Collaborative Client-Side DNS Cache Poisoning Attack

Fatemah Alharbi, Jie Chang, Yuchen Zhou, Feng Qian, Zhiyun Qian, Nael Abu-Ghazaleh

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

6 Scopus citations

Abstract

DNS poisoning attacks inject malicious entries into the DNS resolution system, allowing an attacker to redirect clients to malicious servers. These attacks typically target a DNS resolver, allowing attackers to poison a DNS entry for all machines that use the compromised resolver. However, recent defenses can effectively protect resolvers, rendering classical DNS poisoning attacks ineffective. In this paper, we present a new class of DNS poisoning attacks targeting the client-side DNS cache. The attack initiates DNS poisoning on the client cache, which is used in all mainstream operating systems to improve DNS performance, circumventing defenses targeting resolvers. Our attack allows an off-path attacker to collaborate with a piece of unprivileged malware to poison the OS-wide DNS cache on a client machine. We developed the attack on Windows, Mac OS, and Ubuntu Linux. Interestingly, the behaviors of the three operating systems are distinct and the vulnerabilities require different strategies to exploit. We also generalize the attack to work even when the client is behind a Network Address Translation (NAT) router. Our results show that we can reliably inject malicious DNS mappings, taking on the order of tens of seconds on average. Finally, we propose a defense against this type of poisoning attack.

Original language: English (US)
Title of host publication: INFOCOM 2019 - IEEE Conference on Computer Communications
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 1153-1161
Number of pages: 9
ISBN (Electronic): 9781728105154
State: Published - Apr 2019
Event: 2019 IEEE Conference on Computer Communications, INFOCOM 2019 - Paris, France
Duration: Apr 29 2019 → May 2 2019

Publication series

Name: Proceedings - IEEE INFOCOM
Volume: 2019-April
ISSN (Print): 0743-166X

Conference

Conference: 2019 IEEE Conference on Computer Communications, INFOCOM 2019
Country: France
City: Paris
Period: 4/29/19 → 5/2/19

Bibliographical note

Funding Information:
Fatemah Alharbi is supported by Taibah University (TU) and the Saudi Arabian Cultural Mission (SACM). The work is partially supported by the National Science Foundation under grants No. CNS-1619391, CNS-1652954, and CNS-1618898.

VIII. CONCLUSION

To conclude, we are the first to practically report, evaluate, and measure the client-side OS-wide DNS cache poisoning attack against Windows, Mac OS, and Linux operating systems. By understanding the specific OS implementations, we tailor the attacks against them individually and show that the attack can generally succeed in tens of seconds under realistic conditions. We hope that the lessons learned can help improve the future design and implementation of DNS and even other OS-wide caching systems.
