
Computer Engineering ›› 2013, Vol. 39 ›› Issue (1): 12-17. doi: 10.3969/j.issn.1000-3428.2013.01.003


Research on a Defense Strategy against Kaminsky DNS Cache Poisoning

许成喜,胡荣贵,施 凡,张岩庆   

  1. (Network Engineering Department, Electronic Engineering Institute, Hefei 230037, China)
  • Received: 2012-01-13 Revised: 2012-03-12 Online: 2013-01-15 Published: 2013-01-13
  • About the authors: XU Cheng-xi (b. 1989), male, master's student, main research interest: network security; HU Rong-gui, professor, Ph.D.; SHI Fan, engineer, M.S.; ZHANG Yan-qing, master's student

Research on Defense Strategy of Kaminsky DNS Cache Poisoning

XU Cheng-xi, HU Rong-gui, SHI Fan, ZHANG Yan-qing   

  1. (Network Engineering Department, Electronic Engineering Institute, Hefei 230037, China)
  • Received:2012-01-13 Revised:2012-03-12 Online:2013-01-15 Published:2013-01-13

Abstract (translated from the Chinese):

Current caching Domain Name System (DNS) servers cannot withstand a sustained Kaminsky DNS cache poisoning attack. To address this, a defense strategy based on checking response packets is proposed. Probability theory is applied to analyze the inherent relation between the success probability of Kaminsky poisoning and the duration of the attack, and the packet-checking strategy suppresses the accumulation of success probability over time, thereby defending against sustained Kaminsky poisoning. Simulation with the probabilistic model checker PRISM shows that the strategy raises the difficulty of the attack by a factor of more than 3 600.

Keywords: Kaminsky Domain Name System, DNS cache poisoning, probability analysis, packet checking, defense strategy, model checking

Abstract:

Current caching Domain Name System (DNS) servers cannot withstand sustained Kaminsky DNS cache poisoning, so this paper proposes a defense strategy based on checking response packets. Probability theory is used to analyze the inherent relation between the success probability of poisoning and the duration of the attack, which demonstrates the harm of sustained Kaminsky poisoning. On top of existing measures, packet checking suppresses the accumulation of success probability over time, so it can be used to defend against sustained Kaminsky poisoning. A simulation experiment is conducted with the probabilistic model checking tool PRISM; its results show that the strategy makes the poisoning attack more than 3 600 times harder than it is now.

Key words: Kaminsky Domain Name System(DNS), DNS cache poisoning, probability analysis, packet checking, defense strategy, model checking
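The "accumulative effect" the abstract refers to is the reason a Kaminsky attack can run indefinitely: each round the attacker asks the resolver for a fresh random name, so a failed round caches nothing that would block the next one, and rounds become independent trials whose combined success probability grows as 1 - (1 - p)^r. The following is an added illustration of that arithmetic, not code from the paper and not its PRISM model; the 16-bit transaction ID space is real, while the usable source-port count and the number of forged replies per round are assumptions chosen for the example, and the resulting factors have nothing to do with the paper's 3 600 figure.

```python
"""Added example: how Kaminsky poisoning success accumulates over rounds.

Each round the attacker queries the target resolver for a fresh random name
(e.g. <random>.example.com) and floods it with forged replies carrying guessed
transaction IDs (and guessed source ports if the resolver randomises them).
A failed round leaves no cached record that blocks the next attempt, so the
rounds are independent trials. All numbers below are constructed for
illustration; this is not the paper's model.
"""
import math

TXID_SPACE = 1 << 16          # 16-bit DNS transaction ID (protocol fact)
PORT_SPACE = 60_000           # assumed number of usable random source ports
FORGED_PER_ROUND = 200        # assumed forged replies landed before the real one


def per_round_success(forged, space):
    """Probability that one round succeeds when `forged` distinct guesses are
    tried against a single uniformly random value drawn from `space` values."""
    if forged < 0 or space <= 0:
        raise ValueError("forged must be >= 0 and space > 0")
    return min(forged, space) / space


def cumulative_success(p, rounds):
    """P(at least one success in `rounds` independent rounds) = 1 - (1 - p)^rounds.
    This is the accumulation effect: p is tiny per round, but it never resets."""
    if not 0.0 <= p <= 1.0 or rounds < 0:
        raise ValueError("p must be in [0, 1] and rounds >= 0")
    return 1.0 - (1.0 - p) ** rounds


def rounds_for_confidence(p, target):
    """Smallest r such that cumulative_success(p, r) >= target."""
    if not 0.0 < p <= 1.0 or not 0.0 < target < 1.0:
        raise ValueError("need 0 < p <= 1 and 0 < target < 1")
    if p == 1.0:
        return 1
    # 1 - (1-p)^r >= target  <=>  r >= log(1-target) / log(1-p)
    return math.ceil(math.log1p(-target) / math.log1p(-p))


def expected_rounds(p):
    """Mean number of rounds until the first success (geometric distribution)."""
    if not 0.0 < p <= 1.0:
        raise ValueError("need 0 < p <= 1")
    return 1.0 / p


def hardening_factor(p_before, p_after):
    """How many times more rounds, on average, a defence costs the attacker."""
    return expected_rounds(p_after) / expected_rounds(p_before)


def attack_curve(p, max_rounds, step):
    """(rounds, cumulative success probability) samples for tabulating."""
    return [(r, cumulative_success(p, r)) for r in range(0, max_rounds + 1, step)]


if __name__ == "__main__":
    p_txid = per_round_success(FORGED_PER_ROUND, TXID_SPACE)
    p_both = per_round_success(FORGED_PER_ROUND, TXID_SPACE * PORT_SPACE)
    for label, p in (("TXID only", p_txid), ("TXID + source port", p_both)):
        print(f"{label}: per-round p = {p:.3e}, "
              f"rounds to 50% = {rounds_for_confidence(p, 0.5)}, "
              f"expected rounds = {expected_rounds(p):.3e}")
    print(f"source-port randomisation factor = {hardening_factor(p_txid, p_both):.0f}x")
    for r, c in attack_curve(p_txid, 2000, 500):
        print(f"after {r:5d} rounds: cumulative success = {c:.3f}")
```

Run it as a script to see the curve; the point to take from it is that any per-round defence only rescales the horizontal axis, whereas a check that stops the probability from accumulating across rounds changes the shape of the curve, which is the effect the paper's packet-checking strategy targets.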

CLC number: