1. DNS/毒盛/2021/UCR

/CVE-2021-20322 /フラグメント緩和策

query source port を推測するための新手法が公表された。 DNS/毒盛/2020/saddns.net の新版

-- ToshinoriMaeno 2021-11-19 01:28:30



1.1. UC Riverside 発表


DNS Cache Poisoning Attack: Resurrections with Side Channels

Keyu Man, Xin'an Zhou, Zhiyun Qian

In Proceedings of ACM Conference on Computer and Communications Security (CCS`21), November 15-19, 2021, Virtual Event, Republic of Korea.


https://arstechnica.com/gadgets/2021/11/dan-kaminskys-dns-cache-poisoning-attack-is-back-from-the-dead-again/ /letter




• A novel side channel from next hop exception cache
• ICMP-based port scan
• Poison the cache of DNS in minutes
• Update Linux kernel to mitigate the attack

1.2. ICMP-based port scan


from next hop exception https://www.cisco.com/c/ja_jp/support/docs/ios-nx-os-software/nx-os-software/213841-understanding-icmp-redirect-messages.html

IPv6の方が危ないような話。-- ToshinoriMaeno 2021-11-18 14:27:03

DNS is one of the fundamental and ancient protocols on the Internet
that supports many network applications and services. Unfortu-
nately, DNS was designed without security in mind and is subject
to a variety of serious attacks, one of which is the well-known DNS
cache poisoning attack. Over the decades of evolution, it has proven
extraordinarily challenging to retrofit strong security features into

To date, only weaker versions of defenses based on the principle
of randomization have been widely deployed, e.g., the randomiza-
tion of UDP ephemeral port number, making it hard for an off-path
attacker to guess the secret. 

However, as it has been shown recently,
such randomness is subject to clever network side channel attacks,
which can effectively derandomize the ephemeral port number.

In this paper, we conduct an analysis of the previously over-
looked attack surface, and are able to uncover even stronger side
channels that have existed for over a decade in Linux kernels. 

The side channels affect not only Linux but also a wide range of DNS
software running on top of it, including BIND, Unbound and dnsmasq. 
We also find about 38% of open resolvers (by frontend IPs)
and 14% (by backend IPs) are vulnerable including the popular DNS
services such as OpenDNS and Quad9. 
We have extensively validated the attack experimentally under realistic configuration and
network conditions and showed that it works reliably and fast.

This paper presents novel side channels during the process of han-
dling ICMP errors, a previously overlooked attack surface. We find
that side channels can be exploited to perform high-speed off-path
UDP ephemeral port scans. By leveraging this, the attacker could
effectively poison the cache of a DNS server in minutes. We show
that side channels affect many open resolvers and thus have serious
impacts. Finally, we present mitigations against the discovered side

ICMP errorをサイドチャネルに使うことで、query送信ポートを特定できる。 これによりDNSキャッシュサーバー毒盛を数分で成功させられるはずだ。

Moin2Qmail: DNS/毒盛/2021/UCR (last edited 2021-11-25 04:56:51 by ToshinoriMaeno)