of CGuard. We envision that by taking away the attacker’s incentive to launch DNS cache poisoning attacks, CGuard essentially turns the existence of high confidence channels into a deterrence. Deterrence-based defense mechanisms can be applicable to other systems beyond DNS.

AB - Many long-lived network protocols were not designed with adversarial environments in mind; security is often an afterthought. Developing security mechanisms for protecting such systems is often very challenging as they are required to maintain compatibility with existing implementations, minimize deployment cost and performance overhead. The Domain Name System (DNS) is one such noteworthy example; the lack of source authentication has made DNS susceptible to cache poisoning. Existing countermeasures often suffer from at least one of the following limitations: insufficient protection; modest deployment; complex configuration; dependent on domain owners’ participation. We propose CGuard which is an adaptive defense framework for caching DNS resolvers: CGuard actively tries to detect cache poisoning attempts and protect the cache entries under attack by only updating them through available high confidence channels. CGuard’s effective defense is immediately deployable by the caching resolvers without having to rely on domain owners’ assistance and is compatible with existing and future solutions. We have empirically demonstrated the efficacy of CGuard. We envision that by taking away the attacker’s incentive to launch DNS cache poisoning attacks, CGuard essentially turns the existence of high confidence channels into a deterrence. Deterrence-based defense mechanisms can be applicable to other systems beyond DNS.

UR - https://www.scopus.com/pages/publications/85059667236

U2 - 10.1007/978-3-030-01704-0_10

DO - 10.1007/978-3-030-01704-0_10

M3 - Conference contribution

AN - SCOPUS:85059667236

SN - 9783030017033

T3 - Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST

SP - 171

EP - 191

BT - Security and Privacy in Communication Networks - 14th International Conference, SecureComm 2018, Proceedings

A2 - Chang, Bing

A2 - Li, Yingjiu

A2 - Beyah, Raheem

A2 - Zhu, Sencun

PB - Springer Verlag

T2 - 14th International EAI Conference on Security and Privacy in Communication Networks, SecureComm 2018

Y2 - 8 August 2018 through 10 August 2018

ER -

Chau SY, Chowdhury O, Gonsalves V, Ge H, Yang W, Fahmy S et al. Adaptive deterrence of DNS cache poisoning. In Chang B, Li Y, Beyah R, Zhu S, editors, Security and Privacy in Communication Networks - 14th International Conference, SecureComm 2018, Proceedings. Springer Verlag. 2018. p. 171-191. (Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST). doi: 10.1007/978-3-030-01704-0_10

Adaptive deterrence of DNS cache poisoning

Abstract

Publication series

Conference

Access to Document

Other files and links

Fingerprint

Cite this