1. DNS/毒盛/2020/saddns.net/対策 (DNS / cache poisoning / 2020 / saddns.net / countermeasures)

Shared resolvers will need some kind of countermeasure. -- ToshinoriMaeno 2020-11-17 00:17:58

There are three kinds of actions that could be taken to mitigate the attack:

    Destroy the side channel
        Disable outgoing ICMP
        Randomize ICMP global rate limit (used by Linux)
    Add more secrets to DNS messages
        DNSSEC
        0x20 encoding
        DNS cookie
    Reduce the attack window
        Reduce the timeout for outstanding queries

CVE-2020-25705, 2020-11-13: https://access.redhat.com/security/cve/cve-2020-25705

Stop sending ICMP type 3, code 3 (port unreachable) replies. (Can they actually be stopped?)

1.1. DNS Cookies

A proposal seen on slashdot.org: use DNS Cookies, and switch to TCP when they cannot be used. -- ToshinoriMaeno 2020-11-17 00:15:47

It does require using DNS COOKIE and falling back to TCP 
when the server doesn't support DNS COOKIE.

RFC 7873 says the same: https://tools.ietf.org/html/rfc7873

Where DNS Cookies are not available but TCP is, falling back to using TCP is reasonable.
If only one party to a DNS transaction supports DNS Cookies, the mechanism does not provide a benefit or significantly interfere, but if both support it, the ..

DNS Transport over TCP - Operational Requirements draft-ietf-dnsop-dns-tcp-requirements-04 2019 https://tools.ietf.org/id/draft-ietf-dnsop-dns-tcp-requirements-04.xml
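An added example (not from this page, slashdot, or the RFC) showing the pieces of the proposal above in Python: building and parsing the EDNS(0) COOKIE option (option code 10, RFC 7873), an illustrative server-cookie function, and the resolver-side decision. RFC 7873 leaves the choice of server-cookie function to the server, so the HMAC-SHA256 construction here is an assumption, as are the secret, the client address and the cookies, which are constructed inline. The decision logic is: accept the UDP response when the server echoed our client cookie, fall back to TCP when the server returned no cookie at all (it does not support the option), and ignore the response when a cookie is present but does not match, as RFC 7873 requires.

```python
"""EDNS(0) COOKIE option (RFC 7873) as a resolver would use it, with the
TCP fallback for servers that do not support cookies.
Constructed example; the server-cookie function is illustrative only."""
import hashlib
import hmac
import os
import struct

OPT_TYPE = 41                # OPT pseudo-RR type
COOKIE_OPTION_CODE = 10      # EDNS option code assigned to COOKIE
UDP_PAYLOAD_SIZE = 1232      # carried in the CLASS field of the OPT RR


def build_opt_rr(options):
    """Encode an OPT RR: root name, TYPE 41, CLASS = UDP payload size,
    TTL = extended RCODE/version/flags (all zero here), RDLEN, options."""
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data
                     for code, data in options)
    return (b"\x00" + struct.pack("!HHIH", OPT_TYPE, UDP_PAYLOAD_SIZE, 0, len(rdata))
            + rdata)


def parse_opt_rr(rr):
    """Decode an OPT RR produced by build_opt_rr; returns {option code: data}."""
    if rr[:1] != b"\x00":
        raise ValueError("OPT RR must carry the root name")
    rtype, _size, _ttl, rdlen = struct.unpack("!HHIH", rr[1:11])
    if rtype != OPT_TYPE:
        raise ValueError("not an OPT RR")
    rdata, options, pos = rr[11:11 + rdlen], {}, 0
    while pos < len(rdata):
        code, length = struct.unpack("!HH", rdata[pos:pos + 4])
        options[code] = rdata[pos + 4:pos + 4 + length]
        pos += 4 + length
    return options


def new_client_cookie():
    """RFC 7873: the client cookie is exactly 8 unpredictable bytes."""
    return os.urandom(8)


def server_cookie(secret, client_ip, client_cookie):
    """Illustrative server cookie (assumption, not mandated by RFC 7873):
    16 bytes of HMAC-SHA256 over the client's address and client cookie.
    The RFC allows 8..32 bytes and leaves the function to the server."""
    msg = client_ip.encode() + client_cookie
    return hmac.new(secret, msg, hashlib.sha256).digest()[:16]


def cookie_option(client_cookie, srv_cookie=b""):
    """The COOKIE option data is client cookie || optional server cookie."""
    return (COOKIE_OPTION_CODE, client_cookie + srv_cookie)


def check_response_cookie(response_options, sent_client_cookie):
    """Resolver decision for a UDP response to a query that carried a cookie.
    'accept'       : server echoed our client cookie, so the response is bound
                     to our query by 64 more secret bits than ID + source port.
    'fallback_tcp' : no COOKIE option at all, the server does not support it;
                     per the proposal above, re-ask over TCP.
    'drop'         : a COOKIE option whose client cookie does not match ours
                     (forged or replayed); RFC 7873 says to ignore it."""
    data = response_options.get(COOKIE_OPTION_CODE)
    if data is None:
        return "fallback_tcp"
    if not 16 <= len(data) <= 40 or data[:8] != sent_client_cookie:
        return "drop"
    return "accept"


if __name__ == "__main__":
    secret, ip, cc = b"server-secret", "192.0.2.1", new_client_cookie()   # constructed
    query = build_opt_rr([cookie_option(cc)])
    echoed = parse_opt_rr(query)[COOKIE_OPTION_CODE][:8]
    reply = build_opt_rr([cookie_option(echoed, server_cookie(secret, ip, echoed))])
    print(check_response_cookie(parse_opt_rr(reply), cc))
    print(check_response_cookie(parse_opt_rr(build_opt_rr([])), cc))
    forged = build_opt_rr([cookie_option(bytes(8), bytes(8))])   # attacker guesses
    print(check_response_cookie(parse_opt_rr(forged), cc))
```

The point for SAD DNS is the last branch: an attacker who has learned the source port through the ICMP side channel and is brute-forcing the 16-bit ID still has to guess the 64-bit client cookie, and a server that never returns a cookie is handled by moving that transaction to TCP rather than by accepting unauthenticated UDP.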

1.2. Stopping ICMP port unreachable

https://www.infraexpert.com/info/5.0adsl.htm

https://twitter.com/tss_ontap_o/status/1327776449273556992?s=20

net.inet.udp.blackhole=1 or

ipfw add 1 deny log logamount 1000 icmp from me to any icmptypes 3 

Workaround (SUSE)

Sample iptables rules:

iptables -A OUTPUT -p icmp --icmp-type port-unreachable -j DROP
ip6tables -A OUTPUT -p ipv6-icmp --icmp-type port-unreachable -j DROP

This might however restrict network functionality.

https://twitter.com/beyondDNS/status/1327776518731309056?s=20

https://twitter.com/jedisct1/status/1326921483692732416?s=20

edgedns was never vulnerable to this “new” DNS cache poisoning attack. 
Back in 2012 I also wrote a kernel patch specifically to avoid this (https://sk.tl/4PC5ueLo). 
Resolvers should not send ICMP port unreachable messages to auth servers,
it does more harm than good.
1:15 AM · 2020-11-13

https://download.pureftpd.org/misc/linux_udp_tcp_blackhole.diff

1.3. Linux kernel patch

Vary the number of ICMP messages that get sent out.

Another possible countermeasure is to not generate ICMP port unreachable at all, even when the limit has not been reached.
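The following simulation is an added example, not the kernel patch, the saddns.net authors' code or anything else from the sources cited on this page. It models the global ICMP rate limit as a per-second budget and shows why each "destroy the side channel" item from the list at the top works: with a fixed budget the attacker can tell whether a batch of spoofed probes hit the open source port; with no ICMP port unreachable at all (udp.blackhole / DROP of type 3 code 3) the signal disappears; with a randomized budget the signal is buried in false positives and false negatives. The budget of 50 per round, the ports assumed to be known closed, and the +-10 noise of the randomized variant are assumptions of the model (the Linux limiter is a token bucket with separate rate and burst parameters, not this simple counter).

```python
"""Model of the ICMP global rate-limit side channel and of the
"destroy the side channel" mitigations. Constructed simulation."""
import random

LIMIT = 50                               # assumption: ICMP budget per round
VERIFY_PORT = 1023                       # assumption: known closed on the resolver
PAD_PORTS = list(range(1, LIMIT + 1))    # assumption: 50 more ports known closed


class ResolverHost:
    """A resolver host with one open UDP source port (an outstanding query)."""

    def __init__(self, open_port, send_icmp=True, randomize=False, seed=1):
        self.open_port = open_port
        self.send_icmp = send_icmp    # False models udp.blackhole=1 / DROP type 3 code 3
        self.randomize = randomize    # True models a randomized global rate limit
        self.rng = random.Random(seed)
        self.new_second()

    def new_second(self):
        # The budget refills every round. The randomized variant draws it from
        # LIMIT-10..LIMIT+10 (a model of the idea, not the kernel's exact noise),
        # so the attacker can no longer exhaust it exactly.
        self.tokens = (self.rng.randint(LIMIT - 10, LIMIT + 10)
                       if self.randomize else LIMIT)

    def receive_udp(self, port):
        """Deliver a UDP datagram to `port`; True if an ICMP port unreachable
        would be emitted towards the datagram's source address."""
        if port == self.open_port or not self.send_icmp:
            return False
        if self.tokens > 0:
            self.tokens -= 1
            return True
        return False


def batch_signal(host, probe_ports, verify_port=VERIFY_PORT):
    """One attacker round: probes carrying spoofed source addresses, whose ICMP
    replies go to the spoofed address and are never seen, then one probe from
    the attacker's own address. Only that last reply is observable, and it only
    arrives if the spoofed probes left budget, i.e. at least one hit an open port."""
    host.new_second()
    for p in probe_ports:
        host.receive_udp(p)
    return host.receive_udp(verify_port)


def find_open_port(host, candidates, batch=LIMIT):
    """Attacker inference: scan `candidates` in batches, padding short batches
    with known-closed ports so that exactly `batch` ICMP replies would be
    generated if every probed port were closed, then bisect inside a positive
    batch. Returns the guessed port, or None if no batch ever looked positive."""
    for i in range(0, len(candidates), batch):
        chunk = candidates[i:i + batch]
        if not batch_signal(host, chunk + PAD_PORTS[:batch - len(chunk)]):
            continue
        while len(chunk) > 1:
            half = chunk[:len(chunk) // 2]
            if batch_signal(host, half + PAD_PORTS[:batch - len(half)]):
                chunk = half
            else:
                chunk = chunk[len(half):]
        return chunk[0]
    return None


def false_positive_rate(host, trials=200):
    """Fraction of all-closed batches that still look positive to the attacker."""
    hits = sum(batch_signal(host, PAD_PORTS[:LIMIT]) for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    ports = list(range(1024, 65536))
    print("fixed limit :", find_open_port(ResolverHost(40000), ports))
    print("no ICMP     :", find_open_port(ResolverHost(40000, send_icmp=False), ports))
    rnd = ResolverHost(40000, randomize=True)
    print("randomized  :", find_open_port(rnd, ports),
          "false positive rate", false_positive_rate(rnd))
```

Read against the list at the top: disabling outgoing ICMP removes the observable bit entirely; randomizing the limit keeps the bit but makes it unreliable, so an all-closed batch can look positive and a batch containing the open port can look negative; the third family (more secrets, cookies or 0x20) leaves the port leak alone and instead makes knowing the port insufficient.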

MoinQ: DNS/毒盛/2020/saddns.net/対策 (last edited 2020-11-22 05:50:33 by ToshinoriMaeno)