Fragmentation Considered Poisonous

We present practical poisoning and name-server blocking attacks on standard DNS resolvers, by off-path, spoofing adversaries. Our attacks exploit large DNS responses that cause IP fragmentation; such long responses are increasingly common, mainly due to the use of DNSSEC. In common scenarios, where DNSSEC is partially or incorrectly deployed, our poisoning attacks allow 'complete' domain hijacking. When DNSSEC is fully deployed, the attacker can force the use of a fake name server; we show exploits of this that allow off-path traffic analysis and a covert channel. When NSEC3 opt-out is used, the attacker can also create fake subdomains, circumventing same-origin restrictions. Our attacks circumvent resolver-side defenses, e.g., port randomisation, IP randomisation and query randomisation. The (new) name server (NS) blocking attacks force the resolver to use a specific name server. This attack allows degradation of service, traffic analysis and a covert channel, and also facilitates DNS poisoning. We validated the attacks using standard resolver software and standard DNS name servers and zones, e.g., org.
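The abstract's point is that resolver-side defenses (port, IP and query randomisation) only cover the first IPv4 fragment, because only that fragment carries the UDP header and DNS transaction ID. The following added example (not code from the paper) lets a defender quantify that exposure for a given response size, and check whether the EDNS0 buffer a resolver advertises keeps responses within one datagram; it assumes a 1500-byte MTU, a 20-byte IPv4 header without options, and the 8-octet fragment alignment of RFC 791.

```python
# Added example, not from the paper: model how IPv4 fragments a large DNS/UDP
# response and which part of the DNS message ends up in fragments that carry
# no UDP header (hence no source port and no transaction ID to match on).

IPV4_HDR = 20   # assumption: no IP options
UDP_HDR = 8
DNS_HDR = 12    # the 16-bit transaction ID occupies the first two bytes


def fragment_layout(dns_len, mtu=1500):
    """Return [(ip_payload_offset, length, carries_udp_header), ...] for an
    IPv4 datagram carrying a DNS message of dns_len bytes over UDP.
    Non-final fragment payloads must be multiples of 8 octets (RFC 791)."""
    payload = UDP_HDR + dns_len                 # IP payload = UDP hdr + DNS msg
    max_chunk = (mtu - IPV4_HDR) // 8 * 8       # 1480 for a 1500-byte MTU
    frags, off = [], 0
    while off < payload:
        length = min(max_chunk, payload - off)
        frags.append((off, length, off == 0))   # only fragment 0 has the UDP header
        off += length
    return frags


def unprotected_dns_bytes(dns_len, mtu=1500):
    """Bytes of the DNS message carried in non-first fragments.  The receiver
    reassembles these using only the 16-bit IP ID (plus addresses/protocol),
    so port, TXID and query randomisation do not protect them."""
    return sum(length for _off, length, first in fragment_layout(dns_len, mtu)
               if not first)


def needs_fragmentation(edns_buffer, mtu=1500):
    """True if the EDNS0 UDP buffer size a resolver advertises permits a
    response larger than what fits in a single MTU-sized datagram.
    Keeping the buffer at or below mtu - 28 avoids IPv4 fragmentation;
    larger answers then fall back to TCP via the truncation (TC) bit."""
    return edns_buffer > mtu - IPV4_HDR - UDP_HDR


if __name__ == "__main__":
    # Constructed sample: a 2000-byte DNSSEC-signed response over a 1500 MTU.
    for off, length, first in fragment_layout(2000):
        print(f"fragment at offset {off:5d}: {length:4d} bytes, udp header={first}")
    print("DNS bytes outside the port/TXID check:", unprotected_dns_bytes(2000))
    print("4096-byte EDNS buffer fragments:", needs_fragmentation(4096))
```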
