1. How has DNS cache poisoning returned?

To prevent DNS cache poisoning attacks, source port randomization was implemented.

This means that even if an attacker could eventually guess one of the 65,536 transaction IDs specified by your device in a DNS request, they would not know where to send the forged DNS response, because the device making the DNS lookup now does so from a randomized port (which in theory also has 65,536 values) instead of port 53.

This made it virtually impossible to carry out DNS cache poisoning attacks via Kaminsky's method, given the billions of possibilities.

2. New attack

But researchers at Tsinghua University and the University of California published a method which takes advantage of a side-channel attack to deduce the source port number of the DNS client.

With the source port out of the bag, it once again becomes possible to conduct Kaminsky's DNS cache poisoning attack by guessing the transaction IDs as described above.

Guessing the source port becomes possible because of how the Linux kernel handles ICMP requests (think ping or tracert).

3. ICMP

To save bandwidth, the rate limiter built into Linux caps the number of incoming requests it answers at 1,000 per second by default and uses a counter to keep track of them.

For every request received at a closed port on a Linux-based server, the counter decrements by 1 and the server responds with "unreachable."

So if, within one second, you sent 1,000 packets to different random ports on a server, all of which were closed, the server would stop answering you for the rest of that second.

But this would also tell you that all 1,000 of your guesses for which port could be open were incorrect.

Interestingly, the counter does not decrement for requests received at a valid, open port, and of course no "unreachable" is sent by the server for them either.

This means that every second an attacker could flood a DNS resolver with 1,000 spoofed packets destined for random ports.

In this manner, in a matter of seconds, the attacker can deduce which ports are open on the DNS resolver they are trying to poison.

With the knowledge of the right port, they can then re-exploit Kaminsky's bug to carry out DNS poisoning attacks.
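The following is an added simulation, not code from the original article or from the researchers, of the shared ICMP error budget described in this section. It models one second of traffic against a toy host (class and function names are invented here) to show why a fixed per-second counter leaks whether a probed port is open, and how randomizing that limit each second (the mitigation the Linux kernel later adopted) makes a single measurement unreliable.

```python
import random

DEFAULT_ICMP_LIMIT = 1000  # per-second ICMP error budget, the Linux default cited in the text


class Host:
    """Toy model of a Linux host: a set of open UDP ports plus ONE shared per-second
    budget of ICMP 'port unreachable' replies. Names and structure are invented here."""

    def __init__(self, open_ports, limit=DEFAULT_ICMP_LIMIT, rng=None):
        self.open_ports = set(open_ports)
        self.limit = limit
        self.rng = rng  # when set, the budget is re-drawn at random every second
        self.new_second()

    def new_second(self):
        # A randomized budget (here uniform in [limit/2, 2*limit]) models the
        # mitigation of making the global limit unpredictable to a remote sender.
        self.budget = self.rng.randint(self.limit // 2, 2 * self.limit) if self.rng else self.limit

    def receive_udp(self, port):
        """Return True if the host emits an ICMP 'unreachable' for this packet."""
        if port in self.open_ports:
            return False  # delivered to a socket: no ICMP error, budget untouched
        if self.budget == 0:
            return False  # budget exhausted: the error is silently suppressed
        self.budget -= 1
        return True


def budget_leaks_open_port(host, probe_ports, verify_port):
    """One second of the side channel from the text against the model: probes to
    `probe_ports` (replies to spoofed probes never reach the sender), then a single
    probe from the sender's own address to `verify_port`, which is known to be closed.
    Under a fixed budget the last probe is answered only if some probe hit an open port."""
    host.new_second()
    for p in probe_ports:
        host.receive_udp(p)
    return host.receive_udp(verify_port)


def demo():
    closed_probes = list(range(10000, 11000))   # constructed window: 1,000 ports, none open
    one_open = [40000] + closed_probes[1:]      # same size window, one port (40000) is open
    fixed = Host(open_ports={40000})
    results = {
        "fixed_all_closed": budget_leaks_open_port(fixed, closed_probes, 1),
        "fixed_one_open": budget_leaks_open_port(fixed, one_open, 1),
    }
    # With a randomized budget the verification probe is often answered even though
    # every probed port was closed: count such false positives over 100 seconds.
    results["randomized_false_positive_seeds"] = sum(
        budget_leaks_open_port(Host({40000}, rng=random.Random(s)), closed_probes, 1)
        for s in range(100))
    return results
```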

4. History



MoinQ: DNS/毒盛/2020/bleeping (last edited 2020-11-14 22:54:57 by ToshinoriMaeno)