## page was renamed from DNS/毒盛/2020
= DNS/毒盛/2020 =

== saddns.net ==
[[/saddns.net]] [[/対策]]

A technique that uses a side channel to identify the source port from which a query was sent: it neutralizes source port randomization.

I would rather not call this the return of cache poisoning, but it is a threat. -- ToshinoriMaeno

https://www.isc.org/blogs/2020-saddns/
https://arstechnica.com/information-technology/2020/11/researchers-find-way-to-revive-kaminskys-2008-dns-cache-poisoning-attack/

The "Cache poisoning redux" section explains the method used to guess the open port.

DNS cache poisoning, the Internet attack from 2008, is back from the dead
DNS cache poisoning attacks return due to Linux weakness [[/bleeping]]
https://www.bleepingcomputer.com/news/security/dns-cache-poisoning-attacks-return-due-to-linux-weakness/
----
researchers from Tsinghua University and the University of California, Riverside presented a technique that, once again, makes cache poisoning feasible.
{{{
Their method exploits a side channel that identifies the port number used in a lookup request.
}}}
Once the attackers know the number, they once again stand a high chance of successfully guessing the transaction ID.

Port Inference: Ephemeral Port https://www.rfc-editor.org/rfc/rfc6056.txt

== Proof of Concept ==
https://789498207.www.saddns.net/

Presentation: https://www.youtube.com/watch?v=Gogk3yEKnaI
https://www.saddns.net/slides.pdf

== Paper ==
https://dl.acm.org/doi/pdf/10.1145/3372297.3417280
DNS Cache Poisoning Attack Reloaded: Revolutions with Side Channels
{{{
1 INTRODUCTION
2 CURRENT STATE OF DNS CACHE
2.1 State-of-the-Art Defenses
2.2 New Attack Surface in the DNS Hierarchy
3 ATTACK OVERVIEW
4 INFERRING DNS QUERY'S SOURCE PORT
4.1 Analysis of UDP Source Port Scannability
4.2 ICMP Rate Limit Challenge
4.3 Public-Facing Source Port Scan Method
4.4 Private Source Port Scan Method
4.5 Vulnerable DNS Forwarder and Resolver
5 EXTENDING THE ATTACK WINDOW
5.1 Extending Window in a Forwarder Attack
5.2 Extending Window in a Resolver Attack
6 PRACTICAL ATTACK CONSIDERATIONS
7 END-TO-END ATTACKS
7.1 Attacking a Forwarder (Home Router)
7.2 Attacking a Production Resolver
8 DISCUSSION
8.1 Defenses
9 RELATED WORK
10 CONCLUSION
11 ACKNOWLEDGMENT
}}}
----
ABSTRACT

In this paper, we report a series of flaws in the software stack that leads to a strong revival of DNS cache poisoning — a classic attack which is mitigated in practice with simple and effective randomization-based defenses such as randomized source port. To successfully poison a DNS cache on a typical server, an off-path adversary would need to send an impractical number of 2^32^ spoofed responses simultaneously guessing the correct source port (16-bit) and transaction ID (16-bit).
{{{
Surprisingly, we discover weaknesses that allow an adversary to "divide and conquer" the space by guessing the source port first and then the transaction ID (leading to only 2^16^ + 2^16^ spoofed responses). Even worse, we demonstrate a number of ways an adversary can extend the attack window which drastically improves the odds of success.
}}}
The attack affects all layers of caches in the DNS infrastructure, such as DNS forwarder and resolver caches, and a wide range of DNS software stacks, including the most popular BIND, Unbound, and dnsmasq, running on top of Linux and potentially other operating systems. The major condition for a victim being vulnerable is that an OS and its network is configured to allow ICMP error replies. From our measurement, we find over 34% of the open resolver population on the Internet are vulnerable (and in particular 85% of the popular DNS services including Google's 8.8.8.8). Furthermore, we comprehensively validate the proposed attack with positive results against a variety of server configurations and network conditions that can affect the success of the attack, in both controlled experiments and a production DNS resolver (with authorization).