1. DNS/毒盛/2021/UCR
query source port を推測するための新手法が公表された。 DNS/毒盛/2020/saddns.net の新版
- source port randomization では不足ということ。
-- ToshinoriMaeno 2021-11-19 01:28:30
1.1. UC Riverside 発表
https://www.cs.ucr.edu/~zhiyunq/pub/ccs21_dns_poisoning.pdf
DNS Cache Poisoning Attack: Resurrections with Side Channels
Keyu Man, Xin'an Zhou, Zhiyun Qian
In Proceedings of ACM Conference on Computer and Communications Security (CCS`21), November 15-19, 2021, Virtual Event, Republic of Korea.
- [PDF] [Slides] [Video]
https://twitter.com/pkqzy888/status/1461042249693683714?s=20
https://arstechnica.com/gadgets/2021/11/dan-kaminskys-dns-cache-poisoning-attack-is-back-from-the-dead-again/ /letter
https://twitter.com/jschauma/status/1461360730951749646?s=20
https://www.saddns.net/slides_1.pdf
Conclusion • A novel side channel from next hop exception cache • ICMP-based port scan • Poison the cache of DNS in minutes • Update Linux kernel to mitigate the attack
1.2. ICMP-based port scan
from next hop exception https://www.cisco.com/c/ja_jp/support/docs/ios-nx-os-software/nx-os-software/213841-understanding-icmp-redirect-messages.html
IPv6の方が危ないような話。-- ToshinoriMaeno 2021-11-18 14:27:03
DNS is one of the fundamental and ancient protocols on the Internet that supports many network applications and services. Unfortu- nately, DNS was designed without security in mind and is subject to a variety of serious attacks, one of which is the well-known DNS cache poisoning attack. Over the decades of evolution, it has proven extraordinarily challenging to retrofit strong security features into it. To date, only weaker versions of defenses based on the principle of randomization have been widely deployed, e.g., the randomiza- tion of UDP ephemeral port number, making it hard for an off-path attacker to guess the secret. However, as it has been shown recently, such randomness is subject to clever network side channel attacks, which can effectively derandomize the ephemeral port number. In this paper, we conduct an analysis of the previously over- looked attack surface, and are able to uncover even stronger side channels that have existed for over a decade in Linux kernels. The side channels affect not only Linux but also a wide range of DNS software running on top of it, including BIND, Unbound and dnsmasq. We also find about 38% of open resolvers (by frontend IPs) and 14% (by backend IPs) are vulnerable including the popular DNS services such as OpenDNS and Quad9. We have extensively validated the attack experimentally under realistic configuration and network conditions and showed that it works reliably and fast.
10 CONCLUSION This paper presents novel side channels during the process of han- dling ICMP errors, a previously overlooked attack surface. We find that side channels can be exploited to perform high-speed off-path UDP ephemeral port scans. By leveraging this, the attacker could effectively poison the cache of a DNS server in minutes. We show that side channels affect many open resolvers and thus have serious impacts. Finally, we present mitigations against the discovered side channels.
ICMP errorをサイドチャネルに使うことで、query送信ポートを特定できる。 これによりDNSキャッシュサーバー毒盛を数分で成功させられるはずだ。