Socket overloading for fun and cache-poisoning
Proceedings of the 29th Annual Computer Security Applications Conference
Following Kaminsky's attack (2008), caching resolvers were patched with defenses against poisoning. So far, the main improvements were non-cryptographic and easy to deploy (requiring changes only in resolvers). Some of these improvements are widely deployed, and it is believed that they suffice to prevent poisoning, at least by off-path, spoofing attackers. We perform a critical study of the prominent defense mechanisms against poisoning attacks by off-path adversaries. We present weaknesses and limitations, and suggest counter-measures. Our main message is that the DNS infrastructure should not rely on short-term, 'easy-to-deploy' defenses, and efforts should be increased towards transition to DNSSEC.