DOI: 10.1145/3372297.3417280
Research article (open access)

DNS Cache Poisoning Attack Reloaded: Revolutions with Side Channels

Published: 02 November 2020

Abstract

In this paper, we report a series of flaws in the software stack that lead to a strong revival of DNS cache poisoning, a classic attack which is mitigated in practice with simple and effective randomization-based defenses such as randomized source ports. To successfully poison a DNS cache on a typical server, an off-path adversary would need to send an impractical number of $2^{32}$ spoofed responses, simultaneously guessing the correct source port (16-bit) and transaction ID (16-bit). Surprisingly, we discover weaknesses that allow an adversary to "divide and conquer" the space by guessing the source port first and then the transaction ID (leading to only $2^{16} + 2^{16}$ spoofed responses). Even worse, we demonstrate a number of ways an adversary can extend the attack window, which drastically improves the odds of success. The attack affects all layers of caches in the DNS infrastructure, such as DNS forwarder and resolver caches, and a wide range of DNS software stacks, including the most popular BIND, Unbound, and dnsmasq, running on top of Linux and potentially other operating systems. The major condition for a victim being vulnerable is that the OS and its network are configured to allow ICMP error replies. From our measurement, we find that over 34% of the open resolver population on the Internet is vulnerable (and in particular 85% of the popular DNS services, including Google's 8.8.8.8). Furthermore, we comprehensively validate the proposed attack with positive results against a variety of server configurations and network conditions that can affect the success of the attack, in both controlled experiments and a production DNS resolver (with authorization).
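The step that makes the divide-and-conquer possible is inferring which ephemeral UDP source port the resolver currently has open, and the paper does this through the Linux kernel's global ICMP error rate limit: the per-host token bucket added by Eric Dumazet's "icmp: add a global rate limitation" commit (by default 1000 ICMP messages per second with a burst of 50). A UDP probe to a closed port costs one token because a port-unreachable goes out; a probe to the port the resolver is using costs nothing because the socket consumes the datagram. Probes spoofed from the authoritative server's address therefore drain the bucket in proportion to how many of them hit closed ports, and the attacker reads the result back with one probe from its own address. The simulation below is an added example written for this page, not code from the paper or its authors. Its kernel and attacker models are simplified assumptions (one full refill per probing round, no packet loss, the attacker already knows one closed port), and the port range and bucket parameters are Linux stock defaults rather than values taken from the page. The `jitter` parameter models a kernel that randomizes the global limit, which is how Linux later closed this side channel, and shows why the inference then stops being reliable.

```python
"""Simulated ICMP global-rate-limit side channel for off-path UDP source-port inference.

Simplified model (assumptions, not the kernel's exact code): the victim resolver's
kernel keeps one token bucket for outgoing ICMP errors shared by all peers.  A UDP
datagram to a closed port costs one token (a port-unreachable goes out); a datagram
to an open port costs nothing.  The attacker never sees replies to spoofed probes,
only whether its own non-spoofed verification probe gets an ICMP reply.
"""
import math
import random

ICMP_PER_SEC = 1000                  # Linux default: net.ipv4.icmp_msgs_per_sec
ICMP_BURST = 50                      # Linux default: net.ipv4.icmp_msgs_burst
EPHEMERAL = range(32768, 60999 + 1)  # Linux default: net.ipv4.ip_local_port_range
KNOWN_CLOSED = 1                     # assumption: attacker knows one port that is closed


class Host:
    """Victim kernel: a global ICMP error token bucket shared by all peers."""

    def __init__(self, open_ports, burst=ICMP_BURST, jitter=0):
        self.open_ports = set(open_ports)
        self.burst = burst
        self.jitter = jitter  # > 0 models a kernel that randomizes the limit
        self.refill()

    def refill(self):
        noise = random.randint(-self.jitter, self.jitter) if self.jitter else 0
        self.tokens = self.burst + noise

    def udp_probe(self, port):
        """Receive one UDP datagram; return True iff an ICMP port unreachable is sent."""
        if port in self.open_ports:
            return False  # a socket is bound (resolver's outstanding query): no ICMP
        if self.tokens <= 0:
            return False  # closed port, but the global limit is exhausted: silently dropped
        self.tokens -= 1
        return True


class OffPathAttacker:
    """Infers the resolver's in-use source port without seeing any spoofed reply."""

    def __init__(self, host):
        self.host = host
        self.rounds = 0

    def batch_has_open_port(self, ports):
        """One probing round: exactly ICMP_BURST spoofed probes, then one verification probe."""
        self.rounds += 1
        self.host.refill()  # attacker waits about burst/rate seconds so the bucket is full
        batch = list(ports) + [KNOWN_CLOSED] * (ICMP_BURST - len(ports))  # pad with closed ports
        for p in batch:
            self.host.udp_probe(p)  # spoofed from the authoritative server's IP; reply invisible
        # Verification probe from the attacker's real IP to a closed port: a reply means a
        # token survived, i.e. at least one of the spoofed probes hit an open port.
        return self.host.udp_probe(KNOWN_CLOSED)

    def locate(self, ports):
        """Binary search inside one batch; each half is padded back to ICMP_BURST probes."""
        ports = list(ports)
        if not self.batch_has_open_port(ports):
            return []
        if len(ports) == 1:
            return ports
        mid = len(ports) // 2
        return self.locate(ports[:mid]) + self.locate(ports[mid:])

    def scan(self, port_range=EPHEMERAL):
        """Walk the ephemeral range in batches of ICMP_BURST ports."""
        ports = list(port_range)
        found = []
        for i in range(0, len(ports), ICMP_BURST):
            found += self.locate(ports[i:i + ICMP_BURST])
        return found


def min_scan_seconds(n_ports, burst=ICMP_BURST, rate=ICMP_PER_SEC):
    """Lower bound on wall time: one full bucket refill per batch of `burst` ports."""
    return math.ceil(n_ports / burst) * burst / rate


def error_rate(open_ports, jitter, trials=5):
    """Fraction of full scans that return the wrong port set against a host with `jitter`."""
    wrong = 0
    for _ in range(trials):
        result = OffPathAttacker(Host(open_ports, jitter=jitter)).scan()
        wrong += set(result) != set(open_ports)
    return wrong / trials


if __name__ == "__main__":
    attacker = OffPathAttacker(Host({40000}))  # constructed sample: one outstanding query
    print("inferred source port(s):", attacker.scan(), "in", attacker.rounds, "rounds")
    print("lower bound on scan time: %.2f s" % min_scan_seconds(len(EPHEMERAL)))
    print("error rate against a randomized limit:", error_rate({40000}, jitter=5))
```

Two things the model makes concrete: the wall-clock cost of the port scan is bounded below by the refill rate (one 50-token round per 50 ms, so roughly 28 s for the default ephemeral range, before the $2^{16}$ transaction-ID guesses even start), which is why the attack-window extensions the abstract mentions matter; and once the bucket size is no longer a constant the verification probe no longer distinguishes "one port open" from "limit slightly larger than expected", which is the property a defender should check for in the resolver host's kernel, along with whether it emits ICMP errors at all.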

Supplementary Material

Presentation video (MOV file)




    Published In

    CCS '20: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, October 2020, 2180 pages. ISBN 9781450370899. DOI: 10.1145/3372297
    This work is licensed under a Creative Commons Attribution International 4.0 License.

    Publisher

    Association for Computing Machinery, New York, NY, United States

    Badges

    • Best Paper

    Author Tags

    1. attack
    2. cache poisoning
    3. dns
    4. icmp
    5. off path
    6. rate limit
    7. side channel


    Acceptance Rates

    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%


    Cited By

    • TuDoor Attack: Systematically Exploring and Exploiting Logic Vulnerabilities in DNS Response Pre-processing with Malformed Packets. 2024 IEEE Symposium on Security and Privacy (SP), pp. 4459-4477. doi:10.1109/SP54263.2024.00172 (19 May 2024)
    • More Haste, Less Speed: Cache Related Security Threats in Continuous Integration Services. 2024 IEEE Symposium on Security and Privacy (SP), pp. 1179-1197. doi:10.1109/SP54263.2024.00138 (19 May 2024)
    • Resilience-by-Design in 6G Networks: Literature Review and Novel Enabling Concepts. IEEE Access 12, pp. 155666-155695. doi:10.1109/ACCESS.2024.3480275 (2024)
    • Unveiling malicious DNS behavior profiling and generating benchmark dataset through application layer traffic analysis. Computers and Electrical Engineering 118, article 109436. doi:10.1016/j.compeleceng.2024.109436 (September 2024)
    • Securing the internet's backbone: A blockchain-based and incentive-driven architecture for DNS cache poisoning defense. Computer Networks 254, article 110777. doi:10.1016/j.comnet.2024.110777 (December 2024)
    • Isolated and exhausted. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 7037-7054. doi:10.5555/3620237.3620631 (9 August 2023)
    • Did the shark eat the watchdog in the NTP pool? Deceiving the NTP pool's monitoring system. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 6151-6166. doi:10.5555/3620237.3620581 (9 August 2023)
    • Fourteen years in the life. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 3171-3186. doi:10.5555/3620237.3620415 (9 August 2023)
    • Silence is not Golden: Disrupting the Load Balancing of Authoritative DNS Servers. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pp. 296-310. doi:10.1145/3576915.3616647 (15 November 2023)
    • TI-DNS: A Trusted and Incentive DNS Resolution Architecture based on Blockchain. 2023 IEEE 22nd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp. 265-274. doi:10.1109/TrustCom60117.2023.00055 (1 November 2023)
