DNS cache poisoning, the Internet attack from 2008, is back from the dead

mood · Nov 12, 2020

DNS cache poisoning, the Internet attack from 2008, is back from the dead
A newly found side channel in a widely used protocol lets attackers spoof domains
November 12, 2020
https://arstechnica.com/information...ve-kaminskys-2008-dns-cache-poisoning-attack/

In 2008, researcher Dan Kaminsky revealed one of the more severe Internet security threats ever: a weakness in the domain name system that made it possible for attackers to send users en masse to imposter sites instead of the real ones belonging to Google, Bank of America, or anyone else. With industrywide coordination, thousands of DNS providers around the world installed a fix that averted this doomsday scenario.

Now, Kaminsky’s DNS cache poisoning attack is back. Researchers on Wednesday presented a new technique that can once again cause DNS resolvers to return maliciously spoofed IP addresses instead of the site that rightfully corresponds to a domain name.

“This is a pretty big advancement that is similar to Kaminsky’s attack for some resolvers, depending on how [they’re] actually run,” said Nick Sullivan, head of research at Cloudflare, a content-delivery network that operates the 1.1.1.1 DNS service.
“This is amongst the most effective DNS cache poisoning attacks we’ve seen since Kaminsky’s attack. It’s something that, if you do run a DNS resolver, you should take seriously.”
Click to expand...

The researchers’ paper, DNS Cache Poisoning Attack Reloaded: Revolutions with Side Channels, provides a far more detailed and technical description of the attack. They call the attack SAD DNS short for Side channel AttackeD DNS.

The researchers privately provided their findings to DNS providers and software developers. In response, Linux kernel developers introduced a change that causes the rate limit to randomly fluctuate between 500 and 2,000 per second. Professor Qian said the fix prevents the new technique from working. Cloudflare introduced a fix of its own. In certain cases, its DNS service will fall back to TCP, which is much more difficult to spoof.

The research was presented at the 2020 ACM Conference on Computer and Communications Security, which is being held this year by video because of the COVID-19 pandemic. The researchers provide additional information here, and a UC Riverside press release is here.
Click to expand...

mood · Nov 13, 2020

How to temporarily mitigate SAD DNS for Linux servers and desktops
November 13, 2020
https://www.techrepublic.com/articl...igate-sad-dns-for-linux-servers-and-desktops/

There's a new DNS cache poisoning threat in town and it goes by the name of Side-channel AttackeD DNS (SAD DNS). This new attack works like so: SAD DNS makes it possible for hackers to reroute traffic destined to a specific domain to a server under their control. With this attack they can easily spy on your traffic. This is a weaponized network side-channel attack with serious security implications for both users and businesses.

This new flaw affects operating systems Linux (kernel 3.18-5.10), Windows Server 2019 (version 1809) and newer, macOS 10.15 and newer, and FreeBSD 12.1.0 and newer.
Click to expand...

BlueCat, a software-driven DDI solution, reached out to me about this issue--mostly because the suggested temporary fix of disabling ICMP packets was a bit more nuanced. To that issue, a BlueCat representative said:

"If a DNS server has ICMP blocked completely, zone transfers could fail, if there is a hop with a smaller MTU (blocking ICMP causes PMTUD black hole) between it and the other server."
BlueCat also informed me of a temporary fix for Linux servers and desktops. The fix is in the form of a simple script that can be easily employed. I've tested it and it works.

Let me show you how to deploy it to your Linux desktops and servers, so you can avoid problems until DNS server providers resolve the issue.
Click to expand...

mood · Nov 14, 2020

SAD DNS Explained
November 13, 2020
https://blog.cloudflare.com/sad-dns-explained/

This week, at the ACM CCS 2020 conference, researchers from UC Riverside and Tsinghua University announced a new attack against the Domain Name System (DNS) called SAD DNS (Side channel AttackeD DNS). This attack leverages recent features of the networking stack in modern operating systems (like Linux) to allow attackers to revive a classic attack category: DNS cache poisoning.
As part of a coordinated disclosure effort earlier this year, the researchers contacted Cloudflare and other major DNS providers and we are happy to announce that 1.1.1.1 Public Resolver is no longer vulnerable to this attack.

In this post, we’ll explain what the vulnerability was, how it relates to previous attacks of this sort, what mitigation measures we have taken to protect our users, and future directions the industry should consider to prevent this class of attacks from being a problem in the future.
Click to expand...

mood · Dec 8, 2020

Microsoft issues guidance for DNS cache poisoning vulnerability
December 8, 2020
https://www.bleepingcomputer.com/ne...idance-for-dns-cache-poisoning-vulnerability/

Microsoft issued guidance on how to mitigate a DNS cache poisoning vulnerability reported by security researchers from the University of California and Tsinghua University.
Impacts multiple Windows server platforms
The addressing spoofing vulnerability — tracked as CVE-2020-25705 and nicknamed SAD DNS (Side-channel AttackeD DNS) — exists in the Windows DNS Resolver software component that comes bundled with the Windows Transmission Control Protocol/Internet Protocol (TCP/IP) stack.

"Microsoft is aware of a vulnerability involving DNS cache poisoning caused by IP fragmentation that affects Windows DNS Resolver," the company explains in a security advisory published as part of this month's Patch Tuesday.
SAD DNS is rated by Microsoft as 'Important' severity and it impacts only Windows server platforms, between Windows Server 2008 R2 and Windows 10, version 20H2 (Server Core Installation).
Click to expand...

CVE-2020-25705 mitigation
To mitigate this vulnerability, Windows administrators can alter the Registry to change the maximum UDP packet size to 1,221 bytes which would block any DNS cache poisoning attacks attempting to exploit it on vulnerable devices. [...]
Click to expand...

Log in or Sign up

DNS cache poisoning, the Internet attack from 2008, is back from the dead

mood Updates Team

mood Updates Team

mood Updates Team

mood Updates Team

Log in or Sign up

DNS cache poisoning, the Internet attack from 2008, is back from the dead

mood Updates Team

mood Updates Team

mood Updates Team

mood Updates Team

Useful Searches