New Side Channel Attacks Re-Enable Serious DNS Cache Poisoning Attacks
While prior methods, including SAD DNS, use UDP probes to determine whether a UDP port is open or closed, the newly discovered DNS cache poisoning attack instead exploits a side channel in the kernel's handling of ICMP error messages, i.e., ICMP "fragmentation needed" or ICMP redirect packets, which by design elicit no response, and uses that side channel as a yardstick to reach the same goal. "An attacker does not necessarily have to rely on the explicit feedback from an ICMP probe," the researchers noted. "Instead, even if the processing of ICMP probes is completely silent, as long as there is some shared resource whose state is influenced, we may find ways (other probes) to observe the changed state of the shared resource."
The central idea of the attack is to use the limited number of slots in the global next-hop exception cache, a 2048-bucket hash table, to discern whether an update has occurred following a batch of ICMP probes. The side channel also differs from SAD DNS in that it arises when processing incoming ICMP messages (as opposed to egress packets) and it "leverages the space resource limit (i.e., the space for storing the next hop exception cache is limited) while SAD DNS' side channel leverages the time resource limit (i.e., ICMP error generating rate is limited)."

The researchers propose a number of mitigations against the latest attack, such as randomizing the caching structure, rejecting ICMP redirect messages, and setting the socket option IP_PMTUDISC_OMIT, which instructs the underlying operating system not to accept ICMP fragmentation needed messages for that socket and therefore eliminates the side-channel-related processing in the kernel entirely.
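As an added illustration of the IP_PMTUDISC_OMIT mitigation (example code written for this page, not code from the paper or from any resolver project), the C program below sets the option on a UDP socket and reads it back so an operator can verify that the kernel actually accepted it. It assumes Linux, where the option has existed since kernel 3.15, and falls back to the kernel's constant value 5 when older headers do not define it.

```c
#include <stdio.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

/* Older libc headers may not define this constant; the Linux kernel
 * value is 5 (assumption, only used when the header lacks it). */
#ifndef IP_PMTUDISC_OMIT
#define IP_PMTUDISC_OMIT 5
#endif

/* Tell the kernel to ignore ICMP "fragmentation needed" messages for this
 * socket by setting IP_MTU_DISCOVER to IP_PMTUDISC_OMIT, then read the
 * option back. Returns the value the kernel now reports, or -1 on error. */
int harden_udp_socket(int fd) {
    int want = IP_PMTUDISC_OMIT;
    if (setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &want, sizeof want) < 0)
        return -1;
    int got = 0;
    socklen_t len = sizeof got;
    if (getsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &got, &len) < 0)
        return -1;
    return got;
}

/* Open a fresh UDP socket (the kind a resolver uses for upstream queries),
 * harden it, close it and return the value read back; -1 on any failure. */
int hardened_udp_socket_value(void) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    int got = harden_udp_socket(fd);
    close(fd);
    return got;
}

int main(void) {
    int got = hardened_udp_socket_value();
    if (got < 0) {
        perror("hardening UDP socket");
        return 1;
    }
    printf("IP_MTU_DISCOVER is now %d (%s)\n", got,
           got == IP_PMTUDISC_OMIT ? "IP_PMTUDISC_OMIT" : "not OMIT");
    return 0;
}
```

A resolver that manages its own sockets would call harden_udp_socket on every outbound UDP socket it creates; if the kernel is older than 3.15 the setsockopt call fails and the function returns -1, which is the signal to fall back to the other mitigations.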