Systems and methods for detecting the insertion of poisoned DNS server addresses into DHCP servers

US 8,370,933 B1
Filed: 11/24/2009
Issued: 02/05/2013
Est. Priority Date: 11/24/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting the insertion of poisoned Domain Name System (“

DNS”

) server addresses into Dynamic Host Configuration Protocol (“

DHCP”

) servers, at least a portion of the method being performed by a client computing device comprising at least one processor, the method comprising;

monitoring, at the client computing device, a DHCP server that provides DHCP services to the client computing device;

identifying, by monitoring the DHCP server at the client computing device, a DNS server address provided by the DHCP server to the client computing device;

determining, at the client computing device, that the DNS server address provided by the DHCP server differs from a prior DNS server address that was previously provided to the client computing device by the same DHCP server;

determining, at the client computing device due at least in part to the DNS server address differing from the prior DNS server address, that a DNS server located at the DNS server address provided by the DHCP server represents a potential security risk;

performing, at the client computing device, a security operation in an attempt to remedy the potential security risk.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for detecting the insertion of poisoned DNS server addresses into DHCP servers may include: 1) identifying a DNS server address provided by a DHCP server, 2) determining that the DNS server address provided by the DHCP server differs from a prior DNS server address provided by the DHCP server, 3) determining, due at least in part to the DNS server address differing from the prior DNS server address, that a DNS server located at the DNS server address provided by the DHCP server represents a potential security risk, and then 4) performing a security operation in an attempt to remedy the potential security risk.

Citations

20 Claims

1. A computer-implemented method for detecting the insertion of poisoned Domain Name System (“
- DNS”
  
  ) server addresses into Dynamic Host Configuration Protocol (“
  
  DHCP”
  
  ) servers, at least a portion of the method being performed by a client computing device comprising at least one processor, the method comprising;
  
  monitoring, at the client computing device, a DHCP server that provides DHCP services to the client computing device;
  
  identifying, by monitoring the DHCP server at the client computing device, a DNS server address provided by the DHCP server to the client computing device;
  
  determining, at the client computing device, that the DNS server address provided by the DHCP server differs from a prior DNS server address that was previously provided to the client computing device by the same DHCP server;
  
  determining, at the client computing device due at least in part to the DNS server address differing from the prior DNS server address, that a DNS server located at the DNS server address provided by the DHCP server represents a potential security risk;
  
  performing, at the client computing device, a security operation in an attempt to remedy the potential security risk.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising, prior to identifying the DNS server address provided by the DHCP server, issuing a DHCP request to the DHCP server.
  - 3. The method of claim 2, wherein issuing the DHCP request to the DHCP server comprises periodically issuing the DHCP request to the DHCP server.
  - 4. The method of claim 2, wherein identifying the DNS server address provided by the DHCP server comprises receiving, in response to the DHCP request, the DNS server address from the DHCP server.
  - 5. The method of claim 1, wherein identifying the DNS server address provided by the DHCP server comprises:
    - accessing the DHCP server;
      
      retrieving the DNS server address from the DHCP server.
  - 6. The method of claim 5, wherein accessing the DHCP server comprises at least one of:
    - accessing the DHCP server using login information provided by a user of the client computing device;
      
      accessing the DHCP server using default login information assigned to the DHCP server.
  - 7. The method of claim 1, wherein determining that the DNS server located at the DNS server address provided by the DHCP server represents a potential security risk further comprises at least one of:
    - determining that the DNS server address is listed on a DNS server blacklist;
      
      determining that the DNS server address is not listed on a DNS server whitelist;
      
      determining that a communication latency associated with the DNS server exceeds a predetermined threshold;
      
      detecting modification of a DNS resolver configuration file on the client computing device.
  - 8. The method of claim 1, wherein the DHCP server comprises a residential gateway.
  - 9. The method of claim 1, wherein performing the security operation comprises at least one of:
    - preventing the client computing device from communicating with the DNS server;
      
      deleting the DNS server address from the DHCP server;
      
      replacing the DNS server address with a legitimate DNS server address;
      
      adding the DNS server address to a DNS server blacklist;
      
      informing a government authority that the DNS server represents a potential security risk;
      
      modifying login information required to access the DHCP server.

10. A system for detecting the insertion of poisoned Domain Name System (“
- DNS”
  
  ) server addresses into Dynamic Host Configuration Protocol (“
  
  DHCP”
  
  ) servers, the system comprising;
  
  an address-identification module programmed to cause a client computing device to;
  
  monitor a DHCP server that provides DHCP services to the client computing device;
  
  identify, by monitoring the DHCP server, a DNS server address provided by the DHCP server to the client computing device;
  
  an address-comparison module programmed to cause the client computing device to determine that the DNS server address provided by the DHCP server differs from a prior DNS server address that was previously provided to the client computing device by the same DHCP server;
  
  a security module programmed to cause the client computing device to;
  
  determine, due at least in part to the DNS server address differing from the prior DNS server address, that a DNS server located at the DNS server address provided by the DHCP server represents a potential security risk;
  
  perform a security operation in an attempt to remedy the potential security risk;
  
  at least one processor and a memory device configured to execute the address-identification module, the address-comparison module, and the security module.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein the address-identification module is further programmed to issue a DHCP request to the DHCP server.
  - 12. The system of claim 11, wherein the address-identification module issues the DHCP request to the DHCP server by periodically issuing the DHCP request to the DHCP server.
  - 13. The system of claim 11, wherein the address-identification module identifies the DNS server address provided by the DHCP server by receiving the DNS server address from the DHCP server in response to the DHCP request.
  - 14. The system of claim 10, wherein the address-identification module identifies the DNS server address provided by the DHCP server by:
    - accessing the DHCP server;
      
      retrieving the DNS server address from the DHCP server.
  - 15. The system of claim 14, wherein the address-identification module accesses the DHCP server by at least one of:
    - accessing the DHCP server using login information provided by a user of the client computing device;
      
      accessing the DHCP server using default login information assigned to the DHCP server.
  - 16. The system of claim 10, wherein the security module determines that the DNS server located at the DNS server address provided by the DHCP server represents a potential security risk by at least one of:
    - determining that the DNS server address is listed on a DNS server blacklist;
      
      determining that the DNS server address is not listed on a DNS server whitelist;
      
      determining that a communication latency associated with the DNS server exceeds a predetermined threshold;
      
      detecting modification of a DNS resolver configuration file on the client computing device.
  - 17. The system of claim 10, wherein the DHCP server comprises a residential gateway.
  - 18. The system of claim 10, wherein the security module performs the security operation by at least one of:
    - preventing the client computing device from communicating with the DNS server;
      
      deleting the DNS server address from the DHCP server;
      
      replacing the DNS server address with a legitimate DNS server address;
      
      adding the DNS server address to a DNS server blacklist;
      
      informing a government authority that the DNS server represents a potential security risk;
      
      modifying login information required to access the DHCP server.

19. A non-transitory computer-readable medium comprising computer-executable instructions that, when executed by at least one processor of a client computing device, cause the client computing device to:
- monitor, at the client computing device, a Dynamic Host Configuration Protocol (“
  
  DHCP”
  
  ) server that provides DHCP services to the client computing device;
  
  identify, by monitoring the DHCP server at the client computing device, a Domain Name System (“
  
  DNS”
  
  ) server address provided by the DHCP server to the client computing device;
  
  determine, at the client computing device, that the DNS server address provided by the DHCP server differs from a prior DNS server address that was previously provided to the client computing device by the same DHCP server;
  
  determine, at the client computing device due at least in part to the DNS server address differing from the prior DNS server address, that a DNS server located at the DNS server address provided by the DHCP server represents a potential security risk;
  
  perform, at the client computing device, a security operation in an attempt to remedy the potential security risk.
- View Dependent Claims (20)
- - 20. The computer-readable medium of claim 19, wherein the DHCP server comprises a residential gateway.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Buckler, Daniel
Primary Examiner(s)
Chea, Philip
Assistant Examiner(s)
Alvarado David, Dorianne

Application Number

US12/624,480
Time in Patent Office

1,169 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 61/5014   using dynamic host configur...

H04L 63/14   for detecting or protecting...

Systems and methods for detecting the insertion of poisoned DNS server addresses into DHCP servers

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for detecting the insertion of poisoned DNS server addresses into DHCP servers

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links