Information fusion-based method for distributed domain name system cache poisoning attack detection and identification

In this study, the authors consider the detection and identification problems of distributed domain name system (DNS) cache poisoning attacks. In the considered distributed attack, multiple cache servers are invaded simultaneously and the attack intensity at each cache server is slight. Such a distributed attack is difficult to detect and identify with the existing detection methods based on local information, because the abnormal features of each individual cache server are indistinct under a distributed attack. To handle this problem, they propose an information fusion-based detection and identification method. They find that the entropies of the query Internet protocol (IP) addresses for all cache servers are approximately stationary and statistically independent under normal conditions. When a distributed attack happens, they show that the correlation of the entropies among all cache servers could increase dramatically. On the basis of this feature, they make use of principal component analysis to design the detection and identification methods. Specifically, an attack is declared when the maximum eigenvalue of the normalised entropy matrix exceeds a threshold, and the attacked servers are identified by the main loading vector. Finally, they take a large-scale DNS in China and a simulation as two examples to show the effectiveness of their methods.
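The abstract describes the fusion pipeline only in words; the following is an added illustration of it, written for this page and not code from the paper or its authors. It builds a constructed simulation: four cache servers, each seeing 200 queries per time window from a pool of 1000 legitimate client addresses; in 30 windows, servers 0 and 2 simultaneously receive an extra 100 queries from four spoofed sources, which lowers their query-IP entropy in the same windows. The per-window entropies form a windows-by-servers matrix; each column is standardised, the server-by-server correlation matrix is formed, and the dominant eigenpair is obtained by power iteration. The detection threshold (1.8 here) is a constructed value, because the paper does not state how its threshold is chosen; the identification rule (flag servers whose absolute loading exceeds 1/sqrt(K), the equal-share level) is likewise this example's assumption. Client and attacker identifiers are string placeholders standing in for IPv4 addresses.

```python
"""Added example: information-fusion detection of a distributed DNS cache
poisoning attack from the correlation of per-server query-IP entropies.
Constructed simulation, not the paper's code or data."""
import math
import random
from collections import Counter


def shannon_entropy(items):
    """Shannon entropy in bits of the empirical distribution of `items`."""
    n = len(items)
    return -sum((c / n) * math.log2(c / n) for c in Counter(items).values())


def standardise_columns(matrix):
    """Z-score each column (one cache server) of a windows x servers matrix."""
    t, k = len(matrix), len(matrix[0])
    out = [[0.0] * k for _ in range(t)]
    for j in range(k):
        col = [row[j] for row in matrix]
        mean = sum(col) / t
        std = math.sqrt(sum((v - mean) ** 2 for v in col) / t) or 1.0
        for i in range(t):
            out[i][j] = (col[i] - mean) / std
    return out


def correlation_matrix(z):
    """Server-by-server correlation matrix (1/T) Z^T Z of standardised entropies."""
    t, k = len(z), len(z[0])
    return [[sum(z[i][a] * z[i][b] for i in range(t)) / t for b in range(k)]
            for a in range(k)]


def dominant_eigenpair(a, iterations=1000):
    """Power iteration: largest eigenvalue and unit loading vector of a PSD matrix."""
    k = len(a)
    v = [1.0 / math.sqrt(k)] * k
    lam = 0.0
    for _ in range(iterations):
        w = [sum(a[i][j] * v[j] for j in range(k)) for i in range(k)]
        lam = math.sqrt(sum(x * x for x in w))   # ||A v|| -> lambda_max
        v = [x / lam for x in w]
    return lam, v


def detect_and_identify(entropy_matrix, threshold):
    """Detection: lambda_max of the correlation matrix exceeds `threshold`.
    Identification (assumed rule): servers whose |loading| exceeds 1/sqrt(K)."""
    z = standardise_columns(entropy_matrix)
    lam, loadings = dominant_eigenpair(correlation_matrix(z))
    if lam <= threshold:
        return lam, loadings, []
    k = len(loadings)
    attacked = [j for j, l in enumerate(loadings) if abs(l) > 1.0 / math.sqrt(k)]
    return lam, loadings, attacked


def simulate_entropies(servers=4, windows=200, attacked=(), attack_windows=(), seed=1):
    """Constructed traffic: independent legitimate clients per server; attacked
    servers also receive 100 queries from 4 spoofed sources in attack windows."""
    rng = random.Random(seed)
    client_pool, queries_per_window, extra_queries = 1000, 200, 100
    matrix = []
    for w in range(windows):
        row = []
        for s in range(servers):
            ips = [f"client-{rng.randrange(client_pool)}" for _ in range(queries_per_window)]
            if s in attacked and w in attack_windows:
                ips += [f"attacker-{rng.randrange(4)}" for _ in range(extra_queries)]
            row.append(shannon_entropy(ips))
        matrix.append(row)
    return matrix


def run_demo(threshold=1.8):
    """Returns (lambda_max, loadings, attacked) for a normal and an attacked run.
    The threshold is a constructed value; in practice it is calibrated on
    attack-free data (the Marchenko-Pastur edge (1+sqrt(K/T))^2 is a reference)."""
    normal = simulate_entropies(seed=1)
    attack = simulate_entropies(attacked=(0, 2), attack_windows=range(120, 150), seed=2)
    return detect_and_identify(normal, threshold), detect_and_identify(attack, threshold)


if __name__ == "__main__":
    (lam_n, _, att_n), (lam_a, load_a, att_a) = run_demo()
    print(f"normal run:  lambda_max={lam_n:.3f} attacked={att_n}")
    print(f"attack run:  lambda_max={lam_a:.3f} loadings={[round(x, 2) for x in load_a]} attacked={att_a}")
```

Under independence each standardised column contributes about 1 to the spectrum, so the top eigenvalue stays near 1 (with a finite-sample excess); when two of four servers drop in entropy in the same windows their columns become nearly collinear and the top eigenvalue approaches 2, while the loading vector concentrates on exactly those two servers. Note that in the attack run the per-server entropy shift is a fraction of a bit on a baseline of roughly 7.4 bits, which is the kind of locally indistinct deviation the abstract is concerned with.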


    1. 1)
      • 1. Fetzer, C., Pfeifer, G., Jim, T.: ‘Enhancing DNS security using the SSL trust infrastructure’. The Tenth Int. Workshop on Object-Oriented Real-Time Dependable Systems, 2005, pp. 2127.
    2. 2)
      • 2. Afonso, J., Veiga, P.: ‘Enhancing DNS security using dynamic firewalling with network agents’. Federated Conf. on Computer Science and Information Systems, 2011, pp. 777782.
    3. 3)
    4. 4)
    5. 5)
    6. 6)
      • 6. Kaminsky, D.: ‘Its the end of the cache as we know it’. Black Hat Conf., 2008.
    7. 7)
      • 7. Hubert, A., van Mook, R.: ‘Measures for making DNS more resilient against forged answers’, RFC 5452, 2009.
    8. 8)
      • 8. CERT: ‘Multiple DNS implementations vulnerable to cache poisoning’. Technical Report Vulnerability Note, 800113, 2008.
    9. 9)
      • 9. Dagon, D.: ‘Increased DNS forgery resistance through 0 × 20 bit encoding: security via leet queries’. ACM Conf. on Computer and Communications Security, 2008, pp. 211222.
    10. 10)
      • 10. Perdisci, R., Antonakakis, M., Day, K., Luo, X., Lee, W.: ‘WSEC DNS: protecting recursive DNS resolvers from poisoning attacks’. DSN, 2009, pp. 312.
    11. 11)
      • 11. Herzberg, A., Shulman, H.: ‘Security of patched DNS, lecture notes in computer science’ (Springer, 2012), pp. 271284.
    12. 12)
      • 12. Herzberg, A., Shulman, H.: ‘Fragmentation considered poisonous’. IEEE Conf. on Communications and Network Security, 2013.
    13. 13)
      • 13. Herzberg, A., Shulman, H.: ‘Towards adoption of DNSSEC: availability and security challenges’. IEEE Conf. on Communications and Network Security, 2013.
    14. 14)
      • 14. Bau, J., Mitchell, J.C.: ‘A security evaluation of DNSSEC with NSEC3’. Network and Distributed Systems Security Symp., 2010.
    15. 15)
      • 15. Musashi, Y.: ‘Detection of Kaminsky DNS cache poisoning attack’. The Fourth Int. Conf. on Intelligent Networks and Intelligent Systems (ICINIS), 2011.
    16. 16)
      • 16. Zdrnja, B., Brownlee, N., Wessels, D.: ‘Passive monitoring of DNS anomalies’. The Fourth Int. Conf., DIMVA 2007 Lucerne, Switzerland, 2007.
    17. 17)
      • 17. Herzberg, A., Shulman, H.: ‘Unilateral antidotes to DNS poisoning’. The Seventh Int. ICST Conf., SecureComm, London, 2011.

Related content

This is a required field
Please enter a valid email address