A group of academics from the University of California and Tsinghua University has uncovered a series of critical security flaws that could lead to a revival of DNS cache poisoning attacks.
Dubbed "SAD DNS attack" (short for Side-channel AttackeD DNS), the technique makes it possible for a malicious actor to carry out an off-path attack, rerouting any traffic originally destined to a specific domain to a server under their control, thereby allowing them to eavesdrop and tamper with the communications.
"This represents an important milestone — the first weaponizable network side channel attack that has serious security impacts," the researchers said. "The attack allows an off-path attacker to inject a malicious DNS record into a DNS cache."
Tracked as CVE-2020-25705, the findings were presented at the ACM Conference on Computer, and Communications Security (CCS '20) held this week.
The flaw affects operating systems Linux 3.18-5.10, Windows Server 2019 (version 1809) and newer, macOS 10.15 and newer, and FreeBSD 12.1.0 and newer.
DNS Forwarders Become New Attack Surface
DNS resolvers typically cache responses to IP address queries for a specific period as a means to improve response performance in a network. But this very mechanism can be exploited to poison the caches by impersonating the IP address DNS entries for a given website and redirect users attempting to visit that website to another site of the attacker's choice.
However, the effectiveness of such attacks has taken a hit in part due to protocols such as DNSSEC (Domain Name System Security Extensions) that creates a secure domain name system by adding cryptographic signatures to existing DNS records and randomization-based defenses that allow the DNS resolver to use a different source port and transaction ID (TxID) for every query.
Noting that the two mitigation measures are still far from being widely deployed due to "incentives and compatibility" reasons, the researchers said they devised a side-channel attack that can be successfully used against the most popular DNS software stacks, thus rendering public DNS resolvers like Cloudflare's 1.1.1.1 and Google's 8.8.8.8 vulnerable.
A Novel Side-Channel Attack
The SAD DNS attack works by making use of a compromised machine in any network that's capable of triggering a request out of a DNS forwarder or resolver, such as a public wireless network managed by a wireless router in a coffee shop, a shopping mall, or an airport.
It then leverages a side channel in the network protocol stack to scan and discover which source ports are used to initiate a DNS query and subsequently inject a large number of spoofed DNS replies by brute-forcing the TxIDs.
More specifically, the researchers used a channel used in the domain name requests to narrow down the exact source port number by sending spoofed UDP packets, each with different IP addresses, to a victim server and infer whether the spoofed probes have hit the right source port based on the ICMP responses received (or lack thereof).
This port scan method achieves a scanning speed of 1,000 ports per second, cumulatively taking a little over 60 seconds to enumerate the entire port range consisting of 65536 ports. With the source port thus derandomized, all an attacker has to do is to insert a malicious IP address to redirect website traffic and successfully pull off a DNS cache poisoning attack.
Mitigating SAD DNS Attacks
Aside from demonstrating ways to extend the attack window that permits an attacker to scan more ports and also inject additional rogue records to poison the DNS cache, the study found that over 34% of the open resolvers on the Internet are vulnerable, 85% of which comprise of popular DNS services like Google and Cloudflare.
To counter SAD DNS, the researchers recommend disabling outgoing ICMP responses and setting the timeout of DNS queries more aggressively.
The researchers have also put together a tool to check for DNS servers that are vulnerable to this attack. In addition, the group worked with the Linux kernel security team for a patch that randomizes the ICMP global rate limit to introduce noises to the side channel.
The research "presents a novel and general side channel based on [the] global ICMP rate limit, universally implemented by all modern operating systems," the researchers concluded. "This allows efficient scans of UDP source ports in DNS queries. Combined with techniques to extend the attack window, it leads to a powerful revival of the DNS cache poisoning attack."