
1. DNS/毒盛/2020 (DNS cache poisoning, 2020)

1.1. saddns.net

/saddns.net /対策 (countermeasures)

A technique that uses a side channel to identify the source port of an outgoing query, which neutralizes source port randomization.

I would rather not describe this as the revival of cache poisoning, but it is a threat. -- ToshinoriMaeno 2020-11-14 22:54:16

https://www.isc.org/blogs/2020-saddns/

https://arstechnica.com/information-technology/2020/11/researchers-find-way-to-revive-kaminskys-2008-dns-cache-poisoning-attack/

DNS cache poisoning, the Internet attack from 2008, is back from the dead

DNS cache poisoning attacks return due to Linux weakness (BleepingComputer): https://www.bleepingcomputer.com/news/security/dns-cache-poisoning-attacks-return-due-to-linux-weakness/


Researchers from Tsinghua University and the University of California, Riverside presented a technique that, once again, makes cache poisoning feasible.

Their method exploits a side channel that identifies the port number used in a lookup request.

Once the attackers know the number, they once again stand a high chance of successfully guessing the transaction ID.
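As an added illustration (not code from this page, the paper, or any of the linked projects), the following Python model shows the checks a resolver applies before it accepts a response: the datagram must arrive on the randomized ephemeral source port of an outstanding query, carry that query's 16-bit transaction ID, and echo its question. The class and function names, the wire-format helpers, and the use of Python's `random` module as the entropy source are assumptions made for this example. `guess_space` states the consequence of the paragraphs above in code: while the port is hidden an off-path sender must cover 2^32 (port, ID) pairs; once a side channel reveals the port, only the 2^16 IDs remain.

```python
import random
import struct

EPHEMERAL_LOW, EPHEMERAL_HIGH = 1024, 65535   # RFC 6056: choose unpredictably within the ephemeral range


def encode_name(qname):
    """Encode a dotted name such as "example.com." as DNS wire-format labels."""
    out = b""
    for label in qname.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_message(txid, qname, qtype=1, response=False):
    """Build a minimal DNS message: 12-byte header plus one IN-class question."""
    flags = 0x8180 if response else 0x0100        # QR|RD|RA for an answer, RD for a query
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_message(pkt):
    """Return (txid, is_response, qname, qtype) from the header and question section."""
    txid, flags = struct.unpack("!HH", pkt[:4])
    off, labels = 12, []
    while pkt[off] != 0:
        n = pkt[off]
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    qtype = struct.unpack("!H", pkt[off + 1:off + 3])[0]
    return txid, bool(flags & 0x8000), ".".join(labels) + ".", qtype


class Resolver:
    """Outstanding-query table keyed by (source port, transaction ID). Assumed model, not BIND/Unbound code."""

    def __init__(self, rng=None):
        self.rng = rng or random.SystemRandom()   # unpredictable source for port and ID
        self.pending = {}

    def send_query(self, qname, qtype=1):
        """Pick a random ephemeral port and 16-bit ID, remember them, return (port, query bytes)."""
        port = self.rng.randint(EPHEMERAL_LOW, EPHEMERAL_HIGH)
        txid = self.rng.randrange(1 << 16)
        self.pending[(port, txid)] = (qname, qtype)
        return port, build_message(txid, qname, qtype)

    def accept(self, dst_port, pkt):
        """Accept a datagram only if port, ID and question all match an open query."""
        txid, is_response, qname, qtype = parse_message(pkt)
        key = (dst_port, txid)
        if not is_response or self.pending.get(key) != (qname, qtype):
            return False
        del self.pending[key]       # first matching answer wins; later candidates are dropped
        return True


def guess_space(port_known):
    """Number of (port, ID) combinations an off-path sender must cover to hit one query."""
    return (1 << 16) if port_known else (1 << 32)
```

Two details matter for the defender. First, a datagram that reaches a port with no listener is not silently discarded by the host: the kernel answers it with an ICMP port-unreachable error, and the rate limiting of those errors is what the paper turns into a side channel for telling open and closed ports apart, so the randomization in `send_query` is only as good as the host's silence about which port is open. Second, `accept` deletes the pending entry on the first match, so once the genuine answer is in the cache, later candidates for the same query have nothing to match.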

Port Inference: Ephemeral Port

https://www.rfc-editor.org/rfc/rfc6056.txt

1.2. Proof of Concept

https://789498207.www.saddns.net/

Presentation: https://www.youtube.com/watch?v=Gogk3yEKnaI

https://www.saddns.net/slides.pdf

1.3. Paper

https://dl.acm.org/doi/pdf/10.1145/3372297.3417280

DNS Cache Poisoning Attack Reloaded: Revolutions with Side Channels

1 INTRODUCTION
2 CURRENT STATE OF DNS CACHE
2.1 State-of-the-Art Defenses
2.2 New Attack Surface in the DNS Hierarchy
3 ATTACK OVERVIEW
4 INFERRING DNS QUERY’S SOURCE PORT
4.1 Analysis of UDP Source Port Scannability
4.2 ICMP Rate Limit Challenge
4.3 Public-Facing Source Port Scan Method
4.4 Private Source Port Scan Method
4.5 Vulnerable DNS Forwarder and Resolver
5 EXTENDING THE ATTACK WINDOW
5.1 Extending Window in a Forwarder Attack
5.2 Extending Window in a Resolver Attack
6 PRACTICAL ATTACK CONSIDERATIONS
7 END-TO-END ATTACKS
7.1 Attacking a Forwarder (Home Router)
7.2 Attacking a Production Resolver
8 DISCUSSION
8.1 Defenses
9 RELATED WORK
10 CONCLUSION
11 ACKNOWLEDGMENT


ABSTRACT

In this paper, we report a series of flaws in the software stack that lead to a strong revival of DNS cache poisoning — a classic attack which is mitigated in practice with simple and effective randomization-based defenses such as randomized source port.

To successfully poison a DNS cache on a typical server, an off-path adversary would need to send an impractical number of 2^32 spoofed responses simultaneously guessing the correct source port (16-bit) and transaction ID (16-bit).

Surprisingly, we discover weaknesses that allow an adversary to “divide and conquer” the space by guessing the source port first and then the transaction ID (leading to only 2^16 + 2^16 spoofed responses).

Even worse, we demonstrate a number of ways an adversary can extend the attack window which drastically improves the odds of success.

The attack affects all layers of caches in the DNS infrastructure, such as DNS forwarder and resolver caches, and a wide range of DNS software stacks, including the most popular BIND, Unbound, and dnsmasq, running on top of Linux and potentially other operating systems.

The major condition for a victim being vulnerable is that an OS and its network is configured to allow ICMP error replies.

From our measurement, we find over 34% of the open resolver population on the Internet are vulnerable (and in particular 85% of the popular DNS services including Google’s 8.8.8.8).

Furthermore, we comprehensively validate the proposed attack with positive results against a variety of server configurations and network conditions that can affect the success of the attack, in both controlled experiments and a production DNS resolver (with authorization).
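Section 4 of the paper infers the query's source port by probing the resolver's UDP ports and observing the ICMP error rate limit. From the defender's side that inference has a recognisable traffic shape: one remote address sending UDP datagrams to a great many distinct ports on the resolver within a second or so. The Python detector below, added here as an example and not taken from the paper or any linked tool, runs a per-source sliding window over constructed flow records (documentation-range addresses; the record format, the window and threshold values, and the function names are all assumptions) and flags that shape. It complements, rather than replaces, removing the precondition the abstract names: a resolver host that does not emit ICMP error replies for unsolicited datagrams gives the probe nothing to measure.

```python
from collections import Counter, defaultdict, deque


def make_sample_log():
    """Constructed flow records "<epoch> <src> <dst> <dport> <proto>"; not real traffic."""
    lines = []
    # A busy ordinary client: 300 queries, always to port 53.
    for i in range(300):
        lines.append(f"{1605400000 + i * 0.002:.3f} 203.0.113.9 192.0.2.53 53 udp")
    # A slow touch of 50 ports spread over 10 s: never many distinct ports per window.
    for i in range(50):
        lines.append(f"{1605400000 + i * 0.2:.3f} 203.0.113.77 192.0.2.53 {30000 + i} udp")
    # One source sweeping 300 distinct UDP ports within about half a second.
    for i in range(300):
        lines.append(f"{1605400000.3 + i * 0.0015:.3f} 198.51.100.7 192.0.2.53 {40000 + i} udp")
    # The same source also opens a TCP connection; the detector only counts UDP.
    lines.append("1605400000.500 198.51.100.7 192.0.2.53 443 tcp")
    return sorted(lines, key=lambda line: float(line.split()[0]))


def parse_line(line):
    """Split one record into (ts, src, dst, dport, proto)."""
    ts, src, dst, dport, proto = line.split()
    return float(ts), src, dst, int(dport), proto


def detect_port_scans(lines, resolver_ip, window=1.0, threshold=100):
    """Return {src: (ts_triggered, distinct_ports)} for each source whose UDP datagrams
    to resolver_ip touched at least `threshold` distinct ports within any `window` seconds."""
    recent = defaultdict(deque)      # src -> deque of (ts, dport) still inside the window
    live = defaultdict(Counter)      # src -> dport -> hits inside the window
    alerts = {}
    for line in lines:
        ts, src, dst, dport, proto = parse_line(line)
        if dst != resolver_ip or proto != "udp":
            continue
        q, c = recent[src], live[src]
        q.append((ts, dport))
        c[dport] += 1
        # Expire records older than the window and forget ports no longer represented.
        while q and ts - q[0][0] > window:
            old_ts, old_port = q.popleft()
            c[old_port] -= 1
            if c[old_port] == 0:
                del c[old_port]
        if len(c) >= threshold and src not in alerts:
            alerts[src] = (ts, len(c))   # report once per source, at the first crossing
    return alerts


if __name__ == "__main__":
    for src, (ts, ports) in detect_port_scans(make_sample_log(), "192.0.2.53").items():
        print(f"{src}: {ports} distinct UDP ports within 1 s at {ts:.3f}")
```

The threshold separates the two benign patterns from the sweep: the busy client only ever touches port 53, so its distinct-port count stays at one however many queries it sends, and the slow source never has more than a handful of ports inside any one-second window. Where the resolver logs outgoing ICMP port-unreachable messages, the same window logic can be applied to those instead of to the inbound datagrams.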

MoinQ: DNS/毒盛/2020 (last edited 2021-11-28 23:36:06 by ToshinoriMaeno)