A team of researchers from the University of California and Tsinghua University has identified a set of critical security flaws that could revive DNS cache poisoning attacks.
The technique, dubbed SAD DNS (short for Side-channel AttackeD DNS), lets an off-path attacker redirect all traffic originally destined for a particular domain to a server under their control, so that connections can be eavesdropped on and tampered with.
The researchers describe it as an important milestone: the first weaponized network side-channel attack, with serious security consequences. In a successful attack, the attacker injects a malicious DNS record into the resolver's cache.
The findings, tracked as CVE-2020-25705, were presented this week at the ACM Conference on Computer and Communications Security (CCS '20).
Affected systems include Linux 3.18-5.10, Windows Server 2019 (version 1809) and above, macOS 10.15 and above, and FreeBSD 12.1.0 and above.
DNS redirection becomes a new target
DNS resolvers typically cache the answers to IP address queries for a period of time to improve response performance on the network. But it is precisely this mechanism that can be abused to poison the cache: by forging the DNS records for a site's IP address, an attacker can redirect users trying to visit that site to another site of the attacker's choosing.
The effectiveness of such attacks has, however, been partially limited by protocols such as DNSSEC (Domain Name System Security Extensions), which secures the domain name system by adding cryptographic signatures to existing DNS records, and by randomization-based defenses, which have the DNS resolver use a different source port and transaction identifier (TxID) for each query.
The researchers noted that these two measures are far from universally deployed, for incentive and compatibility reasons, and explained that they have developed a side-channel attack that works against the most popular DNS software stacks, leaving public DNS resolvers such as Cloudflare's 1.1.1.1 and Google's 8.8.8.8 vulnerable.
Attack on the new side channel
A SAD DNS attack starts from a compromised machine on any network that can send requests to a DNS forwarder or resolver, for example a public wireless network run by a wireless router in a coffee shop, shopping mall, or airport.
It then uses a side channel in the network protocol stack to scan for and discover which source port was used to send a DNS query, and afterwards injects a large number of spoofed DNS responses while brute-forcing the TxID.
Specifically, the researchers used a channel present in the handling of domain name requests to narrow down the exact source port: they sent spoofed UDP packets, each with a different source IP address, to the victim server and inferred from the ICMP responses received (or not received) whether the spoofed probes had hit the right source port.
This port-scanning method achieves a rate of 1,000 ports per second, so enumerating all 65,536 ports takes a little over 60 seconds. Once the source port has been identified in this way, all the attacker has to do is insert a malicious IP address to divert the website's traffic and complete the DNS cache poisoning attack.
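The scanning phase described above leaves a signature on the resolver side: a burst of UDP packets aimed at many distinct ports of the resolver (from sources that may well be spoofed), followed by outbound ICMP port-unreachable replies running close to the kernel's 1,000 per second ceiling. The following detector is an added example, not code from the article or the researchers' own tool. It assumes a constructed one-packet-per-line log format (`<epoch> <proto> <src> <sport> <dst> <dport> [type/code]`) and assumed thresholds (50 distinct ports per second, 900 unreachables per second) that a defender would tune to their own resolver's traffic.

```python
"""Detection heuristic for the port-scanning phase of SAD DNS.

Added example (not from the article or the research team). Log format and
thresholds below are assumptions, chosen for illustration.
"""
from collections import Counter, deque
from dataclasses import dataclass
from typing import List, Optional

RESOLVER_IP = "192.0.2.53"      # constructed resolver address (RFC 5737 TEST-NET-1)
SCAN_WINDOW_SEC = 1.0           # assumed sliding window for the distinct-port check
SCAN_PORT_THRESHOLD = 50        # assumed: distinct UDP dst ports on the resolver per window
ICMP_BURST_THRESHOLD = 900      # assumed: unreachables/sec, close to the 1000/s ceiling


@dataclass(frozen=True)
class Packet:
    ts: float
    proto: str      # "UDP" or "ICMP"
    src: str
    sport: int
    dst: str
    dport: int
    icmp: str = ""  # "type/code" for ICMP lines; "3/3" is destination/port unreachable


def parse_line(line: str) -> Optional[Packet]:
    """Parse one constructed log line; malformed lines yield None."""
    f = line.split()
    if len(f) < 6:
        return None
    try:
        return Packet(float(f[0]), f[1], f[2], int(f[3]), f[4], int(f[5]),
                      f[6] if len(f) > 6 else "")
    except ValueError:
        return None


def detect_port_scan(packets: List[Packet]) -> List[dict]:
    """Flag windows in which UDP traffic touches many distinct resolver ports.

    Grouping is by destination rather than source, because the probes'
    source addresses are spoofed and would spread across many 'clients'.
    """
    probes = sorted((p for p in packets if p.proto == "UDP" and p.dst == RESOLVER_IP),
                    key=lambda p: p.ts)
    window: deque = deque()
    alerts, in_alert = [], False
    for p in probes:
        window.append(p)
        while p.ts - window[0].ts > SCAN_WINDOW_SEC:
            window.popleft()
        distinct = {q.dport for q in window}
        if len(distinct) >= SCAN_PORT_THRESHOLD:
            if not in_alert:  # one alert per burst, raised at the first crossing
                alerts.append({"start": window[0].ts, "distinct_ports": len(distinct),
                               "top_sources": Counter(q.src for q in window).most_common(3)})
                in_alert = True
        else:
            in_alert = False
    return alerts


def detect_icmp_burst(packets: List[Packet]) -> List[int]:
    """Return the epoch seconds in which the resolver sent a burst of
    ICMP port-unreachable (type 3, code 3) messages."""
    per_sec = Counter(int(p.ts) for p in packets
                      if p.proto == "ICMP" and p.src == RESOLVER_IP and p.icmp == "3/3")
    return sorted(sec for sec, n in per_sec.items() if n >= ICMP_BURST_THRESHOLD)


def constructed_log() -> List[str]:
    """Constructed sample: benign queries, a scan-like burst, and the
    resolver's unreachable replies in the same second."""
    lines = [f"{1700000000 + i * 0.2:.3f} UDP 203.0.113.10 {40000 + i} {RESOLVER_IP} 53"
             for i in range(5)]
    for i in range(120):  # 120 distinct high ports hit within 0.6 s from two sources
        src = "198.51.100.7" if i % 2 else "198.51.100.9"
        lines.append(f"{1700000010 + i * 0.005:.3f} UDP {src} 53 {RESOLVER_IP} {30000 + i}")
    for i in range(950):  # replies to the (spoofed) probe sources
        lines.append(f"{1700000010 + i * 0.001:.3f} ICMP {RESOLVER_IP} 0 198.51.100.7 0 3/3")
    return lines


def run_demo() -> dict:
    packets = [p for p in map(parse_line, constructed_log()) if p is not None]
    return {"scan_alerts": detect_port_scan(packets),
            "icmp_burst_seconds": detect_icmp_burst(packets)}


if __name__ == "__main__":
    print(run_demo())
```

In production the two signals would be fed from flow records or a firewall log rather than this toy format; the point is that the scan is visible as distinct-port fan-out on the resolver and as an unreachable burst, independent of the spoofed probe sources.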
Mitigating SAD DNS attacks
In addition to demonstrating ways to extend the attack window so that the attacker can scan more ports and inject additional records to poison the DNS cache, the study found that more than 34% of open resolvers on the Internet are vulnerable, 85% of which belong to popular DNS services such as Google and Cloudflare.
To counter SAD DNS, the researchers recommend disabling outgoing ICMP responses and setting shorter timeouts for DNS queries.
The researchers have also developed a tool to check DNS servers for this vulnerability. The team additionally worked with the Linux kernel security team on a patch that randomizes the ICMP global rate limit in order to introduce noise into the side channel.
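The mitigations above translate into things a defender can check on a Linux resolver host: whether the kernel release falls in the range the article lists as affected, what the global ICMP rate limit sysctl is set to, and whether outbound ICMP port-unreachable messages are actually being dropped. The audit below is an added example, not the researchers' checking tool or the kernel patch. It assumes the 3.18-5.10 range from the article, the standard `iptables-save` spelling of a rule dropping ICMP type 3 code 3 on `OUTPUT`, and the `/proc/sys/net/ipv4/icmp_msgs_per_sec` and `icmp_ratelimit` sysctl files; the firewall text is passed in by the caller (for example, the output of `iptables-save`).

```python
"""Audit helper for the SAD DNS mitigations discussed in the article.

Added example; not the research team's tool and not the Linux fix itself.
Affected range taken from the article; everything else is an assumption
labelled below.
"""
import platform
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple

AFFECTED_MIN = (3, 18)       # from the article: Linux 3.18-5.10 listed as affected
AFFECTED_MAX = (5, 10)
DEFAULT_GLOBAL_LIMIT = 1000  # stock default for net.ipv4.icmp_msgs_per_sec
SYSCTL_KEYS = ("net.ipv4.icmp_msgs_per_sec", "net.ipv4.icmp_ratelimit")


def parse_release(release: str) -> Optional[Tuple[int, int]]:
    """'5.4.0-42-generic' -> (5, 4); None if the string has no major.minor."""
    m = re.match(r"(\d+)\.(\d+)", release)
    return (int(m.group(1)), int(m.group(2))) if m else None


def kernel_in_affected_range(release: str) -> bool:
    v = parse_release(release)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX


def drops_outbound_port_unreachable(iptables_save: str) -> bool:
    """True if some OUTPUT rule drops ICMP type 3 code 3 (port unreachable).
    Accepts the numeric '3/3' form iptables-save emits and the symbolic name."""
    for line in iptables_save.splitlines():
        if ("-A OUTPUT" in line and "-p icmp" in line and "-j DROP" in line
                and ("--icmp-type 3/3" in line or "port-unreachable" in line)):
            return True
    return False


def audit(release: str, sysctls: Dict[str, int], iptables_save: str) -> List[str]:
    """Return a list of findings; an empty list means nothing to report."""
    findings: List[str] = []
    affected = kernel_in_affected_range(release)
    if affected:
        findings.append(f"kernel {release} is in the range listed as affected (3.18-5.10); "
                        "confirm the ICMP global rate-limit randomization fix is present")
    limit = sysctls.get("net.ipv4.icmp_msgs_per_sec")
    if limit is not None and affected and limit == DEFAULT_GLOBAL_LIMIT:
        findings.append("net.ipv4.icmp_msgs_per_sec is the stock 1000/s; on an unpatched "
                        "kernel this fixed ceiling is exactly what the scan measures")
    if not drops_outbound_port_unreachable(iptables_save):
        findings.append("no OUTPUT rule drops ICMP port-unreachable (type 3/code 3); "
                        "outbound ICMP responses still expose the rate-limit state")
    return findings


def read_live_sysctls() -> Dict[str, int]:
    """Read the ICMP sysctls from /proc/sys; silently skips missing files
    (non-Linux hosts, restricted containers)."""
    out: Dict[str, int] = {}
    for key in SYSCTL_KEYS:
        path = Path("/proc/sys") / key.replace(".", "/")
        try:
            out[key] = int(path.read_text().strip())
        except (OSError, ValueError):
            pass
    return out


if __name__ == "__main__":
    import sys
    fw_text = sys.stdin.read() if not sys.stdin.isatty() else ""  # pipe iptables-save in
    for finding in audit(platform.release(), read_live_sysctls(), fw_text) or ["no findings"]:
        print("-", finding)
```

Usage: `iptables-save | python3 audit.py` on the resolver host. Note that a distribution kernel inside the listed range may already carry the fix as a backport, which is why the kernel finding asks for confirmation rather than declaring the host vulnerable.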
The study presents a new and general side channel based on the ICMP [global] rate limit, which is used universally by all modern operating systems, the researchers concluded. It allows UDP source ports in DNS queries to be scanned efficiently. Combined with methods to extend the attack window, this results in a powerful revival of the DNS cache poisoning attack.