SlideShare a Scribd company logo

Tomas Hlavacek - IP fragmentation attack on DNS

DefconRussia
DefconRussia

This document summarizes an IP fragmentation attack on DNS resolvers. It exploits IP fragmentation and reassembly to reduce the entropy for cache poisoning from 32 bits to 16 bits. There are two types of attacks - one triggers fragmentation through spoofed ICMP messages, while the other registers a specially crafted zone to generate oversized responses. The attacks allow modifying DNS response fragments off-path to poison caches. Defenses include DNSSEC and workaround like ignoring certain ICMP and limiting response sizes.

1 of 26
Download to read offline
IP fragmentation attack on DNS Original work by Amir Herzberg & Haya Shulman Tomas Hlavacek • tomas.hlavacek@nic.cz • ZeroNights 0x03, 7.11.2013
IP fragmentation attack ● ● Amir Herzberg & Haya Shulman paper Fragmentation Considered Poisonous Two existing PoC: ● ● ● Tomáš Hlaváček & Ondřej Mikle, CZ.NIC Labs Brian Dickson, VeriSign Labs Relatively low technical complexity but a lot of preconditions
The new attack vector: Fragments ● Attack on UDP ● Exploits IP fragmentation & reassembly ● Off-path modification of packets ● Relies on 16-bit IP ID number in IP headers ● IP ID generation by counter helps ● Fights IP reassembly cache limits
IP fragmentation attack on DNS ● ● ● ● Cache-poisoning attack on resolvers Reduces entropy from 32 bits (source port + DNS ID) to 16 bits (IP ID) … because UDP header and beginning of DNS data stays in the 1st fragment Attacker modifies the 2nd fragment (authority and additional sections)
IP frag attack on DNS types ● Two types so far: ● ● 1) Convincing authoritative server to fragment replies for real domain by spoofed ICMPs 2) Registering specially forged zone which generates responses over 1500 B
st Triggering fragmentation – 1 type ● ● ● ● ICMP destination unreachable, frag. needed but DF bit set (type=3, code=4) Spoofing of ICMP (BCP38 is not a problem, firewalls are) Linux accepts signaled MTU into routing cache for 10 mins Linux minimum MTU = 552 B
st 1 type big picture
st 1 type big picture
st 1 type big picture
st 1 type big picture
st 1 type big picture
st 1 type big picture
st 1 type big picture
Effects of ICMP spoofing root@authoritative_server:/# ip route show cache ... 77.243.16.81 from 195.226.217.5 via 217.31.48.17 dev eth0 cache ipid 0xe8a1 Caching resolver IP 62.109.128.22 from 195.226.217.5 via 217.31.48.17 dev eth0 cache expires 576sec ipid 0x6ef3 mtu 552 rtt 4ms rttvar 4ms cwnd 10 63.249.32.21 from 195.226.217.5 via 217.31.48.17 dev eth0 cache ipid 0xa256
Response of the authoritative server ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaa aa.ad.example.cz. IN A ;; AUTHORITY SECTION: ad.example.cz. 360 IN NS ad-ns1.example.cz. ad.example.cz. 360 IN NS ad-ns2.example.cz. ad.example.cz. 360 IN NSEC ad-ns1.example.cz. NS ... ;; ADDITIONAL SECTION: ad-ns1.example.cz. 360 IN A 217.31.49.71 ad-ns1.example.cz. 360 IN RRSIG A 5 3 360 … ad-ns2.example.cz. 360 IN A ad-ns2.example.cz. 360 IN RRSIG A 5 3 360 ... 217.31.49.70 1st and 2nd fragment border
Response in the resolver log ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaa aa.ad.example.cz. IN A ;; AUTHORITY SECTION: ad.example.cz. 360 IN NS ad-ns1.example.cz. ad.example.cz. 360 IN NS ad-ns2.example.cz. ad.example.cz. 360 IN NSEC ad-ns1.example.cz. NS ... ;; ADDITIONAL SECTION: ad-ns1.example.cz. 360 IN A 217.31.49.71 ad-ns1.example.cz. 360 IN RRSIG A 5 3 360 … ad-ns2.example.cz. 360 IN A ad-ns2.example.cz. 360 IN RRSIG A 5 3 360 ... 1st and 2nd fragment border 62.109.128.20 UDP checksum fixup
Technical challenges in PoC ● ICMP packet forgery (easy) ● Selecting vulnerable zone (medium) ● Forging fragments, fixing UDP checksums (hard) ● Inserting into network (depends on local admin's paranoia) ● IP reassembly queue size = 64 @ Linux (needs further work) ● RR-set order randomization (annoyance) ● Label compression (not a problem) ● Fragment arrival order (potentially breaks the attack)
Forged packet acceptance ● ● Bailiwick rules Generally low level of trust in RR from additional section ● Gradually stronger rules in BIND since ~2003 ● Unknown (most likely strict) rules in Unbound
PoC & tricks ● This (1st type) attack worked in lab! ● IP ID known to attacker ● No firewalls, no conntrack ● Non-default IP reassembly queue settings ● 1 out of 3 trials succeeded (due to RR-set randomization and timing)
nd 2 type attack ● Forge zone with specific NS RRs: ● ● ● Add target NS (and glue) to poison Forge zone to produce long referral responses (N x ~250 B NS RR) Register the domain at the lowest possible level (2nd level zone)
Malicious zone in ccTLD ;poisonovacizona.cz. IN NS ;; AUTHORITY SECTION: poisonovacizona.cz. 18000 IN NS eaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa. kaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa. qaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa. waaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa. poisonovacizona.cz. ... poisonovacizona.cz. 18000 IN NS ns2.ignum.cz. ;; ADDITIONAL SECTION: ns2.ignum.cz. 18000 IN A 217.31.48.201 eaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa. kaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa. qaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa. waaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa. poisonovacizona.cz. 18000 IN ... ;; MSG SIZE rcvd: 1949 A 217.31.48.1
Attack through the malicious zone ● The zone produces fragmented referral replies ● The zone is perfectly valid ● … even though it contains weird NS RR ● ● It contains target NS RR of a high-profile authoritative server Glue for the target NS is exposed in the 2 nd fragment
Defenses ● DNSSEC now! ● Workarounds ● ● 1st type: Ignore ICMP type=3, code=4 2nd type: limit response size & set EDNS0 buffer size to your MTU value (on both sides – authoritative as well as recursive)
Demo session ● Two computers – victim and attacker ● Real zone & name servers ● IP-ID known to attacker ● Minor hacks in iptables on victim to guarantee quick success
Demo session explained ● Generate spoofed ICMP ● Inject spoofed ICMP into network ● Query the server and capture response ● Modify DNS response ● Fixup response UDP checksum & change MAC ● Inject forged response & re-run the query
Thank You Tomas Hlavacek • tomas.hlavacek@nic.cz • ZeroNights 0x03, 7.11.2013
Ad

Recommended

Dynamic Port Scanning
Dynamic Port ScanningDynamic Port Scanning
Dynamic Port Scanning
amiable_indian
 
Hacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning TechniquesHacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning Techniques
amiable_indian
 
3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pub3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pub
Cassio Ramos
 
How to bypass an IDS with netcat and linux
How to bypass an IDS with netcat and linuxHow to bypass an IDS with netcat and linux
How to bypass an IDS with netcat and linux
Kirill Shipulin
 
Recon with Nmap
Recon with Nmap Recon with Nmap
Recon with Nmap
OWASP Delhi
 
Blackholing from a_providers_perspektive_theo_voss
Blackholing from a_providers_perspektive_theo_vossBlackholing from a_providers_perspektive_theo_voss
Blackholing from a_providers_perspektive_theo_voss
Pavel Odintsov
 
Extending Zeek for ICS Defense
Extending Zeek for ICS DefenseExtending Zeek for ICS Defense
Extending Zeek for ICS Defense
James Dickenson
 
Nmap scripting engine
Nmap scripting engineNmap scripting engine
Nmap scripting engine
n|u - The Open Security Community
 
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecases
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecasesLF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecases
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecases
LF_OpenvSwitch
 
Type of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleType of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 example
Himani Singh
 
2 netcat enum-pub
2 netcat enum-pub2 netcat enum-pub
2 netcat enum-pub
Cassio Ramos
 
Nmap and metasploitable
Nmap and metasploitableNmap and metasploitable
Nmap and metasploitable
Mohammed Akbar Shariff
 
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit BasicsNetwork Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Bishop Fox
 
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupOffline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setup
Cyber Security Alliance
 
Nmap for Scriptors
Nmap for ScriptorsNmap for Scriptors
Nmap for Scriptors
n|u - The Open Security Community
 
LF_OVS_17_Ingress Scheduling
LF_OVS_17_Ingress SchedulingLF_OVS_17_Ingress Scheduling
LF_OVS_17_Ingress Scheduling
LF_OpenvSwitch
 
Ripe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationRipe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigation
Pavel Odintsov
 
Nmap tutorial
Nmap tutorialNmap tutorial
Nmap tutorial
Varun Kakumani
 
Nmap
NmapNmap
Nmap
NishaYadav177
 
Hacking the swisscom modem
Hacking the swisscom modemHacking the swisscom modem
Hacking the swisscom modem
Cyber Security Alliance
 
Protect your edge BGP security made simple
Protect your edge BGP security made simpleProtect your edge BGP security made simple
Protect your edge BGP security made simple
Pavel Odintsov
 
Os detection with arp
Os detection with arpOs detection with arp
Os detection with arp
David Clark
 
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David ShawBeginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Redspin, Inc.
 
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Pavel Odintsov
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool
Pavel Odintsov
 
LF_OVS_17_OVS-DPDK: Embracing your NUMA nodes.
LF_OVS_17_OVS-DPDK: Embracing your NUMA nodes.LF_OVS_17_OVS-DPDK: Embracing your NUMA nodes.
LF_OVS_17_OVS-DPDK: Embracing your NUMA nodes.
LF_OpenvSwitch
 
LF_OVS_17_OVS-DPDK Installation and Gotchas
LF_OVS_17_OVS-DPDK Installation and GotchasLF_OVS_17_OVS-DPDK Installation and Gotchas
LF_OVS_17_OVS-DPDK Installation and Gotchas
LF_OpenvSwitch
 
Nmap not only a port scanner by ravi rajput comexpo security awareness meet
Nmap not only a port scanner by ravi rajput comexpo security awareness meet Nmap not only a port scanner by ravi rajput comexpo security awareness meet
Nmap not only a port scanner by ravi rajput comexpo security awareness meet
Ravi Rajput
 
Adrian Furtuna - Practical exploitation of rounding vulnerabilities in intern...
Adrian Furtuna - Practical exploitation of rounding vulnerabilities in intern...Adrian Furtuna - Practical exploitation of rounding vulnerabilities in intern...
Adrian Furtuna - Practical exploitation of rounding vulnerabilities in intern...
DefconRussia
 
Alex Eden - Не доверяй и проверяй
Alex Eden - Не доверяй и проверяйAlex Eden - Не доверяй и проверяй
Alex Eden - Не доверяй и проверяй
UISGCON
 
Ad

More Related Content

What's hot (20)

LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecases
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecasesLF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecases
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecases
LF_OpenvSwitch
 
Type of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleType of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 example
Himani Singh
 
2 netcat enum-pub
2 netcat enum-pub2 netcat enum-pub
2 netcat enum-pub
Cassio Ramos
 
Nmap and metasploitable
Nmap and metasploitableNmap and metasploitable
Nmap and metasploitable
Mohammed Akbar Shariff
 
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit BasicsNetwork Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Bishop Fox
 
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupOffline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setup
Cyber Security Alliance
 
Nmap for Scriptors
Nmap for ScriptorsNmap for Scriptors
Nmap for Scriptors
n|u - The Open Security Community
 
LF_OVS_17_Ingress Scheduling
LF_OVS_17_Ingress SchedulingLF_OVS_17_Ingress Scheduling
LF_OVS_17_Ingress Scheduling
LF_OpenvSwitch
 
Ripe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationRipe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigation
Pavel Odintsov
 
Nmap tutorial
Nmap tutorialNmap tutorial
Nmap tutorial
Varun Kakumani
 
Nmap
NmapNmap
Nmap
NishaYadav177
 
Hacking the swisscom modem
Hacking the swisscom modemHacking the swisscom modem
Hacking the swisscom modem
Cyber Security Alliance
 
Protect your edge BGP security made simple
Protect your edge BGP security made simpleProtect your edge BGP security made simple
Protect your edge BGP security made simple
Pavel Odintsov
 
Os detection with arp
Os detection with arpOs detection with arp
Os detection with arp
David Clark
 
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David ShawBeginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Redspin, Inc.
 
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Pavel Odintsov
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool
Pavel Odintsov
 
LF_OVS_17_OVS-DPDK: Embracing your NUMA nodes.
LF_OVS_17_OVS-DPDK: Embracing your NUMA nodes.LF_OVS_17_OVS-DPDK: Embracing your NUMA nodes.
LF_OVS_17_OVS-DPDK: Embracing your NUMA nodes.
LF_OpenvSwitch
 
LF_OVS_17_OVS-DPDK Installation and Gotchas
LF_OVS_17_OVS-DPDK Installation and GotchasLF_OVS_17_OVS-DPDK Installation and Gotchas
LF_OVS_17_OVS-DPDK Installation and Gotchas
LF_OpenvSwitch
 
Nmap not only a port scanner by ravi rajput comexpo security awareness meet
Nmap not only a port scanner by ravi rajput comexpo security awareness meet Nmap not only a port scanner by ravi rajput comexpo security awareness meet
Nmap not only a port scanner by ravi rajput comexpo security awareness meet
Ravi Rajput
 
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecases
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecasesLF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecases
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecases
LF_OpenvSwitch
 
Type of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleType of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 example
Himani Singh
 
2 netcat enum-pub
2 netcat enum-pub2 netcat enum-pub
2 netcat enum-pub
Cassio Ramos
 
Nmap and metasploitable
Nmap and metasploitableNmap and metasploitable
Nmap and metasploitable
Mohammed Akbar Shariff
 
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit BasicsNetwork Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Bishop Fox
 
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupOffline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setup
Cyber Security Alliance
 
Nmap for Scriptors
Nmap for ScriptorsNmap for Scriptors
Nmap for Scriptors
n|u - The Open Security Community
 
LF_OVS_17_Ingress Scheduling
LF_OVS_17_Ingress SchedulingLF_OVS_17_Ingress Scheduling
LF_OVS_17_Ingress Scheduling
LF_OpenvSwitch
 
Ripe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationRipe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigation
Pavel Odintsov
 
Nmap tutorial
Nmap tutorialNmap tutorial
Nmap tutorial
Varun Kakumani
 
Nmap
NmapNmap
Nmap
NishaYadav177
 
Hacking the swisscom modem
Hacking the swisscom modemHacking the swisscom modem
Hacking the swisscom modem
Cyber Security Alliance
 
Protect your edge BGP security made simple
Protect your edge BGP security made simpleProtect your edge BGP security made simple
Protect your edge BGP security made simple
Pavel Odintsov
 
Os detection with arp
Os detection with arpOs detection with arp
Os detection with arp
David Clark
 
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David ShawBeginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Redspin, Inc.
 
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Pavel Odintsov
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool
Pavel Odintsov
 
LF_OVS_17_OVS-DPDK: Embracing your NUMA nodes.
LF_OVS_17_OVS-DPDK: Embracing your NUMA nodes.LF_OVS_17_OVS-DPDK: Embracing your NUMA nodes.
LF_OVS_17_OVS-DPDK: Embracing your NUMA nodes.
LF_OpenvSwitch
 
LF_OVS_17_OVS-DPDK Installation and Gotchas
LF_OVS_17_OVS-DPDK Installation and GotchasLF_OVS_17_OVS-DPDK Installation and Gotchas
LF_OVS_17_OVS-DPDK Installation and Gotchas
LF_OpenvSwitch
 
Nmap not only a port scanner by ravi rajput comexpo security awareness meet
Nmap not only a port scanner by ravi rajput comexpo security awareness meet Nmap not only a port scanner by ravi rajput comexpo security awareness meet
Nmap not only a port scanner by ravi rajput comexpo security awareness meet
Ravi Rajput
 

Viewers also liked (6)

Adrian Furtuna - Practical exploitation of rounding vulnerabilities in intern...
Adrian Furtuna - Practical exploitation of rounding vulnerabilities in intern...Adrian Furtuna - Practical exploitation of rounding vulnerabilities in intern...
Adrian Furtuna - Practical exploitation of rounding vulnerabilities in intern...
DefconRussia
 
Alex Eden - Не доверяй и проверяй
Alex Eden - Не доверяй и проверяйAlex Eden - Не доверяй и проверяй
Alex Eden - Не доверяй и проверяй
UISGCON
 
Nedospasov photonic emission analysis
Nedospasov photonic emission analysisNedospasov photonic emission analysis
Nedospasov photonic emission analysis
DefconRussia
 
Anton Alexanenkov - Tor and Botnet C&C
Anton Alexanenkov - Tor and Botnet C&C Anton Alexanenkov - Tor and Botnet C&C
Anton Alexanenkov - Tor and Botnet C&C
DefconRussia
 
static - defcon russia 20
static - defcon russia 20static - defcon russia 20
static - defcon russia 20
DefconRussia
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20
DefconRussia
 
Adrian Furtuna - Practical exploitation of rounding vulnerabilities in intern...
Adrian Furtuna - Practical exploitation of rounding vulnerabilities in intern...Adrian Furtuna - Practical exploitation of rounding vulnerabilities in intern...
Adrian Furtuna - Practical exploitation of rounding vulnerabilities in intern...
DefconRussia
 
Alex Eden - Не доверяй и проверяй
Alex Eden - Не доверяй и проверяйAlex Eden - Не доверяй и проверяй
Alex Eden - Не доверяй и проверяй
UISGCON
 
Nedospasov photonic emission analysis
Nedospasov photonic emission analysisNedospasov photonic emission analysis
Nedospasov photonic emission analysis
DefconRussia
 
Anton Alexanenkov - Tor and Botnet C&C
Anton Alexanenkov - Tor and Botnet C&C Anton Alexanenkov - Tor and Botnet C&C
Anton Alexanenkov - Tor and Botnet C&C
DefconRussia
 
static - defcon russia 20
static - defcon russia 20static - defcon russia 20
static - defcon russia 20
DefconRussia
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20
DefconRussia
 
Ad

Similar to Tomas Hlavacek - IP fragmentation attack on DNS (20)

DDoS Defense Mechanisms for IXP Infrastructures
DDoS Defense Mechanisms for IXP InfrastructuresDDoS Defense Mechanisms for IXP Infrastructures
DDoS Defense Mechanisms for IXP Infrastructures
Pavel Odintsov
 
Cyber-security
Cyber-securityCyber-security
Cyber-security
Qasim Zaidi
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
idsecconf
 
Neighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-ReferatNeighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-Referat
Digicomp Academy AG
 
Exploiting First Hop Protocols to Own the Network - Paul Coggin
Exploiting First Hop Protocols to Own the Network - Paul CogginExploiting First Hop Protocols to Own the Network - Paul Coggin
Exploiting First Hop Protocols to Own the Network - Paul Coggin
EC-Council
 
Tech f42
Tech f42Tech f42
Tech f42
SelectedPresentations
 
Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Cisco
guestd05b31
 
Pentesting layer 2 protocols
Pentesting layer 2 protocolsPentesting layer 2 protocols
Pentesting layer 2 protocols
Abdessamad TEMMAR
 
Design of a campus network
Design of a campus networkDesign of a campus network
Design of a campus network
Aalap Tripathy
 
packet traveling (pre cloud)
packet traveling (pre cloud)packet traveling (pre cloud)
packet traveling (pre cloud)
iman darabi
 
IPv6 at Mythic Beasts - Networkshop44
IPv6 at Mythic Beasts - Networkshop44IPv6 at Mythic Beasts - Networkshop44
IPv6 at Mythic Beasts - Networkshop44
Jisc
 
IPv6 Fundamentals & Securities
IPv6 Fundamentals & SecuritiesIPv6 Fundamentals & Securities
IPv6 Fundamentals & Securities
Don Anto
 
Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...
Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...
Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...
Jiunn-Jer Sun
 
Network and DNS Vulnerabilities
Network and DNS VulnerabilitiesNetwork and DNS Vulnerabilities
Network and DNS Vulnerabilities
n|u - The Open Security Community
 
IPAddressing .pptx
IPAddressing .pptxIPAddressing .pptx
IPAddressing .pptx
karthikvcyber
 
New flaws in WPA-TKIP
New flaws in WPA-TKIPNew flaws in WPA-TKIP
New flaws in WPA-TKIP
vanhoefm
 
Basic Understanding about TCP/IP Addressing system
Basic Understanding about TCP/IP Addressing systemBasic Understanding about TCP/IP Addressing system
Basic Understanding about TCP/IP Addressing system
BharathKumarRaju DasaraRaju
 
IPv6 Deployment Planning and Security Considerations
IPv6 Deployment Planning and Security ConsiderationsIPv6 Deployment Planning and Security Considerations
IPv6 Deployment Planning and Security Considerations
APNIC
 
IPv6 Deployment Planning and Security Considerations
IPv6 Deployment Planning and Security ConsiderationsIPv6 Deployment Planning and Security Considerations
IPv6 Deployment Planning and Security Considerations
Bangladesh Network Operators Group
 
Day 17.1 nat pat (2)
Day 17.1 nat pat (2)Day 17.1 nat pat (2)
Day 17.1 nat pat (2)
CYBERINTELLIGENTS
 
DDoS Defense Mechanisms for IXP Infrastructures
DDoS Defense Mechanisms for IXP InfrastructuresDDoS Defense Mechanisms for IXP Infrastructures
DDoS Defense Mechanisms for IXP Infrastructures
Pavel Odintsov
 
Cyber-security
Cyber-securityCyber-security
Cyber-security
Qasim Zaidi
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
idsecconf
 
Neighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-ReferatNeighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-Referat
Digicomp Academy AG
 
Exploiting First Hop Protocols to Own the Network - Paul Coggin
Exploiting First Hop Protocols to Own the Network - Paul CogginExploiting First Hop Protocols to Own the Network - Paul Coggin
Exploiting First Hop Protocols to Own the Network - Paul Coggin
EC-Council
 
Tech f42
Tech f42Tech f42
Tech f42
SelectedPresentations
 
Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Cisco
guestd05b31
 
Pentesting layer 2 protocols
Pentesting layer 2 protocolsPentesting layer 2 protocols
Pentesting layer 2 protocols
Abdessamad TEMMAR
 
Design of a campus network
Design of a campus networkDesign of a campus network
Design of a campus network
Aalap Tripathy
 
packet traveling (pre cloud)
packet traveling (pre cloud)packet traveling (pre cloud)
packet traveling (pre cloud)
iman darabi
 
IPv6 at Mythic Beasts - Networkshop44
IPv6 at Mythic Beasts - Networkshop44IPv6 at Mythic Beasts - Networkshop44
IPv6 at Mythic Beasts - Networkshop44
Jisc
 
IPv6 Fundamentals & Securities
IPv6 Fundamentals & SecuritiesIPv6 Fundamentals & Securities
IPv6 Fundamentals & Securities
Don Anto
 
Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...
Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...
Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...
Jiunn-Jer Sun
 
Network and DNS Vulnerabilities
Network and DNS VulnerabilitiesNetwork and DNS Vulnerabilities
Network and DNS Vulnerabilities
n|u - The Open Security Community
 
IPAddressing .pptx
IPAddressing .pptxIPAddressing .pptx
IPAddressing .pptx
karthikvcyber
 
New flaws in WPA-TKIP
New flaws in WPA-TKIPNew flaws in WPA-TKIP
New flaws in WPA-TKIP
vanhoefm
 
Basic Understanding about TCP/IP Addressing system
Basic Understanding about TCP/IP Addressing systemBasic Understanding about TCP/IP Addressing system
Basic Understanding about TCP/IP Addressing system
BharathKumarRaju DasaraRaju
 
IPv6 Deployment Planning and Security Considerations
IPv6 Deployment Planning and Security ConsiderationsIPv6 Deployment Planning and Security Considerations
IPv6 Deployment Planning and Security Considerations
APNIC
 
IPv6 Deployment Planning and Security Considerations
IPv6 Deployment Planning and Security ConsiderationsIPv6 Deployment Planning and Security Considerations
IPv6 Deployment Planning and Security Considerations
Bangladesh Network Operators Group
 
Day 17.1 nat pat (2)
Day 17.1 nat pat (2)Day 17.1 nat pat (2)
Day 17.1 nat pat (2)
CYBERINTELLIGENTS
 
Ad

More from DefconRussia (20)

[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
DefconRussia
 
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
DefconRussia
 
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
DefconRussia
 
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
DefconRussia
 
Георгий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangГеоргий Зайцев - Reversing golang
Георгий Зайцев - Reversing golang
DefconRussia
 
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
DefconRussia
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
DefconRussia
 
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
DefconRussia
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacks
DefconRussia
 
Attacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринAttacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей Тюрин
DefconRussia
 
Weakpass - defcon russia 23
Weakpass - defcon russia 23Weakpass - defcon russia 23
Weakpass - defcon russia 23
DefconRussia
 
nosymbols - defcon russia 20
nosymbols - defcon russia 20nosymbols - defcon russia 20
nosymbols - defcon russia 20
DefconRussia
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20
DefconRussia
 
Nedospasov defcon russia 23
Nedospasov defcon russia 23Nedospasov defcon russia 23
Nedospasov defcon russia 23
DefconRussia
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23
DefconRussia
 
Miasm defcon russia 23
Miasm defcon russia 23Miasm defcon russia 23
Miasm defcon russia 23
DefconRussia
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
DefconRussia
 
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхSergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
DefconRussia
 
George Lagoda - Альтернативное использование вэб сервисов SharePoint со сторо...
George Lagoda - Альтернативное использование вэб сервисов SharePoint со сторо...George Lagoda - Альтернативное использование вэб сервисов SharePoint со сторо...
George Lagoda - Альтернативное использование вэб сервисов SharePoint со сторо...
DefconRussia
 
Taras Tatarinov - Применение аппаратных закладок pwnie express на примере реа...
Taras Tatarinov - Применение аппаратных закладок pwnie express на примере реа...Taras Tatarinov - Применение аппаратных закладок pwnie express на примере реа...
Taras Tatarinov - Применение аппаратных закладок pwnie express на примере реа...
DefconRussia
 
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
DefconRussia
 
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
DefconRussia
 
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
DefconRussia
 
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
DefconRussia
 
Георгий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangГеоргий Зайцев - Reversing golang
Георгий Зайцев - Reversing golang
DefconRussia
 
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
DefconRussia
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
DefconRussia
 
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
DefconRussia
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacks
DefconRussia
 
Attacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринAttacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей Тюрин
DefconRussia
 
Weakpass - defcon russia 23
Weakpass - defcon russia 23Weakpass - defcon russia 23
Weakpass - defcon russia 23
DefconRussia
 
nosymbols - defcon russia 20
nosymbols - defcon russia 20nosymbols - defcon russia 20
nosymbols - defcon russia 20
DefconRussia
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20
DefconRussia
 
Nedospasov defcon russia 23
Nedospasov defcon russia 23Nedospasov defcon russia 23
Nedospasov defcon russia 23
DefconRussia
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23
DefconRussia
 
Miasm defcon russia 23
Miasm defcon russia 23Miasm defcon russia 23
Miasm defcon russia 23
DefconRussia
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
DefconRussia
 
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхSergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
DefconRussia
 
George Lagoda - Альтернативное использование вэб сервисов SharePoint со сторо...
George Lagoda - Альтернативное использование вэб сервисов SharePoint со сторо...George Lagoda - Альтернативное использование вэб сервисов SharePoint со сторо...
George Lagoda - Альтернативное использование вэб сервисов SharePoint со сторо...
DefconRussia
 
Taras Tatarinov - Применение аппаратных закладок pwnie express на примере реа...
Taras Tatarinov - Применение аппаратных закладок pwnie express на примере реа...Taras Tatarinov - Применение аппаратных закладок pwnie express на примере реа...
Taras Tatarinov - Применение аппаратных закладок pwnie express на примере реа...
DefconRussia
 

Tomas Hlavacek - IP fragmentation attack on DNS

  • 1. IP fragmentation attack on DNS Original work by Amir Herzberg & Haya Shulman Tomas Hlavacek • [email protected] • ZeroNights 0x03, 7.11.2013
  • 2. IP fragmentation attack ● ● Amir Herzberg & Haya Shulman paper Fragmentation Considered Poisonous Two existing PoC: ● ● ● Tomáš Hlaváček & Ondřej Mikle, CZ.NIC Labs Brian Dickson, VeriSign Labs Relatively low technical complexity but a lot of preconditions
  • 3. The new attack vector: Fragments ● Attack on UDP ● Exploits IP fragmentation & reassembly ● Off-path modification of packets ● Relies on 16-bit IP ID number in IP headers ● IP ID generation by counter helps ● Fights IP reassembly cache limits
  • 4. IP fragmentation attack on DNS ● ● ● ● Cache-poisoning attack on resolvers Reduces entropy from 32 bits (source port + DNS ID) to 16 bits (IP ID) … because UDP header and beginning of DNS data stays in the 1st fragment Attacker modifies the 2nd fragment (authority and additional sections)
  • 5. IP frag attack on DNS types ● Two types so far: ● ● 1) Convincing authoritative server to fragment replies for real domain by spoofed ICMPs 2) Registering specially forged zone which generates responses over 1500 B
  • 6. st Triggering fragmentation – 1 type ● ● ● ● ICMP destination unreachable, frag. needed but DF bit set (type=3, code=4) Spoofing of ICMP (BCP38 is not a problem, firewalls are) Linux accepts signaled MTU into routing cache for 10 mins Linux minimum MTU = 552 B
  • 7. st 1 type big picture
  • 8. st 1 type big picture
  • 9. st 1 type big picture
  • 10. st 1 type big picture
  • 11. st 1 type big picture
  • 12. st 1 type big picture
  • 13. st 1 type big picture
  • 14. Effects of ICMP spoofing root@authoritative_server:/# ip route show cache ... 77.243.16.81 from 195.226.217.5 via 217.31.48.17 dev eth0 cache ipid 0xe8a1 Caching resolver IP 62.109.128.22 from 195.226.217.5 via 217.31.48.17 dev eth0 cache expires 576sec ipid 0x6ef3 mtu 552 rtt 4ms rttvar 4ms cwnd 10 63.249.32.21 from 195.226.217.5 via 217.31.48.17 dev eth0 cache ipid 0xa256
  • 15. Response of the authoritative server ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaa aa.ad.example.cz. IN A ;; AUTHORITY SECTION: ad.example.cz. 360 IN NS ad-ns1.example.cz. ad.example.cz. 360 IN NS ad-ns2.example.cz. ad.example.cz. 360 IN NSEC ad-ns1.example.cz. NS ... ;; ADDITIONAL SECTION: ad-ns1.example.cz. 360 IN A 217.31.49.71 ad-ns1.example.cz. 360 IN RRSIG A 5 3 360 … ad-ns2.example.cz. 360 IN A ad-ns2.example.cz. 360 IN RRSIG A 5 3 360 ... 217.31.49.70 1st and 2nd fragment border
  • 16. Response in the resolver log ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaa aa.ad.example.cz. IN A ;; AUTHORITY SECTION: ad.example.cz. 360 IN NS ad-ns1.example.cz. ad.example.cz. 360 IN NS ad-ns2.example.cz. ad.example.cz. 360 IN NSEC ad-ns1.example.cz. NS ... ;; ADDITIONAL SECTION: ad-ns1.example.cz. 360 IN A 217.31.49.71 ad-ns1.example.cz. 360 IN RRSIG A 5 3 360 … ad-ns2.example.cz. 360 IN A ad-ns2.example.cz. 360 IN RRSIG A 5 3 360 ... 1st and 2nd fragment border 62.109.128.20 UDP checksum fixup
  • 17. Technical challenges in PoC ● ICMP packet forgery (easy) ● Selecting vulnerable zone (medium) ● Forging fragments, fixing UDP checksums (hard) ● Inserting into network (depends on local admin's paranoia) ● IP reassembly queue size = 64 @ Linux (needs further work) ● RR-set order randomization (annoyance) ● Label compression (not a problem) ● Fragment arrival order (potentially breaks the attack)
  • 18. Forged packet acceptance ● ● Bailiwick rules Generally low level of trust in RR from additional section ● Gradually stronger rules in BIND since ~2003 ● Unknown (most likely strict) rules in Unbound
  • 19. PoC & tricks ● This (1st type) attack worked in lab! ● IP ID known to attacker ● No firewalls, no conntrack ● Non-default IP reassembly queue settings ● 1 out of 3 trials succeeded (due to RR-set randomization and timing)
  • 20. nd 2 type attack ● Forge zone with specific NS RRs: ● ● ● Add target NS (and glue) to poison Forge zone to produce long referral responses (N x ~250 B NS RR) Register the domain at the lowest possible level (2nd level zone)
  • 21. Malicious zone in ccTLD ;poisonovacizona.cz. IN NS ;; AUTHORITY SECTION: poisonovacizona.cz. 18000 IN NS eaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa. kaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa. qaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa. waaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa. poisonovacizona.cz. ... poisonovacizona.cz. 18000 IN NS ns2.ignum.cz. ;; ADDITIONAL SECTION: ns2.ignum.cz. 18000 IN A 217.31.48.201 eaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa. kaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa. qaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa. waaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa. poisonovacizona.cz. 18000 IN ... ;; MSG SIZE rcvd: 1949 A 217.31.48.1
  • 22. Attack through the malicious zone ● The zone produces fragmented referral replies ● The zone is perfectly valid ● … even though it contains weird NS RR ● ● It contains target NS RR of a high-profile authoritative server Glue for the target NS is exposed in the 2 nd fragment
  • 23. Defenses ● DNSSEC now! ● Workarounds ● ● 1st type: Ignore ICMP type=3, code=4 2nd type: limit response size & set EDNS0 buffer size to your MTU value (on both sides – authoritative as well as recursive)
  • 24. Demo session ● Two computers – victim and attacker ● Real zone & name servers ● IP-ID known to attacker ● Minor hacks in iptables on victim to guarantee quick success
  • 25. Demo session explained ● Generate spoofed ICMP ● Inject spoofed ICMP into network ● Query the server and capture response ● Modify DNS response ● Fixup response UDP checksum & change MAC ● Inject forged response & re-run the query
  • 26. Thank You Tomas Hlavacek [email protected] • ZeroNights 0x03, 7.11.2013