Study on the latent state of Kaminsky-style DNS cache poisoning: Modeling and empirical analysis
Introduction
As a significant component of the Internet infrastructure, the Domain Name System (DNS) (Mockapetris, 1987a) has faced various security issues since its inception. One of the primary reasons is that DNS is a distributed system that does not require strong data consistency: recursive servers (resolvers) cache records to improve performance, so changes to the data of authoritative nameservers are not immediately propagated to resolvers' caches. Out-of-date data at a resolver continues to be served until either its time-to-live (TTL) expires or some event triggers an update. This weak consistency can lead to problems such as the ghost domain name (Jiang et al., 2012) discovered in 2012, a domain deleted by its authoritative nameserver that can still be resolved, which poses security risks. Furthermore, the insecurity of the DNS transport and the slow deployment of DNSSEC (DNS Security Extensions; Arends et al., 2005) have allowed attackers to poison cached records in resolvers (Klein et al., 2017) via on-path man-in-the-middle (MitM) attacks (Duan et al., 2012) or off-path Kaminsky attacks (Alexiou et al., 2010; Herzberg and Shulman, 2013). Because of this weak consistency between authoritative and recursive servers, a resolver cannot detect and refresh poisoned cache records in a timely manner, leading to security issues such as domain name hijacking.
After the Kaminsky DNS vulnerability (Kaminsky, 2008) was disclosed in 2008, academic research on defenses against Kaminsky-style attacks has fallen into two categories. The first protects DNS communication with encryption mechanisms, as in Fan et al. (2011) and Perdisci et al. (2009); such defenses carry high management costs, processing overhead and deployment difficulties. The second relies on challenge-response mechanisms (Gilad et al., 2014) that enhance DNS security by reusing existing protocol fields, as in Chen et al. (2006) and Yuan et al. (2006). These studies focused on preventing spoofed referral records, such as NS records, from being injected into the cache (Duan et al., 2012; Musashi et al., 2011; Tzur-David et al., 2011); attackers commonly use such records as intermediate targets, and we refer to them hereinafter as bounce records. They omitted, however, the subsequent domain hijacking phase. In this study we mathematically model this phase and quantitatively analyze the hijacking effect of Kaminsky-style poisoning. Our findings show that current defenses against Kaminsky-style cache poisoning still rely mainly on DNS transaction identifier (TXID) and source port verification and do not take full advantage of security-enhanced protocols or standards, which may lead to serious security risks, especially with the growth of IPv6 and the Internet of Things (IoT). It is therefore of great significance to deploy a second line of defense aimed specifically at protecting the hijacking phase at resolvers.
The main contributions of this paper are: (1) we anatomize the entire process of the Kaminsky-style attack from a novel perspective, and mathematically model and analyze the hijacking phase (i.e., the latent state) based on TTL; (2) we analyze the practical applications derived from the model and conduct simulations and experiments to investigate the effect of domain hijacking; (3) based on the analytical and empirical study, we offer suggestions to reduce the success rate of domain hijacking.
The rest of the paper is organized as follows. Section 2 provides a brief background on Kaminsky DNS cache poisoning. In Section 3, the entire Kaminsky-style poisoning process is outlined from the perspective of an attacker, with a focus on the latent state; the concept of bounce hijacking and a conventional defense mechanism are also introduced. In Section 4, two typical poisoning scenarios are mathematically modeled to analytically study the effect of bounce hijacking and the influence of TTL on cache poisoning. In Sections 5 and 6, the mathematical model is verified via simulation, and experiments are conducted to empirically demonstrate the effect of domain hijacking. We present related work and conclude the paper with an outlook in Sections 7 and 8, respectively.
Kaminsky DNS cache poisoning
Kaminsky cache poisoning was discovered in 2008. As an off-path attack that can be launched continuously, it has attracted widespread attention from academics over the last decade and still remains a major topic. Unlike MitM attacks, an off-path attack can be launched almost anytime, anywhere. But if the target record already exists in the resolver's cache, the attacker cannot trigger the resolver to send external queries by issuing normal queries, and thus cannot poison the cache by forging a
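The race the off-path attacker has to win in the injection phase is decided by how much the resolver's query is unguessable: the 16-bit TXID, the source port (if randomised) and, where deployed, 0x20 case randomisation of the query name. The following is an added example, not code from the paper or its authors: it evaluates the spoofing-probability formula of RFC 5452, section 7, P(s) = D*R*W / (N*P*I), for a few resolver profiles, and models the Kaminsky trick of querying a fresh random subdomain per race (so a cached target record never blocks a retry) as a sequence of independent races. All attack-rate, window, port-range and 0x20 figures are constructed assumptions for illustration.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class ResolverProfile:
    """Unpredictability a resolver exposes to an off-path attacker (constructed figures)."""
    txid_space: int       # I in RFC 5452: distinct transaction IDs (65536 for a 16-bit TXID)
    port_space: int       # P in RFC 5452: distinct source ports (1 when the port is fixed)
    case_bits: int = 0    # extra bits from 0x20 query-name case randomisation (assumed 0)


# Attack parameters are constructed assumptions, not measurements from the paper.
SPOOF_PPS = 7000         # R: forged answers per second the attacker can deliver
WINDOW_S = 0.1           # W: seconds until the authentic answer closes the race
OUTSTANDING = 1          # D: identical outstanding queries the attacker can get in flight
NAMESERVERS = 1          # N: authoritative servers the resolver may pick from


def entropy_bits(profile: ResolverProfile) -> float:
    """Bits an off-path attacker must guess for a forged answer to be accepted."""
    return math.log2(profile.txid_space * profile.port_space) + profile.case_bits


def spoof_probability(profile, outstanding=OUTSTANDING, rate_pps=SPOOF_PPS,
                      window_s=WINDOW_S, nameservers=NAMESERVERS) -> float:
    """Per-race acceptance probability P(s) = D*R*W / (N*P*I) from RFC 5452, sect. 7,
    with the 0x20 bits folded into the identifier space; capped at 1."""
    space = nameservers * profile.port_space * profile.txid_space * 2 ** profile.case_bits
    return min(1.0, outstanding * rate_pps * window_s / space)


def kaminsky_success_after(profile, races: int, **kw) -> float:
    """Probability that at least one of `races` independent Kaminsky races succeeds.
    Each race queries a fresh random subdomain, so a cached target record never blocks
    the attacker, who can retry immediately after losing a race."""
    p = spoof_probability(profile, **kw)
    return 1.0 - (1.0 - p) ** races


def expected_races(profile, **kw) -> float:
    """Mean number of races until the first accepted forgery (geometric distribution)."""
    p = spoof_probability(profile, **kw)
    return math.inf if p == 0 else 1.0 / p


TXID_ONLY = ResolverProfile(txid_space=65536, port_space=1)
TXID_AND_PORT = ResolverProfile(txid_space=65536, port_space=64512)   # ports 1024-65535
TXID_PORT_0X20 = ResolverProfile(txid_space=65536, port_space=64512, case_bits=10)


if __name__ == "__main__":
    for name, prof in [("TXID only", TXID_ONLY), ("TXID+port", TXID_AND_PORT),
                       ("TXID+port+0x20", TXID_PORT_0X20)]:
        print(f"{name:16s} {entropy_bits(prof):5.1f} bits  "
              f"P(race)={spoof_probability(prof):.3e}  "
              f"E[races]={expected_races(prof):.3e}  "
              f"P(success in 1000 races)={kaminsky_success_after(prof, 1000):.3f}")
```

With the assumed 7000 pps and a 100 ms window, a TXID-only resolver loses roughly one race in a hundred and is almost certainly poisoned within a thousand races (a few minutes of traffic), whereas adding source-port randomisation pushes the expected number of races into the millions; the TXID and port checks the paper describes as the main current defense are exactly these two factors. Note that the formula says nothing about the latent state that follows a successful injection, which is the subject of the rest of the paper.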
A fresh model of cache poisoning
Kaminsky-style poisoning can be interpreted from different perspectives. Herein, we provide a tri-state model of Kaminsky-style poisoning from an attacker's point of view (Fig. 2), which comprises not only the injection phase but also, most importantly, the domain hijacking phase that is studied in depth in this paper.
Target record and bounce record. The target record, i.e., the victim record, is the domain name record an attacker ultimately attempts to tamper with, commonly an A, AAAA, CNAME, MX or PTR
Modeling the latent state
We have abstracted the attack process of Kaminsky-style poisoning and proposed a poisoning model together with related concepts. The test results showed that the success of a hijacking in the latent state depends on the order in which the target and bounce records expire from the cache. The NTMD rule indicates that the hijacking success rate is related to the TTL values of the bounce and target records. To determine the impact of these factors on the hijacking success rate, it is necessary to perform
Numerical simulation
As mentioned above, the success of a hijacking depends on the order in which the target record and the bounce record expire: if the target record expires first, the hijacking succeeds; otherwise it fails. TTL, which determines whether a record has expired, is a non-negative integer, and its decay over time in a resolver's cache is not fundamentally different from that in a simulation. In view of this, in this section we verify the mathematical model in terms of
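The expiry-order rule above can be replayed on a toy cache. The following is an added example, not the paper's simulation code or its NTMD model: a minimal resolver cache holds the legitimate target A record and, from the moment injection succeeds, a poisoned NS bounce record for the zone; the target is queried once per second, and the hijack succeeds exactly when the target expires while the bounce record is still live, because the resolver then follows the poisoned NS to refill the target. The zone names, addresses and TTLs are constructed, and the analytic rate assumes the attacker injects at a uniformly random whole second within the target's TTL (an assumption of this example, not of the paper).

```python
# Toy resolver cache used to replay the latent state of a Kaminsky-style poisoning.
# Everything here is constructed: names, addresses and TTLs are example values.
ZONE = "example.test."
TARGET = "www.example.test."
LEGIT_NS = "ns1.example.test."
ATTACKER_NS = "ns.attacker.test."    # the bounce record's poisoned value
LEGIT_A = "192.0.2.10"
ATTACKER_A = "198.51.100.66"
PARENT_NS_TTL = 3600                 # TTL the parent zone puts on the legitimate NS


class ToyResolver:
    """Cache keyed by (rrtype, owner) -> (rdata, expires_at); time is an integer second counter."""

    def __init__(self):
        self.cache = {}

    def lookup(self, key, now):
        """Return cached rdata, or None (and evict) once `now` reaches its expiry."""
        entry = self.cache.get(key)
        if entry is None or entry[1] <= now:
            self.cache.pop(key, None)
            return None
        return entry[0]

    def store(self, key, rdata, ttl, now):
        self.cache[key] = (rdata, now + ttl)


def resolve_target(r, now, target_ttl):
    """Answer a client query for TARGET at time `now`.
    A cached answer is served as-is; otherwise the resolver follows whatever NS record it
    holds for ZONE, which is exactly where a poisoned bounce record takes effect."""
    a = r.lookup(("A", TARGET), now)
    if a is not None:
        return a
    ns = r.lookup(("NS", ZONE), now)
    if ns is None:
        # NS expired or never cached: walk down from the parent, which is honest here.
        ns = LEGIT_NS
        r.store(("NS", ZONE), ns, PARENT_NS_TTL, now)
    answer = ATTACKER_A if ns == ATTACKER_NS else LEGIT_A
    r.store(("A", TARGET), answer, target_ttl, now)
    return answer


def hijack_succeeds(target_ttl, bounce_ttl, inject_at):
    """Replay one latent-state timeline with one client query per second.
    The legitimate target record is cached at t=0; the attacker's bounce record (NS for
    ZONE) lands at t=inject_at with TTL bounce_ttl, i.e. the injection phase is assumed
    to have already succeeded. Returns True if any query is ever answered via the
    attacker's nameserver."""
    r = ToyResolver()
    resolve_target(r, 0, target_ttl)
    for now in range(inject_at + bounce_ttl + 1):   # nothing changes after bounce expiry
        if now == inject_at:
            r.store(("NS", ZONE), ATTACKER_NS, bounce_ttl, now)
        if resolve_target(r, now, target_ttl) == ATTACKER_A:
            return True
    return False


def expected_success_rate(target_ttl, bounce_ttl):
    """Analytic rate for an injection at a uniformly random whole second in [0, target_ttl):
    the target expires first iff target_ttl - inject_at < bounce_ttl."""
    return min(bounce_ttl - 1, target_ttl) / target_ttl


def replayed_success_rate(target_ttl, bounce_ttl):
    """Exhaustive replay over every injection instant; should match expected_success_rate."""
    wins = sum(hijack_succeeds(target_ttl, bounce_ttl, t) for t in range(target_ttl))
    return wins / target_ttl


if __name__ == "__main__":
    for t_ttl, b_ttl in [(300, 60), (300, 300), (60, 3600)]:
        print(f"target TTL {t_ttl:5d}s  bounce TTL {b_ttl:5d}s  "
              f"replayed {replayed_success_rate(t_ttl, b_ttl):.3f}  "
              f"analytic {expected_success_rate(t_ttl, b_ttl):.3f}")
```

The replay makes the defensive lever visible: a bounce record whose TTL is short relative to the target's TTL rarely outlives the target, while a long-lived bounce record (for example one the attacker sets to hours) almost always does. The toy cache lets the injected NS overwrite a still-fresh legitimate NS; a real resolver applying the credibility ranking of RFC 2181 may refuse that overwrite, which belongs to the injection phase and is deliberately outside this replay of the latent state.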
Empirical analysis
In this section, we empirically analyze the applications of the model which can be exploited to augment the success of domain hijacking. Countermeasures against such potential attacks are also provided based on the analysis as well as experiment results.
Related work
DNS cache poisoning. DNS cache poisoning has been studied extensively in the past decade. Since the discovery of the Kaminsky DNS vulnerability in 2008, many efforts, such as Alexiou et al. (2010), Musashi et al. (2011) and Wang (2015), to name a few, have been devoted to developing corresponding defense mechanisms, and some of the security enhancements have been applied in practical deployments (Herzberg and Shulman, 2012). In 2013, Herzberg and Shulman (2013) and Shulman and Waidner (2014) exposed a new
Conclusion
By anatomizing the entire Kaminsky-style poisoning process, we introduced the concept of the latent state and established its mathematical model, on the basis of which the risk of domain hijacking was quantitatively and empirically analyzed and a defense strategy was proposed. The latent-state mathematical model provides a novel angle and method for the future study of DNS cache poisoning, and sheds light on a multiple-lines-of-defense strategy that can mitigate the effects of both record
CRediT authorship contribution statement
Haikuo Zhang: Conceptualization, Methodology, Writing – original draft. Jueyu Ye: Conceptualization, Methodology, Writing – original draft. Weihong Hu: Conceptualization, Writing – original draft, Writing – review & editing. Qian Wang: Investigation. Xiali Yan: Software. Qiaoli Yue: Data curation. Wanbo Lv: Validation. Ming He: Visualization. Jue Wang: Writing – review & editing.
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
Acknowledgments
The authors would like to thank the anonymous reviewers for their valuable comments and suggestions. This research did not receive any specific grant from funding agencies in the public, commercial, or not-for-profit sectors.
Haikuo Zhang received the Ph.D degree from Computer Network Information Center, Chinese Academy of Sciences. He joined China Internet Network Information Center in 2010, and currently is the director of Engineering Lab. His research interests include cyber security, high performance computing and distributed computing.
References (51)
- Poison over troubled forwarders: a cache poisoning attack targeting DNS forwarding devices. 29th USENIX Security Symposium (USENIX Security 20), 2020.
- Alexa. Top sites. Available: ...
- Alexiou et al. Formal analysis of the Kaminsky DNS cache-poisoning attack using probabilistic model checking. 2010 IEEE 12th International Symposium on High Assurance Systems Engineering, 2010.
- APNIC Labs. Use of DNSSEC validation for world (XA). ...
- Arends, Austein, Larson, Massey, Rose. DNS Security Introduction and Requirements. RFC, 2005.
- Arends, Austein, Larson, Massey, Rose. Protocol Modifications for the DNS Security Extensions. RFC, 2005.
- Arends, Austein, Larson, Massey, Rose. Resource Records for the DNS Security Extensions. RFC, 2005.
- Essai d'arithmétique morale. Histoire Naturelle, Générale et Particulière, 1777.
- Specification of Basic Encoding Rules for Abstract Syntax Notation One (ASN.1). CCITT Recommendation, 1988.
- ECO-DNS: expected consistency optimization for DNS. 2015 IEEE 35th International Conference on Distributed Computing Systems, 2015.
- Chen et al. DNScup: strong cache consistency protocol for DNS. 26th IEEE International Conference on Distributed Computing Systems (ICDCS'06), 2006.
- A longitudinal, end-to-end view of the DNSSEC ecosystem. 26th USENIX Security Symposium (USENIX Security 17), 2017.
- Increased DNS forgery resistance through 0x20-bit encoding: security via leet queries. Proceedings of the 15th ACM Conference on Computer and Communications Security.
- Domain Name System (DNS) Cookies. RFC.
- Duan et al. Hold-on: protecting against on-path DNS poisoning. Proc. Workshop on Securing and Trusting Internet Names (SATIN), 2012.
- Clarifications to the DNS Specification. RFC.
- Fan et al. Prevent DNS cache poisoning using security proxy. 2011 12th International Conference on Parallel and Distributed Computing, Applications and Technologies, 2011.
- Gilad et al. Off-path hacking: the illusion of challenge-response authentication. IEEE Security & Privacy, 2014.
- Herzberg and Shulman. Security of patched DNS. European Symposium on Research in Computer Security, 2012.
- Herzberg and Shulman. Fragmentation considered poisonous, or: one-domain-to-rule-them-all.org. 2013 IEEE Conference on Communications and Network Security (CNS), 2013.
- DNS Queries over HTTPS (DoH). RFC.
- Specification for DNS over Transport Layer Security (TLS). RFC.
- Measures for Making DNS More Resilient against Forged Answers. RFC.
Jueyu Ye received a master's degree from Beijing Institute of Technology. He is an engineer at China Internet Network Information Center. His research interests include high performance computing, edge computing and cyber security.
Weihong Hu received his Ph.D degree in computer engineering from the University of California, Irvine. Currently he is with China Internet Network Information Center and his research interests include network security, network architectures and protocols, next generation networks.
Qian Wang received the Master's degree from Beijing University of Posts and Telecommunications. She is a test development engineer at China Internet Network Information Center. Her research interests include DNS security and automated testing.
Xiali Yan received a master's degree from Beihang University. She is an engineer at China Internet Network Information Center. Her research interests include DNS security and high performance resolving.
Qiaoli Yue received a master's degree from Beijing University of Posts and Telecommunications. She is an engineer at China Internet Network Information Center. Her research interests include DNS security and high performance resolving.
Wanbo Lv received a bachelor's degree from Heilongjiang University. He is an engineer at China Internet Network Information Center. His research interests include DNS system security, cloud computing.
Ming He received a master's degree from Beijing University of Technology. He is an engineer at China Internet Network Information Center. His research interests include DNS security and high performance resolving.
Jue Wang received the Ph.D degree from University of Science and Technology Beijing. He is an associate professor at Computer Network Information Center, Chinese Academy of Sciences. His research interests include parallel computing and artificial intelligence.
1 Haikuo Zhang and Jueyu Ye are co-first authors.