Is DNS Cache Poisoning Back with SAD DNS Attack?

Is DNS Cache Poisoning Back with SAD DNS Attack?

Tracked as CVE-2020-25705, a novel vulnerability that could lead to Domain Name System (DNS) poisoning attacks has been announced. Named as SAD (Side channel AttackeD) DNS, the attack tries to defeat source port randomization via ICMP error messages in order to forge DNS responses sent from an authoritative name server to a resolver.

Overview

Is DNS Cache Poisoning Back with SAD DNS Attack? Tracked as CVE-2020-25705, a novel vulnerability that could lead to Domain Name System (DNS) poisoning attacks has been announced by the researchers from the University of California and Tsinghua University. Named as SAD (Side channel AttackeD) DNS, the attack tries to defeat source port randomization via ICMP error messages in order to forge DNS responses sent from an authoritative name server to a resolver.

The details of the attack has been published by the researchers on an academic paper (DNS Cache Poisoning Attack Reloaded: Revolutions with Side Channels) and presented at the ACM Conference on Computer and Communications Security.

Background

As being one of the fundamental protocols of the Internet, Domain Name System (DNS) translates human memorizable alphabetic names (URLs for the websites) into numeric Internet Protocol (IP) addresses.

Originally, DNS used UDP (User Datagram Protocol) for the transport protocol, since it has the advantage of being fast and requiring no setup. However, UDP is a stateless and unauthenticated protocol and this opens up a range of vulnerabilities that the attackers can exploit, such as spoofing the DNS responses with a forged source address and port.

To overcome the weaknesses of the UDP, DNS protocol included an entropy in its design as an additional mechanism to protect against forged responses. Simply, the entropy mechanism requires assigning a DNS transaction ID in the first two bytes of a message that should be the same in the query and response. This unpredictability decreased the probability that attackers construct valid DNS replies without first seeing the queries.

However, the introduced entropy was only 16-bits (about 65 thousand possibilities) and it was overcome by the Kaminsky’s attack in 2008. Simply, the attack involved flooding the resolver (Recursive DNS Server) with all the possible DNS responses upon a resolver has made a request to an authoritative name server. In this attack, if the forged responses arrive before the authoritative name server response, the resolver gets poisoned with the attacker defined IP address for a given URL address.

In response to this attack, DNS resolvers started using source port randomization as an additional entropy, rendering the Kaminsky’s attack infeasible (since the number of possibilities that an attacker could guess was increased to over a billion via an increased entropy of 32-bits).

Description – Is DNS Cache Poisoning Back with SAD DNS Attack?

As in the Kaminsky’s attack, the SAD DNS attack targets the communication between recursive resolvers and name servers. The novelty in the attack is that it tries to defeat this extra countermeasure of source port randomization via ICMP error messages in order to forge DNS responses sent from an authoritative name server to a resolver. In doing so, the attack also overcomes the ICMP rate limiting measure since it is predictable by the attackers.

In essence, ICMP port unreachable messages could allow an attacker to deduce the open and closed UDP ports for a given authoritative name server. This information further allows an attacker to reduce the 32-bits of entropy (introduced via DNS ID and source port randomization) to around 17-bits. As 16-bits entropy was previously overcome by Kamisky’s attack, 17-bits entropy is only twice as hard for an attacker to conduct the Kaminsky’s Attack.

As a side note, trying to hide source IPs or open ports is a form of security by obscurity. Both Kamisky’s and SAD attacks reminds us that security by obscurity should be avoided since such measures could be overcome by attackers given enough resources.

Quote by Bruce Schneier
Quote by Bruce Schneier

History has taught us: never underestimate the amount of money, time, and effort someone will expend to thwart a security system. It’s always better to assume the worst. Assume your adversaries are better than they are. Assume science and technology will soon be able to do things they cannot yet. Give yourself a margin for error. Give yourself more security than you need today. When the unexpected happens, you’ll be glad you did.

Bruce Schneier

Read more educational and inspirational cyber quotes at our page 100+ Best Cyber Security & Hacker Quotes.

Impact

An attacker could poison a resolver (Recursive DNS Server) by forging the DNS responses sent from an authoritative name server, leading users querying the poisoned resolver to be redirected to the IP addresses that the attacker choose. 

Impact Summary

Category: Spoofing (DNS Poisoning)
CVSS 3.1 Base Score: 7.4 High
CVSS 3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Solution (Update/Workaround)

Operating system kernels are being updated to randomize ICMP rate limits to stop attackers from abusing the static rate value to identify open UDP ports numbers through ICMP error messages.

Additionally, as a workaround, ICMP could be blocked to prevent attackers from gaining information about open UPD ports.

References to Advisories, Solutions and Tools

To learn more about DNS based attacks, you could also read our article DNSpooq vulnerabilities.

You could also read our popular articles What is a Security Vulnerability? or What is Vulnerability Scanning?