Showing posts from November, 2020

Another reason you should implement DNSSEC now

Researchers from the University of California and Tsinghua University in China have published their discovery of a new form of DNS cache poisoning attack. The attack leverages a side channel in the Internet Control Message Protocol (ICMP) to improve its odds of success: the side channel lets the attacker identify the subset of source UDP ports a recursive server actually uses when issuing queries. Narrowing that pool of randomized ports shrinks the range of port numbers the attacker must guess when trying to forge a legitimate query response. Source port and DNS transaction identifier randomization have been the recommended mitigations against cache poisoning attacks, including the more dangerous Kaminsky-style attacks, but this use of a side channel weakens the protection that source port randomization provides. DNS Security Extensions (DNSSEC) remain the only definitive means of mitigating cache poisoning attacks, including this new variant.