TY - GEN
T1 - POPS
T2 - 34th USENIX Security Symposium, USENIX Security 2025
AU - Afek, Yehuda
AU - Berger, Harel
AU - Bremler-Barr, Anat
N1 - Publisher Copyright:
© 2025 by The USENIX Association All Rights Reserved.
PY - 2025
Y1 - 2025
N2 - We present a novel yet simple and comprehensive DNS cache POisoning Prevention System (POPS), designed to integrate as a module in Intrusion Prevention Systems (IPS). POPS addresses statistical DNS poisoning attacks, documented from 2002 to the present, and offers robust protection against similar future threats. It comprises a detection module, which employs three simple rules, and a mitigation module that leverages the TC flag in the DNS header to enhance security. Once activated, the mitigation module has zero false positives or negatives, correcting any such errors on the side of the detection module. Thus, the detection module is allowed to err on the false positive side while minimizing false negatives. We first analyze POPS against historical DNS services and attacks, showing that it would have mitigated all network-based statistical poisoning attacks. We then simulate POPS on traffic benchmarks (PCAPs) incorporating current potential network-based statistical poisoning attacks, and benign PCAPs; the simulated attacks still succeed with a probability of 0.0076%. This occurs because five malicious packets go through before POPS detects the attack and activates the mitigation module. In addition, POPS completes its task using only 20%-50% of the time required by other tools (e.g., Suricata or Snort), and after examining just 5%-10% as many packets. It successfully detects DNS cache poisoning attacks, including fragmentation-based variants, that Suricata and Snort consistently miss, highlighting POPS's superiority.
UR - https://www.scopus.com/pages/publications/105021382622
AN - SCOPUS:105021382622
T3 - Proceedings of the 34th USENIX Security Symposium
SP - 3537
EP - 3556
BT - Proceedings of the 34th USENIX Security Symposium
Y2 - 13 August 2025 through 15 August 2025
ER -