"First-try" DNS Cache Poisoning with IPv4 and IPv6 Fragmentation

Conference: Defcon 27

2019-08-01

Summary

The presentation discusses a new method of DNS cache poisoning that reduces the number of attack iterations required and bypasses current hardening recommendations. The attack was discovered during a pen test and disclosed to Cisco Umbrella. The presentation also covers the Kaminsky attack and the limitations of the DNS transaction ID as a source of entropy.
  • DNS cache poisoning can be done off-path using a puppet to make requests on behalf of the attacker
  • DNS ID is not a reliable source of entropy to prevent spoofing
  • Current recommendations for DNS security are insufficient
  • A new method of DNS cache poisoning reduces attack iterations and bypasses current recommendations
  • The attack was discovered during a pen test and disclosed to Cisco Umbrella
The presenter describes an unusual pen test: a single mitigation was in scope and the engagement was largely an academic exercise. The test was conducted internally at Cisco against Cisco Umbrella, and the attack was discovered in the course of it.

Abstract

DNS fragmentation attacks are a more recent series of attacks that take advantage of the consistent composition of fragmented DNS responses by sending a crafted (malicious) second fragment to be reassembled with a legitimate first fragment at the IP layer. Even if DNSSEC is fully implemented, an attacker can still poison unsigned "glue" records. These attacks are difficult, and have really only been considered remotely feasible over IPv4. Most nameservers use "per-destination" IP-layer ID (IPID) counters, and the IPID in the IPv6 Fragment Extension Header cannot be easily guessed blindly, as the field has been doubled to 32 bits (making blind guessing, even in ideal conditions, take an average of 34 million iterations). Unfortunately, as part of optimizations made to Linux, the IPID counter is no longer truly "per-destination", and the IPID for a given destination can be inferred consistently enough to facilitate an attack. This allows DNS poisoning on IPv4 and IPv6 with equal consistency and precision, and makes poisoning on the first attempt "thousands" of times easier. This talk will cover how this attack is carried out, how consistent it really can be, and mitigations that operators of both DNS nameservers and resolvers can put in place to limit its effectiveness.
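As an added example (not from the talk or its materials), a Python parser that pulls the fragment fields out of IPv4 and IPv6 packets and labels fragmented DNS replies for a resolver-side monitor: it shows the 16-bit versus 32-bit identification fields the abstract contrasts, and that a trailing fragment carries no UDP header, so the receiver matches it to its datagram by identification alone. The sample packets are constructed, and the IPv6 path assumes the Fragment header directly follows the fixed header.

```python
import struct

IPPROTO_UDP, IPV6_FRAG_HDR, DNS_PORT = 17, 44, 53


def parse_fragment(pkt: bytes):
    """Return (family, id_bits, ident, offset, more, next_proto, payload) for a
    fragmented IPv4/IPv6 packet, or None when the packet is not a fragment."""
    version = pkt[0] >> 4
    if version == 4:
        ihl = (pkt[0] & 0x0F) * 4
        ident, flags_off = struct.unpack("!HH", pkt[4:8])
        more, offset = bool(flags_off & 0x2000), (flags_off & 0x1FFF) * 8
        if not more and offset == 0:
            return None                      # whole datagram, nothing to reassemble
        return (4, 16, ident, offset, more, pkt[9], pkt[ihl:])
    if version == 6:
        if pkt[6] != IPV6_FRAG_HDR:          # assumption: Fragment header comes first
            return None
        next_hdr, _res, off_m, ident = struct.unpack("!BBHI", pkt[40:48])
        return (6, 32, ident, (off_m >> 3) * 8, bool(off_m & 1), next_hdr, pkt[48:])
    return None


def classify(pkt: bytes) -> str:
    """'dns-first-frag': first fragment of a UDP datagram from port 53, i.e. the
    legitimate fragment a forged second fragment would be glued onto.
    'trailing-frag': a later fragment; it carries no UDP header, so the receiver
    matches it to the datagram purely by (src, dst, protocol, identification)."""
    info = parse_fragment(pkt)
    if info is None:
        return "none"
    _fam, _bits, _ident, offset, _more, proto, payload = info
    if offset != 0:
        return "trailing-frag"
    if proto == IPPROTO_UDP and struct.unpack("!H", payload[:2])[0] == DNS_PORT:
        return "dns-first-frag"
    return "other-first-frag"


# Constructed sample packets (not captured traffic), 8 bytes of payload each.
V4_FIRST = (bytes([0x45, 0, 0, 28]) + struct.pack("!HH", 0x1234, 0x2000)   # MF set, offset 0
            + bytes([64, IPPROTO_UDP, 0, 0, 192, 0, 2, 1, 198, 51, 100, 7])
            + struct.pack("!HHHH", DNS_PORT, 40000, 1500, 0))              # UDP header, sport 53
V6_TRAIL = (bytes([0x60, 0, 0, 0]) + struct.pack("!HBB", 16, IPV6_FRAG_HDR, 64)
            + bytes(16) + bytes(16)                                        # src, dst (zeroed)
            + struct.pack("!BBHI", IPPROTO_UDP, 0, (185 << 3) | 0, 0xDEADBEEF)  # offset 1480, last fragment
            + bytes(8))
```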
