Poster (2016)
CGuard: Adaptive Defense Against DNS Cache Poisoning Attacks By Off-path Adversaries
Omar Chowdhury, Sze Yiu Chau, Victor Gonsalves, Weining Yang, Huangyi Ge, Sonia Fahmy, Ninghui Li
Since its inception, the DNS protocol has been susceptible to DNS cache poisoning (DCP) attacks. We introduce an enhancement to the Kaminsky attack, dubbed the parallel Kaminsky attack, which can bypass existing defenses based on source port randomization with high probability. To thwart this and other DCP attacks, we propose CGuard, an adaptive defense that switches to a high-confidence, high-overhead channel for cache updates only when it detects an attack, so the overhead is paid only while an attack is in progress. By design, CGuard ensures that no matter how much bandwidth an attacker has or what strategy it uses, its DCP attack succeeds only with low probability, which removes the incentive to carry out DCP attacks at all. In this way, CGuard complements long-term defenses: it turns the existence of a high-confidence, high-overhead channel (e.g., DNSSEC) into a deterrent, so one gets its protection against DCP attacks “for free”, i.e., seldom has to pay its performance overhead. CGuard is also incrementally deployable and incentive compatible: once implemented in a DNS server's code, each server can deploy it independently and enjoy the security benefit on its own. We have implemented CGuard in Unbound 1.5.4; experiments demonstrate its effectiveness.
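The adaptive switch described above, as an added illustration that is not the poster's or Unbound's code: a resolver that caches UDP replies on the fast path normally, and routes the cache update through a verified channel only once an attack is suspected. The detection signal (a burst of replies whose TXID/port do not match the pending query) and the threshold value are assumptions for this sketch, not details taken from the poster.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Set

# Assumed detection signal (not from the poster): a legitimate reply carries the
# pending query's TXID and source port, while off-path guesses mostly do not, so a
# burst of mismatched replies for one pending name suggests an attack in progress.
MISMATCH_THRESHOLD = 3  # hypothetical tuning value


@dataclass
class PendingQuery:
    txid: int
    port: int
    mismatches: int = 0


@dataclass
class AdaptiveResolver:
    cache: Dict[str, str] = field(default_factory=dict)
    pending: Dict[str, PendingQuery] = field(default_factory=dict)
    alerted: Set[str] = field(default_factory=set)  # names forced onto the verified channel
    verified_lookups: int = 0  # high-overhead channel uses; zero while no attack is seen

    def send_query(self, name: str, txid: int, port: int) -> None:
        self.pending[name] = PendingQuery(txid, port)

    def receive_reply(self, name: str, txid: int, port: int, rdata: str,
                      verified_lookup: Callable[[str], str]) -> str:
        """Handle one UDP reply; verified_lookup(name) models the high-confidence
        channel (e.g. a DNSSEC-validated fetch) and is only invoked when alerted."""
        q = self.pending.get(name)
        if q is None:
            return "dropped"  # nothing outstanding for this name
        if (txid, port) != (q.txid, q.port):
            q.mismatches += 1
            if q.mismatches >= MISMATCH_THRESHOLD:
                self.alerted.add(name)  # switch this name to the slow, trusted path
            return "mismatch"
        if name in self.alerted:
            # Attack suspected: ignore the UDP payload and pay for the verified answer.
            self.verified_lookups += 1
            rdata = verified_lookup(name)
            outcome = "cached_verified"
        else:
            outcome = "cached_fast"  # common case: no overhead
        self.cache[name] = rdata
        del self.pending[name]
        return outcome
```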