DNS Cache Poisoning Attack Reloaded: Revolutions with Side Channels - PowerPoint PPT Presentation



SLIDE 1

DNS Cache Poisoning Attack Reloaded: Revolutions with Side Channels

Keyu Man, Zhiyun Qian, Zhongjie Wang, Xiaofeng Zheng†, Youjun Huang†, Haixin Duan†

SLIDE 2

Contents

  • Background
  • DNS Cache Poisoning
  • Part I: Infer Ephemeral Port
  • Part II: Extend Attack Window
  • Our Attacks
  • Defenses
  • Conclusion
  • Disclosure

SLIDE 3

DNS Cache Poisoning

(Diagram: Alice's Browser, the Resolver, the bank.com Nameserver (NS) at 5.6.7.8, and Trudy, the off-path attacker.)

  • Alice's Browser -> Resolver: www.bank.com IP=?
  • Resolver -> bank.com Nameserver (NS) 5.6.7.8: www.bank.com IP=?
  • NS 5.6.7.8 -> Resolver (genuine answer): www.bank.com IP=2.2.2.2
  • Trudy (Off-path), spoofing source 5.6.7.8 -> Resolver: www.bank.com IP=6.6.6.6
  • Cached Wrong record! If Trudy's forged response arrives before the genuine one and is accepted, the resolver caches www.bank.com IP=6.6.6.6 and answers Alice's Browser with it.

SLIDE 4

DNS Cache Poisoning

The forged response that Trudy (Off-path, spoofing 5.6.7.8) must get the Resolver to accept (www.bank.com IP=6.6.6.6):

  • IP Layer: Src: 5.6.7.8 (the NS), Dst: (resolver)
  • UDP Layer: Src Port: 53, Dst Port: ? (16 bit)
  • DNS Layer: TxID: ? (16 bit); Question: www.bank.com A ?; Answer: www.bank.com A 6.6.6.6, TTL=99999

The UDP Dst Port is the resolver's ephemeral port, i.e. the client port of its own query to the NS (Q: 12345->53, R: 53->12345). Off-path, Trudy sees neither the ephemeral port nor the TxID.

  • Traditional: 2^16 × 2^16 = 2^32 guesses (impossible in a short time)
  • Our Side Channel: infer the port first, then brute-force the TxID: 2^16 + 2^16 = 2^17, still on the order of 2^16
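The following is an added worked example, not code from the slides or from the authors: a minimal DNS wire-format builder together with a model of the checks a resolver applies before caching an answer, using the slide's constructed values (NS 5.6.7.8, ephemeral port 12345, www.bank.com answered with 6.6.6.6, TTL=99999). The `Resolver` class, the chosen TxID and the "cache the first accepted answer" behaviour are simplifying assumptions; the point it shows is that once the ephemeral port is known, only the 2^16 TxID values remain to be swept.

```python
import struct

# Added example (not the authors' code): a minimal DNS wire-format builder
# plus a model of the checks a resolver applies before caching. Constructed
# values follow slide 4: the genuine nameserver is 5.6.7.8, the resolver's
# query for www.bank.com left from ephemeral port 12345, and the attacker
# wants 6.6.6.6 cached with TTL=99999. The TxID and the "cache on first
# accepted answer" behaviour are simplifications for the model.
NS_IP = "5.6.7.8"
ATTACKER_ANSWER = "6.6.6.6"


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(pkt: bytes, off: int):
    """Decode an uncompressed name at `off`; returns (name, offset after it)."""
    labels = []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:
            raise ValueError("compression pointers are not used by this builder")
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n


def build_response(txid: int, qname: str, ip: str, ttl: int) -> bytes:
    """Header + one A question + one A answer, no name compression."""
    flags = 0x8180                        # QR=1 (response), RD=1, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    rdata = bytes(int(o) for o in ip.split("."))
    answer = encode_name(qname) + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


def parse_response(pkt: bytes):
    """Return (txid, qname, answer_ip, ttl) for a response built as above."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000 or qd != 1 or an != 1:
        raise ValueError("not a single-answer response")
    qname, off = decode_name(pkt, 12)
    off += 4                              # skip QTYPE/QCLASS of the question
    _, off = decode_name(pkt, off)        # answer owner name
    _, _, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    off += 10
    ip = ".".join(str(b) for b in pkt[off:off + rdlen])
    return txid, qname, ip, ttl


class Resolver:
    """One outstanding query and the matching rules for its answer."""

    def __init__(self, qname: str, ns_ip: str, sport: int, txid: int):
        self.pending = (qname, ns_ip, sport, txid)
        self.cache = {}

    def receive(self, src_ip: str, src_port: int, dst_port: int, pkt: bytes) -> bool:
        if self.pending is None:
            return False                  # nothing outstanding: ignored
        qname, ns_ip, sport, txid = self.pending
        # Off-path, the attacker has to match all of: NS address, source
        # port 53, the ephemeral (destination) port, the TxID and the question.
        if (src_ip, src_port, dst_port) != (ns_ip, 53, sport):
            return False
        rx_txid, rx_qname, ip, ttl = parse_response(pkt)
        if rx_txid != txid or rx_qname != qname:
            return False
        self.cache[qname] = (ip, ttl)
        self.pending = None
        return True


def brute_force_txid(resolver: Resolver, qname: str, known_port: int) -> int:
    """Attacker who already inferred the ephemeral port: only the 2^16 TxIDs
    remain. Returns how many forged responses were sent until one stuck."""
    for txid in range(1 << 16):
        pkt = build_response(txid, qname, ATTACKER_ANSWER, ttl=99999)
        if resolver.receive(NS_IP, 53, known_port, pkt):
            return txid + 1
    return -1


if __name__ == "__main__":
    r = Resolver("www.bank.com", NS_IP, sport=12345, txid=0xBEEF)
    # Without the port, the TxID sweep would have to be repeated per candidate port: 2^16 * 2^16.
    print("forgeries sent with the port known:", brute_force_txid(r, "www.bank.com", 12345))
    print("cache:", r.cache)
```

The sweep in `brute_force_txid` is the "2^16" half of the side-channel cost; a forged packet that carries the right TxID but the wrong destination port, or the right port from the wrong source address, is rejected before the DNS payload is even looked at.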

SLIDE 5

Contents

  • Background
  • Part I: Infer Ephemeral Port
      • Method I: Direct Scan (Refer to the Paper)
      • Method II: Side-channel-based Scan
  • Part II: Extend Attack Window
  • Our Attacks
  • Defenses
  • Conclusion
  • Disclosure

SLIDE 6

Port Inference: Basics

(Diagram: the Attacker sends UDP probes to the Resolver; the OS hands packets for a listening port to the APP and answers the rest itself.)

  • UDP dport=53: the resolver APP listens on 53, so the packet is delivered and nothing comes back
  • UDP dport=67: no socket is bound there, so the OS replies with ICMP port unreachable: "67 isn't open"

SLIDE 7

Port Inference: Ephemeral Ports

(Diagram: the Resolver has an outstanding DNS Query to the Nameserver from ephemeral port 1234, i.e. 1234->53.)

  • Attacker -> Resolver, UDP dport=1234: ICMP "1234 isn't open"
  • The port is in use, but the resolver's query socket is connected to the Nameserver's address, so a probe from the attacker's own address matches no socket and is answered as if the port were closed. Probing from the attacker's own IP therefore cannot tell an ephemeral port from a closed one.

SLIDE 8

Port Inference: IP Spoofing

(Diagram: the Attacker spoofs the Nameserver's address 5.6.7.8 when probing the Resolver.)

  • Spoofed UDP dport=1234 (src 5.6.7.8): matches the socket connected to the Nameserver, so no ICMP is generated
  • Spoofed UDP dport=5678 (src 5.6.7.8): ICMP "5678 isn't open"
  • Either way the ICMP is sent to 5.6.7.8, not to the attacker, so the attacker needs another signal to learn which case occurred

SLIDE 9

Port Inference: Side Channel

Off-Path TCP Exploits: Global Rate Limit Considered Dangerous (USENIX Security 2016)

  • ICMP Global Rate Limit: 50 ICMPs / 50 ms
  • Limits the ICMP sending rate
  • Shared by all IPs, so ICMPs consumed on behalf of one (spoofed) source are visible to any other source
SLIDE 10

Port Inference: How It Works

Each round is one 50 ms window: 50 UDP Probes spoofed from the Nameserver's address, then one Verification probe from the Attacker's own address to a port known to be closed.

Resolver with NO port open among the 50 probed:
  • 50 UDP Probes (Spoofed) -> 50 ICMPs to the Nameserver (never seen by the Attacker); Counter=50 -> Counter=50-50=0
  • Verification probe (Normal) -> no ICMP Reply, the limit is exhausted

Resolver with ONE port open among the 50:
  • 50 UDP Probes (Spoofed) -> 49 ICMPs; Counter=50 -> Counter=50-49=1
  • Verification probe (Normal) -> ICMP Reply reaches the Attacker

Attacker: hit 50 closed ports vs. hit 49 closed ports & 1 open port. A reply to the verification probe means one of the 50 ports is the ephemeral port; the attacker then narrows it down within that block.
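The following simulation of the scan on slides 9 and 10 is an added example, not the authors' scanner (their code is linked on the last slide). `ResolverModel`, `Attacker`, and the assumptions of a single open ephemeral port, probes spoofed from the nameserver's address, a counter of 50 ICMPs refilled every 50 ms, no per-IP rate limit, no packet loss, and a port the attacker already knows to be closed (used both for the verification probe and to pad short blocks to exactly 50 probes) are all constructed here to isolate the counter logic.

```python
# Added example (not the authors' code): a simulation of the ICMP global
# rate-limit side channel from slides 9 and 10. Constructed assumptions:
# one open ephemeral port (the outstanding query), probes spoofed from the
# nameserver's address so the kernel treats that port as open only for that
# source, a counter of 50 ICMPs refilled every 50 ms, no per-IP limit,
# no packet loss, and a port the attacker already knows to be closed.
LIMIT = 50   # ICMP global rate limit: 50 ICMPs per 50 ms window
BLOCK = 50   # spoofed probes per window, chosen to drain the counter exactly


class ResolverModel:
    """The victim resolver's kernel, reduced to the ICMP counter."""

    def __init__(self, open_port):
        self.open_port = open_port      # ephemeral port of the outstanding query, or None
        self.counter = LIMIT

    def new_window(self):
        """Each 50 ms window starts with a refilled global counter."""
        self.counter = LIMIT

    def udp_probe(self, dst_port: int, spoofed_as_ns: bool) -> bool:
        """True if the kernel emits an ICMP port-unreachable for this probe."""
        if spoofed_as_ns and dst_port == self.open_port:
            return False                # delivered to the socket: no ICMP
        if self.counter > 0:
            self.counter -= 1           # ICMP sent to whoever the source claims to be
            return True
        return False                    # limit exhausted: silently dropped


class Attacker:
    def __init__(self, target: ResolverModel, known_closed_port: int):
        self.target = target
        self.closed = known_closed_port  # used for verification and padding
        self.windows = 0                 # each window costs about 50 ms of wall time

    def block_has_open_port(self, ports) -> bool:
        """One window: BLOCK spoofed probes, then a verification probe from the
        attacker's own address. The spoofed probes' ICMPs go to the NS and are
        never seen; only the verification probe's ICMP (or its absence) is."""
        assert len(ports) == BLOCK
        self.windows += 1
        self.target.new_window()
        for p in ports:
            self.target.udp_probe(p, spoofed_as_ns=True)
        # No reply means 50 ICMPs were consumed, i.e. all 50 ports were closed.
        return self.target.udp_probe(self.closed, spoofed_as_ns=False)

    def padded(self, ports):
        """Keep every window at exactly BLOCK probes using the known-closed port."""
        return list(ports) + [self.closed] * (BLOCK - len(ports))

    def find_open_port(self, lo: int = 1024, hi: int = 65536):
        """Linear scan in blocks of 50, then a binary search inside the hit block."""
        for start in range(lo, hi, BLOCK):
            ports = list(range(start, min(start + BLOCK, hi)))
            if not self.block_has_open_port(self.padded(ports)):
                continue
            while len(ports) > 1:
                half = ports[: len(ports) // 2]
                if self.block_has_open_port(self.padded(half)):
                    ports = half
                else:
                    ports = ports[len(half):]
            return ports[0]
        return None


if __name__ == "__main__":
    victim = ResolverModel(open_port=33333)
    att = Attacker(victim, known_closed_port=1)
    port = att.find_open_port()
    print(f"inferred port {port} after {att.windows} windows (~{att.windows * 0.05:.1f} s)")
```

With the counter modelled this way, the linear phase costs one window per 50 ports (about 1.3k windows for 1024-65535, i.e. roughly a minute of wall time) and the binary search inside the hit block adds only a handful of windows; on a real kernel the per-IP limit, timing noise and loss, which this model leaves out, are what the paper's scanner has to work around.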

SLIDE 11

Port Inference: Measurement

  • Open Resolvers: 34% Vulnerable
  • Well-known Public Resolvers: 12/14 Vulnerable
      • Google 8.8.8.8
      • Cloudflare 1.1.1.1
      • OpenDNS 208.67.222.222
      • Comodo 8.26.56.26
      • Dyn 216.146.35.35
      • Quad9 9.9.9.9
      • AdGuard 176.103.130.130
      • CleanBrowsing 185.228.168.168
      • Neustar 156.154.70.1
      • Yandex 77.88.8.1
      • Baidu DNS 180.76.76.76
      • 114 DNS 114.114.114.114
      • Tencent DNS 119.29.29.29
      • Ali DNS 223.5.5.5

SLIDE 12

Contents

  • Background
  • Overview
  • Part I: Infer Ephemeral Port
  • Part II: Extend Attack Window
      • Strategy I: Malicious Name Server (Refer to the Paper)
      • Strategy II: Response Rate Limiting
  • Our Attacks
  • Defenses
  • Conclusion
  • Disclosure

SLIDE 13

Extend Attack Window

(Diagram: Client, Resolver, Attacker, Nameserver.)

  • Normal case: Client -> Resolver Query; Resolver -> Nameserver Query; Nameserver Response. The Attack Window is the gap between the resolver's query and the genuine Response; a Fake Response only wins if it is accepted inside that window.
  • Strategy II: the Attacker floods the Nameserver with queries so that its Response Rate Limiting (RRL) rate-limits its responses to the resolver; the genuine Response is delayed or dropped, and the Attack Window grows accordingly.
  • RRL: 18% Deployed

SLIDE 14

Contents

  • Background
  • Part I: Infer Ephemeral Port
  • Part II: Extend Attack Window
  • Our Attacks
      • Forwarder Attack (Refer to the Paper)
      • Resolver Attack
  • Defenses
  • Conclusion
  • Disclosure

SLIDE 15

Production Resolver Attack

  • Target: a production Open Resolver running Unbound with two workers (Unbound Worker 1, Unbound Worker 2), serving 70M queries/day
  • 2 Name Servers (Ethical Concerns: Controlled by us)
  • Attacker on the other side of the Pacific Ocean: 20ms delay, 3ms jitter, 0.2% loss

SLIDE 16

Resolver Attack: Results

              Setup                                        Result
Attack        # Back Server   # NS   Jitter   Delay   Loss    Total Time   Success Rate
Tsinghua      2               2      3ms      20ms    0.2%    15 mins      5/5
Commercial    4               1      2ms      30ms    0.6%    2.45 mins    1/1

Refer to the paper for more exciting results!

SLIDE 18

Defenses

  • DNSSEC
  • 0x20 encoding
  • DNS cookie
  • Only 5% of open resolvers have deployed these
  • Disable ICMP port unreachable (removes the probe's signal altogether)
  • Randomize ICMP global rate limit (the counter is no longer a deterministic 50, so the verification probe stops being a reliable oracle; this is the approach later adopted in the Linux kernel)
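The following is an added example, not the authors' code, modelling two of the defenses listed above (0x20 encoding and DNS cookies) as the extra bits a forged response has to match. The query name, the RNG seed and the cookie handling are constructed for the example; real implementations live in the resolver and nameserver software and, in the case of DNS cookies, follow RFC 7873 (8-byte client cookie carried in the EDNS OPT record and echoed by the server).

```python
import random

# Added example (not the authors' code): 0x20 encoding and DNS client
# cookies modelled as extra entropy a forgery must match. The name, the RNG
# seed and the cookie handling are constructed for this example.


def randomize_case_0x20(qname: str, rng: random.Random) -> str:
    """0x20 encoding: flip the case of every letter at random. Letters differ
    only in bit 0x20 and DNS name matching is case-insensitive, so the real
    nameserver still resolves the name and copies the exact spelling back."""
    return "".join(
        c.upper() if c.isalpha() and rng.getrandbits(1) else c.lower()
        for c in qname
    )


def bits_0x20(qname: str) -> int:
    """Entropy added by 0x20: one bit per letter; digits, dots and hyphens add none."""
    return sum(1 for c in qname if c.isalpha())


def new_client_cookie(rng: random.Random) -> bytes:
    """RFC 7873 client cookie: 8 random bytes the server must echo."""
    return rng.getrandbits(64).to_bytes(8, "big")


def resolver_accepts(sent_qname: str, sent_cookie: bytes,
                     answered_qname: str, answered_cookie: bytes) -> bool:
    """Checks applied on top of port and TxID: the question must come back
    byte-for-byte (0x20) and the client cookie must be echoed unchanged."""
    return sent_qname == answered_qname and sent_cookie == answered_cookie


def blind_guess_space(qname: str, port_known: bool, cookies: bool) -> int:
    """Number of equally likely forgeries an off-path attacker has to cover.
    The side channel removes the 16 port bits; 0x20 puts back one bit per
    letter of the name and a client cookie puts back 64 bits."""
    bits = 16 + (0 if port_known else 16) + bits_0x20(qname)
    if cookies:
        bits += 64
    return 1 << bits


def example_exchange(seed: int = 20):
    """Constructed exchange: the resolver sends a 0x20-encoded query with a
    cookie; the genuine server echoes both; a forger who only knows the
    lowercase name and has no cookie is rejected (unless it guesses the case)."""
    rng = random.Random(seed)
    q = randomize_case_0x20("www.bank.com", rng)
    cookie = new_client_cookie(rng)
    genuine_ok = resolver_accepts(q, cookie, q, cookie)
    forgery_ok = resolver_accepts(q, cookie, "www.bank.com", b"")
    return q, cookie, genuine_ok, forgery_ok


if __name__ == "__main__":
    q, cookie, genuine_ok, forgery_ok = example_exchange()
    print("query as sent:", q, "cookie:", cookie.hex())
    print("genuine accepted:", genuine_ok, " forgery accepted:", forgery_ok)
    print("forgeries to cover, port known, 0x20 only:", blind_guess_space("www.bank.com", True, False))
    print("forgeries to cover, port known, 0x20 + cookie:", blind_guess_space("www.bank.com", True, True))
```

The numbers make the trade-off visible: against www.bank.com, 0x20 alone raises the post-side-channel sweep from 2^16 to 2^26, which is still brute-forceable inside a long attack window, while a client cookie adds 64 bits that no amount of flooding recovers; that is why the slide lists cookies even though their deployment is low.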

SLIDE 20

Conclusion

  • Side-channel-based UDP port scan.
  • Make DNS cache poisoning possible again!
  • Real-world attacks.

SLIDE 22

Disclosure

SLIDE 23

Thank you!

Q & A

Keyu Man, kman001@ucr.edu
Source code & more interesting projects: https://github.com/seclab-ucr/