Check out the new USENIX Web site. next up previous
Next: External collaborator attack Up: Spoofing defense strategy and Previous: Spoofing defense strategy and

Wireless ingress filtering defense

As discussed previously, the simplest form of DNS spoofing involves the attacker lurking for DNS requests to the target site, and then injecting a fake DNS response pointing to a site under the attacker's control. It seems straightforward to defend against this attack through the use of ingress filtering at the AP. Ingress filtering ensures that all traffic broadcast by the AP on the wireless network is checked in terms of IP address and the interface on which it is received. That is, traffic originating from the wireless network should have IP addresses on the local wireless network. (Similarly, but less relevant here, traffic from the external network should not have an IP address on the internal network.) A DNS request is usually sent to a resolver outside the wireless LAN, and therefore the DNS response is expected from an external address. A spoofed response is trivial to detect, as it arrives on the AP from the wireless interface and has an external IP address.