2020/saddns.net/3

Contents

  1. 2020/saddns.net/3
  2. 3 ATTACK OVERVIEW
    1. Threat Model.
    2. Attack Workflow.
    3. 1○ Inferring source port.
    4. 2○ Extending attack window.

/3   /4   /5   /8.1   /CVE-2020-25705   /cloudflare   /knot-resolver   /sections   /slashdot   /zdnet   /対策   /調査  

3 ATTACK OVERVIEW

We propose a general and novel attack, applicable to all modern DNS software stack, influencing all layers of DNS caching.

The key characteristic is that it defeats the most effective and commonly deployed defense — randomization of source port.

Threat Model.

In this paper, we focus on the attacks against DNS forwarders and resolvers due to their high impact.

Similar to the classic DNS cache poisoning attack, we assume the attacker is off-path (not able to eavesdrop traffic between a forwarder and resolver), and capability of IP spoofing.

According to a recent study in 2019 [47], 30.5% of ASes do not block packets with spoofed source IP addresses.

In practice, an attacker only needs to find one node that can spoof IPs to carry out the attack.

To demonstrate the ease of this, we rented a bullet-proof-hosting node specifically publicly advertised as IP-spoofing-capable ($50/month with unlimited data) and found that it indeed can spoof “arbitrary IPs”.

In addition, the attacker needs to control a machine that is able to trigger a request out of a forwarder or resolver. In the case of a forwarder attack, this can happen when the attacker is located in a LAN managed by a wireless router. For example, an attacker can join a public wireless network in a coffee shop, a shopping mall, or an airport.

The attacker can also control a puppet whose sole responsibility is to query the forwarder to launch the attack if direct access to the LAN is impossible.

In a resolver attack, this can include any network (enterprise, organization, or institution) where the attacker is an insider or owns a compromised machine. Moreover, any public resolvers on the Internet also satisfy the requirement.

Attack Workflow.

Regardless of a forwarder or resolver, as illusrated in Figure 2, our newly proposed attacks always start from triggering either one to send a DNS query, followed by two key steps as outlined below:

1○ Inferring source port.

To overcome the randomization of source port, we leverage a novel and universal side channel in networking stacks to scan and discover which source ports were used to initiate a DNS query, at a speed of at most 1,000 guesses per second.

../4 で説明する。

2○ Extending attack window.

Normally an outstanding query will receive a reply from the upstream server in a matter of tens or hundreds of milliseconds. This is insufficient, given that the attacker needs time to infer the source port and to inject rogue DNS replies.

We discover effective and novel strategies (different for forwarder and resolver attack) that can greatly extend the attack window to at least seconds (and even more than 10s), allowing realistic cache poisoning opportunities. We will discuss this in §5. 

Once the source port number is known, the attacker simply
injects a large number of spoofed DNS replies bruteforcing the TxIDs, 
which can be done in high speed, given that most servers
have sufficient network bandwidth.

../5 で説明する。

MoinQ: DNS/毒盛/2020/saddns.net/3 (last edited 2020-11-23 09:23:33 by ToshinoriMaeno)