DNSPD: Entrap Botnets Through DNS Cache Poisoning Detection
Master's === National Central University === Graduate Institute of Computer Science and Information Engineering === 98 === In this paper, we propose a network-based solution, DNSPD, to defend an organization against the notorious DNS cache poisoning attack. DNS cache poisoning has been used to attack DNS servers since 1993 [1]. Through this type of attack, an attacker can change the...
| Main Authors: | Tien-hao Tsai, 蔡天浩 |
|---|---|
| Other Authors: | Fu-Hau Hsu |
| Format: | Others |
| Language: | en_US |
| Published: | 2010 |
| Online Access: | http://ndltd.ncl.edu.tw/handle/80848387491186547932 |
| id | ndltd-TW-098NCU05392033 |
|---|---|
| record_format | oai_dc |
| collection | NDLTD |
| language | en_US |
| format | Others |
| sources | NDLTD |
| description | Master's === National Central University === Graduate Institute of Computer Science and Information Engineering === 98 === In this paper, we propose a network-based solution, DNSPD, to defend an organization against the notorious DNS cache poisoning attack. DNS cache poisoning has been used to attack DNS servers since 1993 [1]. Through this type of attack, an attacker can change the IP address of a domain name to any IP address chosen by her/him. Because an attacker cannot obtain the transaction number and port number of a DNS query sent by a DNS resolver, in order to forge the related DNS response with a prepared IP address, the attacker needs to send many fake DNS responses to the resolver, and all the fake DNS messages may have the same IP address. Based on this observation, DNSPD solves DNS cache poisoning by detecting, recording, and confirming the IP addresses appearing in the contents of fake DNS replies. As a result, DNSPD not only can block DNS cache poisoning attacks but also can identify the malicious hosts to which attackers plan to redirect target hosts’ traffic. Usually these malicious hosts are botnet members and are used as phishing sites; hence, identifying these bots and disconnecting traffic to them can provide further protection to the hosts in a network. Besides, through the utilization of Bloom Counter [2] and host confirmation, DNSPD maintains its detection accuracy even when it is bombarded with a tremendous number of fake DNS replies. Experimental results show that, with low performance overhead, DNSPD can accurately block DNS cache poisoning attacks and detect the related bots. |
| author2 | Fu-Hau Hsu |
| author_facet | Fu-Hau Hsu Tien-hao Tsai 蔡天浩 |
| author | Tien-hao Tsai 蔡天浩 |
| author_sort | Tien-hao Tsai |
| title | DNSPD: Entrap Botnets Through DNS Cache Poisoning Detection |
| publishDate | 2010 |
| url | http://ndltd.ncl.edu.tw/handle/80848387491186547932 |