DNS Cache Poisoning Attack Reloaded: Revolutions with Side Channels

In this paper, we report a series of flaws in the software stack that lead to a strong revival of DNS cache poisoning --- a classic attack which is mitigated in practice with simple and effective randomization-based defenses such as randomized source ports. To successfully poison a DNS cache on a typical server, an off-path adversary would need to send an impractical number of $2^{32}$ spoofed responses, simultaneously guessing the correct source port (16-bit) and transaction ID (16-bit). Surprisingly, we discover weaknesses that allow an adversary to "divide and conquer" the space by guessing the source port first and then the transaction ID (leading to only $2^{16} + 2^{16}$ spoofed responses). Even worse, we demonstrate a number of ways an adversary can extend the attack window, which drastically improves the odds of success. The attack affects all layers of caches in the DNS infrastructure, such as DNS forwarder and resolver caches, and a wide range of DNS software stacks, including the most popular BIND, Unbound, and dnsmasq, running on top of Linux and potentially other operating systems. The major condition for a victim being vulnerable is that the OS and its network are configured to allow ICMP error replies. From our measurement, we find that over 34% of the open resolver population on the Internet is vulnerable (and in particular 85% of the popular DNS services, including Google's 8.8.8.8). Furthermore, we comprehensively validate the proposed attack with positive results against a variety of server configurations and network conditions that can affect the success of the attack, in both controlled experiments and a production DNS resolver (with authorization).
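The search-space arithmetic behind the abstract's numbers, worked out here as an added note (not part of the original paper text). Let $P$ be the set of 16-bit source ports and $T$ the set of 16-bit transaction IDs, so $|P| = |T| = 2^{16}$.

$$
\text{joint guessing: } |P| \times |T| = 2^{16} \cdot 2^{16} = 2^{32} \text{ candidate (port, TXID) pairs,}
$$

so a single spoofed response matches the outstanding query with probability $2^{-32}$, and $n$ spoofed responses sent within one attack window succeed with probability

$$
1 - \left(1 - 2^{-32}\right)^{n} \approx \frac{n}{2^{32}} \quad (n \ll 2^{32}).
$$

If a side channel lets the adversary confirm the source port independently of the transaction ID, the two dimensions are searched one after the other instead of together:

$$
\text{sequential guessing: } |P| + |T| = 2^{16} + 2^{16} = 2^{17},
$$

a reduction of the worst-case effort by a factor of $2^{32} / 2^{17} = 2^{15}$. This is why the defense relies on the two 16-bit fields being unguessable jointly: any leak that separates port discovery from TXID guessing collapses the product into a sum, and source-port randomization alone then contributes only $2^{16}$ work rather than $2^{16}$-fold amplification of the TXID search.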
