Behavior that was ignored in Linux for more than a decade is resurrecting a nightmare attack scenario.
About 38% of the Internet's domain name lookup servers are vulnerable to a new attack that allows hackers to secretly send victims to fake addresses masquerading as legitimate domains, such as bankofamerica.com or gmail.com.
No entropy
The trick worked because, at the time, DNS relied on a single value, the transaction ID, to prove that a returned IP number came from a legitimate server rather than from an impostor server trying to send people to a malicious site. The transaction ID was only 16 bits long, which meant there were only 65,536 possible transaction IDs, a lack of entropy that attackers could exploit by guessing the ID. When the resolver receives an answer with the correct ID, it accepts the malicious IP address and caches the result, so that anyone else using the same resolver (usually one operated by a company, organization, or ISP) is sent to the malicious server as well.
This threat raised the specter of hackers directing thousands or millions of people to phishing or malware websites. It led to industry-wide changes to the domain name system, which acts as a phone book that maps domain names to IP addresses.
Under the new DNS specification, lookup queries no longer used port 53 by default. Instead, these requests were sent over a port chosen at random from a wide range of available UDP ports. By combining the 16 random bits of the transaction ID with an additional 16 bits of entropy from source-port randomization, there were now roughly 134 million possible combinations, making the attack mathematically impossible.
Now, a research team at the University of California, Riverside has revived the threat. Last year, members of the same team found a side channel in the newer DNS design that once again allowed them to infer the transaction number and random port number needed to send fake IP addresses.
The SAD DNS research and its demonstration led to industry-wide updates that effectively closed that side channel. Now, the discovery of new side channels makes cache poisoning viable again. "In this paper, we analyze the previously overlooked attack surface and uncover even more powerful side channels that have existed in Linux kernels for more than a decade," researchers Keyu Man, Xin'an Zhou, and Zhiyong Qian wrote in a paper presented at the ACM CCS 2021 conference. "The side channels affect not only Linux but also a wide range of DNS programs running on top of it, including BIND, Unbound, and dnsmasq. We also find that about 38% of open resolvers (by front-end IP addresses) and 14% (by back-end IP addresses), including popular DNS services such as OpenDNS and Quad9, are vulnerable."
Neither OpenDNS nor Quad9 was immediately available for comment.
The side channel in both last year's and this year's attacks involves the Internet Control Message Protocol, or ICMP, which is used to send error and status messages between two servers. "We found that the ICMP message handling in Linux uses shared resources in a predictable manner, so that it can be used as a side channel," researcher Qian wrote in an email. "It allows an attacker to infer the ephemeral port number of a DNS query and eventually leads to DNS poisoning attacks. This is a serious flaw because Linux is widely used to host DNS resolvers." He continued:
The ephemeral port is supposed to be generated randomly for each DNS query and is unknown to an off-path attacker. However, once the port number is leaked via a side channel, an attacker can spoof DNS responses with the correct port number that will be accepted as legitimate and that contain malicious records (e.g., a malicious record might say that chase.com maps to an attacker's IP address). The way we leak the port number is through ICMP messages. They are essentially network diagnostic messages that have unexpected side effects on Linux (a major discovery of our work this year). Our observation is that ICMP messages can embed UDP packets, indicating an error in a previous UDP packet (e.g., destination unreachable). Such ICMP messages can be sent to a DNS resolver with a guessed port number; if the guessed port is correct, this changes some global resource in the Linux kernel, which is indirectly observable. This is how an attacker can infer which ephemeral port is being used.
Internal state change using ICMP probes
Last year's side channel was the ICMP rate limit. To conserve bandwidth and computing resources, servers respond to only a set number of requests and then stop. SAD DNS exploited that rate limit as a side channel. But while last year's port-inference method used UDP packets to probe ports, which are designed to elicit ICMP responses, this time the attack uses ICMP probes directly.
"By RFC standards, ICMP packets are only supposed to be generated as *responses* to something. They should never elicit any response, which means they are not suitable for port scanning (because you won't receive any feedback). However, we found that ICMP probes can actually change some internal states that can then be observed through a side channel, which is why the entire attack is new."
The researchers suggested several defenses against their attack. The first is setting appropriate socket options such as IP_PMTUDISC_OMIT, which instructs the operating system to ignore the ICMP messages in question and effectively closes the side channel. One downside is that these messages are then ignored even in the cases where they are legitimate.
The second proposed defense is to randomize the cache structure to make the side channel unusable. The third is to reject ICMP redirects.
This vulnerability affects DNS programs, including BIND, Unbound, and dnsmasq, when they run on Linux. The researchers tested whether the DNS software is vulnerable when running on Windows or FreeBSD and found no evidence that it is. Since macOS is based on FreeBSD, they assume it is not vulnerable either.
Dan Kaminsky's DNS poisoning attack comes back from the dead (again)