POPS: From History to Mitigation of DNS Cache Poisoning Attacks

We present a novel yet simple and comprehensive DNS cache POisoning Prevention System (POPS), designed to integrate as a module in Intrusion Prevention Systems (IPS). POPS addresses statistical DNS poisoning attacks-documented from 2002 to the present-and offers robust protection against similar future threats. It comprises a detection module, which employs three simple rules, and a mitigation module that leverages the TC flag in the DNS header to enhance security. Once activated, the mitigation module has zero false positives or negatives, correcting any such errors on the side of the detection module. Thus, the detection module is allowed to err on the false positive side while minimizing false negatives.

We first analyze POPS against historical DNS services and attacks, showing that it would have mitigated all network-based statistical poisoning attacks. We then simulate POPS on traffic benchmarks (PCAPs), incorporating current potential network-based statistical poisoning attacks, and benign PCAPs; the simulated attacks still succeed with a probability of 0.0076%. This occurs because five malicious packets go through before POPS detects the attack and activates the mitigation module. In addition, POPS completes its task using only 20%–50% of the time required by other tools (e.g., Suricata or Snort), and after examining just 5%–10% as many packets. It successfully detects DNS cache poisoning attacks-including fragmentation-based variants-that Suricata and Snort consistently miss, highlighting POPS's superiority.