SlideShare a Scribd company logo

Tomas Hlavacek - IP fragmentation attack on DNS

DefconRussia
DefconRussia
1 of 26
Download to read offline
IP fragmentation attack on DNS Original work by Amir Herzberg & Haya Shulman Tomas Hlavacek • tomas.hlavacek@nic.cz • ZeroNights 0x03, 7.11.2013
IP fragmentation attack ● ● Amir Herzberg & Haya Shulman paper Fragmentation Considered Poisonous Two existing PoC: ● ● ● Tomáš Hlaváček & Ondřej Mikle, CZ.NIC Labs Brian Dickson, VeriSign Labs Relatively low technical complexity but a lot of preconditions
The new attack vector: Fragments ● Attack on UDP ● Exploits IP fragmentation & reassembly ● Off-path modification of packets ● Relies on 16-bit IP ID number in IP headers ● IP ID generation by counter helps ● Fights IP reassembly cache limits
IP fragmentation attack on DNS ● ● ● ● Cache-poisoning attack on resolvers Reduces entropy from 32 bits (source port + DNS ID) to 16 bits (IP ID) … because UDP header and beginning of DNS data stays in the 1st fragment Attacker modifies the 2nd fragment (authority and additional sections)
IP frag attack on DNS types ● Two types so far: ● ● 1) Convincing authoritative server to fragment replies for real domain by spoofed ICMPs 2) Registering specially forged zone which generates responses over 1500 B
st Triggering fragmentation – 1 type ● ● ● ● ICMP destination unreachable, frag. needed but DF bit set (type=3, code=4) Spoofing of ICMP (BCP38 is not a problem, firewalls are) Linux accepts signaled MTU into routing cache for 10 mins Linux minimum MTU = 552 B
st 1 type big picture
st 1 type big picture
st 1 type big picture
st 1 type big picture
st 1 type big picture
st 1 type big picture
st 1 type big picture
Effects of ICMP spoofing root@authoritative_server:/# ip route show cache ... 77.243.16.81 from 195.226.217.5 via 217.31.48.17 dev eth0 cache ipid 0xe8a1 Caching resolver IP 62.109.128.22 from 195.226.217.5 via 217.31.48.17 dev eth0 cache expires 576sec ipid 0x6ef3 mtu 552 rtt 4ms rttvar 4ms cwnd 10 63.249.32.21 from 195.226.217.5 via 217.31.48.17 dev eth0 cache ipid 0xa256
Response of the authoritative server ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaa aa.ad.example.cz. IN A ;; AUTHORITY SECTION: ad.example.cz. 360 IN NS ad-ns1.example.cz. ad.example.cz. 360 IN NS ad-ns2.example.cz. ad.example.cz. 360 IN NSEC ad-ns1.example.cz. NS ... ;; ADDITIONAL SECTION: ad-ns1.example.cz. 360 IN A 217.31.49.71 ad-ns1.example.cz. 360 IN RRSIG A 5 3 360 … ad-ns2.example.cz. 360 IN A ad-ns2.example.cz. 360 IN RRSIG A 5 3 360 ... 217.31.49.70 1st and 2nd fragment border
Response in the resolver log ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaa aa.ad.example.cz. IN A ;; AUTHORITY SECTION: ad.example.cz. 360 IN NS ad-ns1.example.cz. ad.example.cz. 360 IN NS ad-ns2.example.cz. ad.example.cz. 360 IN NSEC ad-ns1.example.cz. NS ... ;; ADDITIONAL SECTION: ad-ns1.example.cz. 360 IN A 217.31.49.71 ad-ns1.example.cz. 360 IN RRSIG A 5 3 360 … ad-ns2.example.cz. 360 IN A ad-ns2.example.cz. 360 IN RRSIG A 5 3 360 ... 1st and 2nd fragment border 62.109.128.20 UDP checksum fixup
Technical challenges in PoC ● ICMP packet forgery (easy) ● Selecting vulnerable zone (medium) ● Forging fragments, fixing UDP checksums (hard) ● Inserting into network (depends on local admin's paranoia) ● IP reassembly queue size = 64 @ Linux (needs further work) ● RR-set order randomization (annoyance) ● Label compression (not a problem) ● Fragment arrival order (potentially breaks the attack)
Forged packet acceptance ● ● Bailiwick rules Generally low level of trust in RR from additional section ● Gradually stronger rules in BIND since ~2003 ● Unknown (most likely strict) rules in Unbound
PoC & tricks ● This (1st type) attack worked in lab! ● IP ID known to attacker ● No firewalls, no conntrack ● Non-default IP reassembly queue settings ● 1 out of 3 trials succeeded (due to RR-set randomization and timing)
nd 2 type attack ● Forge zone with specific NS RRs: ● ● ● Add target NS (and glue) to poison Forge zone to produce long referral responses (N x ~250 B NS RR) Register the domain at the lowest possible level (2nd level zone)
Malicious zone in ccTLD ;poisonovacizona.cz. IN NS ;; AUTHORITY SECTION: poisonovacizona.cz. 18000 IN NS eaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa. kaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa. qaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa. waaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa. poisonovacizona.cz. ... poisonovacizona.cz. 18000 IN NS ns2.ignum.cz. ;; ADDITIONAL SECTION: ns2.ignum.cz. 18000 IN A 217.31.48.201 eaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa. kaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa. qaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa. waaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa. poisonovacizona.cz. 18000 IN ... ;; MSG SIZE rcvd: 1949 A 217.31.48.1
Attack through the malicious zone ● The zone produces fragmented referral replies ● The zone is perfectly valid ● … even though it contains weird NS RR ● ● It contains target NS RR of a high-profile authoritative server Glue for the target NS is exposed in the 2 nd fragment
Defenses ● DNSSEC now! ● Workarounds ● ● 1st type: Ignore ICMP type=3, code=4 2nd type: limit response size & set EDNS0 buffer size to your MTU value (on both sides – authoritative as well as recursive)
Demo session ● Two computers – victim and attacker ● Real zone & name servers ● IP-ID known to attacker ● Minor hacks in iptables on victim to guarantee quick success
Demo session explained ● Generate spoofed ICMP ● Inject spoofed ICMP into network ● Query the server and capture response ● Modify DNS response ● Fixup response UDP checksum & change MAC ● Inject forged response & re-run the query
Thank You Tomas Hlavacek • tomas.hlavacek@nic.cz • ZeroNights 0x03, 7.11.2013

Recommended

Dynamic Port Scanning
Dynamic Port ScanningDynamic Port Scanning
Dynamic Port Scanningamiable_indian
 
Hacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning TechniquesHacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning Techniquesamiable_indian
 
3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pub3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pubCassio Ramos
 
How to bypass an IDS with netcat and linux
How to bypass an IDS with netcat and linuxHow to bypass an IDS with netcat and linux
How to bypass an IDS with netcat and linuxKirill Shipulin
 
Recon with Nmap
Recon with Nmap Recon with Nmap
Recon with Nmap OWASP Delhi
 
Blackholing from a_providers_perspektive_theo_voss
Blackholing from a_providers_perspektive_theo_vossBlackholing from a_providers_perspektive_theo_voss
Blackholing from a_providers_perspektive_theo_vossPavel Odintsov
 
Extending Zeek for ICS Defense
Extending Zeek for ICS DefenseExtending Zeek for ICS Defense
Extending Zeek for ICS DefenseJames Dickenson
 
Nmap scripting engine
Nmap scripting engineNmap scripting engine
Nmap scripting enginen|u - The Open Security Community
 

Recommended

Dynamic Port Scanning
Dynamic Port ScanningDynamic Port Scanning
Dynamic Port Scanningamiable_indian
 
Hacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning TechniquesHacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning Techniquesamiable_indian
 
3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pub3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pubCassio Ramos
 
How to bypass an IDS with netcat and linux
How to bypass an IDS with netcat and linuxHow to bypass an IDS with netcat and linux
How to bypass an IDS with netcat and linuxKirill Shipulin
 
Recon with Nmap
Recon with Nmap Recon with Nmap
Recon with Nmap OWASP Delhi
 
Blackholing from a_providers_perspektive_theo_voss
Blackholing from a_providers_perspektive_theo_vossBlackholing from a_providers_perspektive_theo_voss
Blackholing from a_providers_perspektive_theo_vossPavel Odintsov
 
Extending Zeek for ICS Defense
Extending Zeek for ICS DefenseExtending Zeek for ICS Defense
Extending Zeek for ICS DefenseJames Dickenson
 
Nmap scripting engine
Nmap scripting engineNmap scripting engine
Nmap scripting enginen|u - The Open Security Community
 
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecases
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecasesLF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecases
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecasesLF_OpenvSwitch
 
Type of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleType of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleHimani Singh
 
2 netcat enum-pub
2 netcat enum-pub2 netcat enum-pub
2 netcat enum-pubCassio Ramos
 
Nmap and metasploitable
Nmap and metasploitableNmap and metasploitable
Nmap and metasploitableMohammed Akbar Shariff
 
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit BasicsNetwork Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit BasicsBishop Fox
 
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupOffline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupCyber Security Alliance
 
Nmap for Scriptors
Nmap for ScriptorsNmap for Scriptors
Nmap for Scriptorsn|u - The Open Security Community
 
LF_OVS_17_Ingress Scheduling
LF_OVS_17_Ingress SchedulingLF_OVS_17_Ingress Scheduling
LF_OVS_17_Ingress SchedulingLF_OpenvSwitch
 
Ripe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationRipe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationPavel Odintsov
 
Nmap tutorial
Nmap tutorialNmap tutorial
Nmap tutorialVarun Kakumani
 
Nmap
NmapNmap
NmapNishaYadav177
 
Hacking the swisscom modem
Hacking the swisscom modemHacking the swisscom modem
Hacking the swisscom modemCyber Security Alliance
 
Protect your edge BGP security made simple
Protect your edge BGP security made simpleProtect your edge BGP security made simple
Protect your edge BGP security made simplePavel Odintsov
 
Os detection with arp
Os detection with arpOs detection with arp
Os detection with arpDavid Clark
 
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David ShawBeginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David ShawRedspin, Inc.
 
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Pavel Odintsov
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool Pavel Odintsov
 
LF_OVS_17_OVS-DPDK: Embracing your NUMA nodes.
LF_OVS_17_OVS-DPDK: Embracing your NUMA nodes.LF_OVS_17_OVS-DPDK: Embracing your NUMA nodes.
LF_OVS_17_OVS-DPDK: Embracing your NUMA nodes.LF_OpenvSwitch
 
LF_OVS_17_OVS-DPDK Installation and Gotchas
LF_OVS_17_OVS-DPDK Installation and GotchasLF_OVS_17_OVS-DPDK Installation and Gotchas
LF_OVS_17_OVS-DPDK Installation and GotchasLF_OpenvSwitch
 
Nmap not only a port scanner by ravi rajput comexpo security awareness meet
Nmap not only a port scanner by ravi rajput comexpo security awareness meet Nmap not only a port scanner by ravi rajput comexpo security awareness meet
Nmap not only a port scanner by ravi rajput comexpo security awareness meet Ravi Rajput
 
Adrian Furtuna - Practical exploitation of rounding vulnerabilities in intern...
Adrian Furtuna - Practical exploitation of rounding vulnerabilities in intern...Adrian Furtuna - Practical exploitation of rounding vulnerabilities in intern...
Adrian Furtuna - Practical exploitation of rounding vulnerabilities in intern...DefconRussia
 
Alex Eden - Не доверяй и проверяй
Alex Eden - Не доверяй и проверяйAlex Eden - Не доверяй и проверяй
Alex Eden - Не доверяй и проверяйUISGCON
 

More Related Content

What's hot

LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecases
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecasesLF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecases
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecasesLF_OpenvSwitch
 
Type of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleType of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleHimani Singh
 
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit BasicsNetwork Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit BasicsBishop Fox
 
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupOffline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupCyber Security Alliance
 
LF_OVS_17_Ingress Scheduling
LF_OVS_17_Ingress SchedulingLF_OVS_17_Ingress Scheduling
LF_OVS_17_Ingress SchedulingLF_OpenvSwitch
 
Ripe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationRipe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationPavel Odintsov
 
Protect your edge BGP security made simple
Protect your edge BGP security made simpleProtect your edge BGP security made simple
Protect your edge BGP security made simplePavel Odintsov
 
Os detection with arp
Os detection with arpOs detection with arp
Os detection with arpDavid Clark
 
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David ShawBeginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David ShawRedspin, Inc.
 
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Pavel Odintsov
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool Pavel Odintsov
 
LF_OVS_17_OVS-DPDK: Embracing your NUMA nodes.
LF_OVS_17_OVS-DPDK: Embracing your NUMA nodes.LF_OVS_17_OVS-DPDK: Embracing your NUMA nodes.
LF_OVS_17_OVS-DPDK: Embracing your NUMA nodes.LF_OpenvSwitch
 
LF_OVS_17_OVS-DPDK Installation and Gotchas
LF_OVS_17_OVS-DPDK Installation and GotchasLF_OVS_17_OVS-DPDK Installation and Gotchas
LF_OVS_17_OVS-DPDK Installation and GotchasLF_OpenvSwitch
 
Nmap not only a port scanner by ravi rajput comexpo security awareness meet
Nmap not only a port scanner by ravi rajput comexpo security awareness meet Nmap not only a port scanner by ravi rajput comexpo security awareness meet
Nmap not only a port scanner by ravi rajput comexpo security awareness meet Ravi Rajput
 

What's hot (20)

LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecases
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecasesLF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecases
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecases
 
Type of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleType of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 example
 
2 netcat enum-pub
2 netcat enum-pub2 netcat enum-pub
2 netcat enum-pub
 
Nmap and metasploitable
Nmap and metasploitableNmap and metasploitable
Nmap and metasploitable
 
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit BasicsNetwork Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
 
Offline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setupOffline bruteforce attack on wi fi protected setup
Offline bruteforce attack on wi fi protected setup
 
Nmap for Scriptors
Nmap for ScriptorsNmap for Scriptors
Nmap for Scriptors
 
LF_OVS_17_Ingress Scheduling
LF_OVS_17_Ingress SchedulingLF_OVS_17_Ingress Scheduling
LF_OVS_17_Ingress Scheduling
 
Ripe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationRipe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigation
 
Nmap tutorial
Nmap tutorialNmap tutorial
Nmap tutorial
 
Nmap
NmapNmap
Nmap
 
Hacking the swisscom modem
Hacking the swisscom modemHacking the swisscom modem
Hacking the swisscom modem
 
Protect your edge BGP security made simple
Protect your edge BGP security made simpleProtect your edge BGP security made simple
Protect your edge BGP security made simple
 
Os detection with arp
Os detection with arpOs detection with arp
Os detection with arp
 
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David ShawBeginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
 
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool
 
LF_OVS_17_OVS-DPDK: Embracing your NUMA nodes.
LF_OVS_17_OVS-DPDK: Embracing your NUMA nodes.LF_OVS_17_OVS-DPDK: Embracing your NUMA nodes.
LF_OVS_17_OVS-DPDK: Embracing your NUMA nodes.
 
LF_OVS_17_OVS-DPDK Installation and Gotchas
LF_OVS_17_OVS-DPDK Installation and GotchasLF_OVS_17_OVS-DPDK Installation and Gotchas
LF_OVS_17_OVS-DPDK Installation and Gotchas
 
Nmap not only a port scanner by ravi rajput comexpo security awareness meet
Nmap not only a port scanner by ravi rajput comexpo security awareness meet Nmap not only a port scanner by ravi rajput comexpo security awareness meet
Nmap not only a port scanner by ravi rajput comexpo security awareness meet
 

Viewers also liked

Adrian Furtuna - Practical exploitation of rounding vulnerabilities in intern...
Adrian Furtuna - Practical exploitation of rounding vulnerabilities in intern...Adrian Furtuna - Practical exploitation of rounding vulnerabilities in intern...
Adrian Furtuna - Practical exploitation of rounding vulnerabilities in intern...DefconRussia
 
Alex Eden - Не доверяй и проверяй
Alex Eden - Не доверяй и проверяйAlex Eden - Не доверяй и проверяй
Alex Eden - Не доверяй и проверяйUISGCON
 
Nedospasov photonic emission analysis
Nedospasov photonic emission analysisNedospasov photonic emission analysis
Nedospasov photonic emission analysisDefconRussia
 
Anton Alexanenkov - Tor and Botnet C&C
Anton Alexanenkov - Tor and Botnet C&C Anton Alexanenkov - Tor and Botnet C&C
Anton Alexanenkov - Tor and Botnet C&C DefconRussia
 
static - defcon russia 20
static - defcon russia 20static - defcon russia 20
static - defcon russia 20DefconRussia
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20DefconRussia
 

Viewers also liked (6)

Adrian Furtuna - Practical exploitation of rounding vulnerabilities in intern...
Adrian Furtuna - Practical exploitation of rounding vulnerabilities in intern...Adrian Furtuna - Practical exploitation of rounding vulnerabilities in intern...
Adrian Furtuna - Practical exploitation of rounding vulnerabilities in intern...
 
Alex Eden - Не доверяй и проверяй
Alex Eden - Не доверяй и проверяйAlex Eden - Не доверяй и проверяй
Alex Eden - Не доверяй и проверяй
 
Nedospasov photonic emission analysis
Nedospasov photonic emission analysisNedospasov photonic emission analysis
Nedospasov photonic emission analysis
 
Anton Alexanenkov - Tor and Botnet C&C
Anton Alexanenkov - Tor and Botnet C&C Anton Alexanenkov - Tor and Botnet C&C
Anton Alexanenkov - Tor and Botnet C&C
 
static - defcon russia 20
static - defcon russia 20static - defcon russia 20
static - defcon russia 20
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20
 

Similar to Tomas Hlavacek - IP fragmentation attack on DNS

DDoS Defense Mechanisms for IXP Infrastructures
DDoS Defense Mechanisms for IXP InfrastructuresDDoS Defense Mechanisms for IXP Infrastructures
DDoS Defense Mechanisms for IXP InfrastructuresPavel Odintsov
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...idsecconf
 
Neighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-ReferatNeighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-ReferatDigicomp Academy AG
 
Exploiting First Hop Protocols to Own the Network - Paul Coggin
Exploiting First Hop Protocols to Own the Network - Paul CogginExploiting First Hop Protocols to Own the Network - Paul Coggin
Exploiting First Hop Protocols to Own the Network - Paul CogginEC-Council
 
Pentesting layer 2 protocols
Pentesting layer 2 protocolsPentesting layer 2 protocols
Pentesting layer 2 protocolsAbdessamad TEMMAR
 
Design of a campus network
Design of a campus networkDesign of a campus network
Design of a campus networkAalap Tripathy
 
packet traveling (pre cloud)
packet traveling (pre cloud)packet traveling (pre cloud)
packet traveling (pre cloud)iman darabi
 
IPv6 at Mythic Beasts - Networkshop44
IPv6 at Mythic Beasts - Networkshop44IPv6 at Mythic Beasts - Networkshop44
IPv6 at Mythic Beasts - Networkshop44Jisc
 
IPv6 Fundamentals & Securities
IPv6 Fundamentals & SecuritiesIPv6 Fundamentals & Securities
IPv6 Fundamentals & SecuritiesDon Anto
 
Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...
Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...
Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...Jiunn-Jer Sun
 
New flaws in WPA-TKIP
New flaws in WPA-TKIPNew flaws in WPA-TKIP
New flaws in WPA-TKIPvanhoefm
 
Basic Understanding about TCP/IP Addressing system
Basic Understanding about TCP/IP Addressing systemBasic Understanding about TCP/IP Addressing system
Basic Understanding about TCP/IP Addressing systemBharathKumarRaju DasaraRaju
 
IDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsIDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsAPNIC
 
DDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeDDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeMyNOG
 

Similar to Tomas Hlavacek - IP fragmentation attack on DNS (20)

DDoS Defense Mechanisms for IXP Infrastructures
DDoS Defense Mechanisms for IXP InfrastructuresDDoS Defense Mechanisms for IXP Infrastructures
DDoS Defense Mechanisms for IXP Infrastructures
 
Cyber-security
Cyber-securityCyber-security
Cyber-security
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
 
Neighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-ReferatNeighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-Referat
 
Exploiting First Hop Protocols to Own the Network - Paul Coggin
Exploiting First Hop Protocols to Own the Network - Paul CogginExploiting First Hop Protocols to Own the Network - Paul Coggin
Exploiting First Hop Protocols to Own the Network - Paul Coggin
 
Tech f42
Tech f42Tech f42
Tech f42
 
Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Cisco
 
Pentesting layer 2 protocols
Pentesting layer 2 protocolsPentesting layer 2 protocols
Pentesting layer 2 protocols
 
Design of a campus network
Design of a campus networkDesign of a campus network
Design of a campus network
 
packet traveling (pre cloud)
packet traveling (pre cloud)packet traveling (pre cloud)
packet traveling (pre cloud)
 
IPv6 at Mythic Beasts - Networkshop44
IPv6 at Mythic Beasts - Networkshop44IPv6 at Mythic Beasts - Networkshop44
IPv6 at Mythic Beasts - Networkshop44
 
IPv6 Fundamentals & Securities
IPv6 Fundamentals & SecuritiesIPv6 Fundamentals & Securities
IPv6 Fundamentals & Securities
 
Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...
Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...
Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...
 
Network and DNS Vulnerabilities
Network and DNS VulnerabilitiesNetwork and DNS Vulnerabilities
Network and DNS Vulnerabilities
 
IPAddressing .pptx
IPAddressing .pptxIPAddressing .pptx
IPAddressing .pptx
 
New flaws in WPA-TKIP
New flaws in WPA-TKIPNew flaws in WPA-TKIP
New flaws in WPA-TKIP
 
Basic Understanding about TCP/IP Addressing system
Basic Understanding about TCP/IP Addressing systemBasic Understanding about TCP/IP Addressing system
Basic Understanding about TCP/IP Addressing system
 
Day 17.1 nat pat (2)
Day 17.1 nat pat (2)Day 17.1 nat pat (2)
Day 17.1 nat pat (2)
 
IDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsIDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerations
 
DDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeDDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL Lee
 

More from DefconRussia

[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...DefconRussia
 
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...DefconRussia
 
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobindingDefconRussia
 
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/LinuxDefconRussia
 
Георгий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangГеоргий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangDefconRussia
 
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC DefconRussia
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneDefconRussia
 
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...DefconRussia
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacksDefconRussia
 
Attacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринAttacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринDefconRussia
 
Weakpass - defcon russia 23
Weakpass - defcon russia 23Weakpass - defcon russia 23
Weakpass - defcon russia 23DefconRussia
 
nosymbols - defcon russia 20
nosymbols - defcon russia 20nosymbols - defcon russia 20
nosymbols - defcon russia 20DefconRussia
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20DefconRussia
 
Nedospasov defcon russia 23
Nedospasov defcon russia 23Nedospasov defcon russia 23
Nedospasov defcon russia 23DefconRussia
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23DefconRussia
 
Miasm defcon russia 23
Miasm defcon russia 23Miasm defcon russia 23
Miasm defcon russia 23DefconRussia
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...DefconRussia
 
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхSergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхDefconRussia
 
George Lagoda - Альтернативное использование вэб сервисов SharePoint со сторо...
George Lagoda - Альтернативное использование вэб сервисов SharePoint со сторо...George Lagoda - Альтернативное использование вэб сервисов SharePoint со сторо...
George Lagoda - Альтернативное использование вэб сервисов SharePoint со сторо...DefconRussia
 
Taras Tatarinov - Применение аппаратных закладок pwnie express на примере реа...
Taras Tatarinov - Применение аппаратных закладок pwnie express на примере реа...Taras Tatarinov - Применение аппаратных закладок pwnie express на примере реа...
Taras Tatarinov - Применение аппаратных закладок pwnie express на примере реа...DefconRussia
 

More from DefconRussia (20)

[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
 
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
 
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
 
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
 
Георгий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangГеоргий Зайцев - Reversing golang
Георгий Зайцев - Reversing golang
 
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
 
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacks
 
Attacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринAttacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей Тюрин
 
Weakpass - defcon russia 23
Weakpass - defcon russia 23Weakpass - defcon russia 23
Weakpass - defcon russia 23
 
nosymbols - defcon russia 20
nosymbols - defcon russia 20nosymbols - defcon russia 20
nosymbols - defcon russia 20
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20
 
Nedospasov defcon russia 23
Nedospasov defcon russia 23Nedospasov defcon russia 23
Nedospasov defcon russia 23
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23
 
Miasm defcon russia 23
Miasm defcon russia 23Miasm defcon russia 23
Miasm defcon russia 23
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
 
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхSergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
 
George Lagoda - Альтернативное использование вэб сервисов SharePoint со сторо...
George Lagoda - Альтернативное использование вэб сервисов SharePoint со сторо...George Lagoda - Альтернативное использование вэб сервисов SharePoint со сторо...
George Lagoda - Альтернативное использование вэб сервисов SharePoint со сторо...
 
Taras Tatarinov - Применение аппаратных закладок pwnie express на примере реа...
Taras Tatarinov - Применение аппаратных закладок pwnie express на примере реа...Taras Tatarinov - Применение аппаратных закладок pwnie express на примере реа...
Taras Tatarinov - Применение аппаратных закладок pwnie express на примере реа...
 

Tomas Hlavacek - IP fragmentation attack on DNS

  • 1. IP fragmentation attack on DNS Original work by Amir Herzberg & Haya Shulman Tomas Hlavacek • tomas.hlavacek@nic.cz • ZeroNights 0x03, 7.11.2013
  • 2. IP fragmentation attack ● ● Amir Herzberg & Haya Shulman paper Fragmentation Considered Poisonous Two existing PoC: ● ● ● Tomáš Hlaváček & Ondřej Mikle, CZ.NIC Labs Brian Dickson, VeriSign Labs Relatively low technical complexity but a lot of preconditions
  • 3. The new attack vector: Fragments ● Attack on UDP ● Exploits IP fragmentation & reassembly ● Off-path modification of packets ● Relies on 16-bit IP ID number in IP headers ● IP ID generation by counter helps ● Fights IP reassembly cache limits
  • 4. IP fragmentation attack on DNS ● ● ● ● Cache-poisoning attack on resolvers Reduces entropy from 32 bits (source port + DNS ID) to 16 bits (IP ID) … because UDP header and beginning of DNS data stays in the 1st fragment Attacker modifies the 2nd fragment (authority and additional sections)
  • 5. IP frag attack on DNS types ● Two types so far: ● ● 1) Convincing authoritative server to fragment replies for real domain by spoofed ICMPs 2) Registering specially forged zone which generates responses over 1500 B
  • 6. st Triggering fragmentation – 1 type ● ● ● ● ICMP destination unreachable, frag. needed but DF bit set (type=3, code=4) Spoofing of ICMP (BCP38 is not a problem, firewalls are) Linux accepts signaled MTU into routing cache for 10 mins Linux minimum MTU = 552 B
  • 7. st 1 type big picture
  • 8. st 1 type big picture
  • 9. st 1 type big picture
  • 10. st 1 type big picture
  • 11. st 1 type big picture
  • 12. st 1 type big picture
  • 13. st 1 type big picture
  • 14. Effects of ICMP spoofing root@authoritative_server:/# ip route show cache ... 77.243.16.81 from 195.226.217.5 via 217.31.48.17 dev eth0 cache ipid 0xe8a1 Caching resolver IP 62.109.128.22 from 195.226.217.5 via 217.31.48.17 dev eth0 cache expires 576sec ipid 0x6ef3 mtu 552 rtt 4ms rttvar 4ms cwnd 10 63.249.32.21 from 195.226.217.5 via 217.31.48.17 dev eth0 cache ipid 0xa256
  • 15. Response of the authoritative server ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaa aa.ad.example.cz. IN A ;; AUTHORITY SECTION: ad.example.cz. 360 IN NS ad-ns1.example.cz. ad.example.cz. 360 IN NS ad-ns2.example.cz. ad.example.cz. 360 IN NSEC ad-ns1.example.cz. NS ... ;; ADDITIONAL SECTION: ad-ns1.example.cz. 360 IN A 217.31.49.71 ad-ns1.example.cz. 360 IN RRSIG A 5 3 360 … ad-ns2.example.cz. 360 IN A ad-ns2.example.cz. 360 IN RRSIG A 5 3 360 ... 217.31.49.70 1st and 2nd fragment border
  • 16. Response in the resolver log ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaa aa.ad.example.cz. IN A ;; AUTHORITY SECTION: ad.example.cz. 360 IN NS ad-ns1.example.cz. ad.example.cz. 360 IN NS ad-ns2.example.cz. ad.example.cz. 360 IN NSEC ad-ns1.example.cz. NS ... ;; ADDITIONAL SECTION: ad-ns1.example.cz. 360 IN A 217.31.49.71 ad-ns1.example.cz. 360 IN RRSIG A 5 3 360 … ad-ns2.example.cz. 360 IN A ad-ns2.example.cz. 360 IN RRSIG A 5 3 360 ... 1st and 2nd fragment border 62.109.128.20 UDP checksum fixup
  • 17. Technical challenges in PoC ● ICMP packet forgery (easy) ● Selecting vulnerable zone (medium) ● Forging fragments, fixing UDP checksums (hard) ● Inserting into network (depends on local admin's paranoia) ● IP reassembly queue size = 64 @ Linux (needs further work) ● RR-set order randomization (annoyance) ● Label compression (not a problem) ● Fragment arrival order (potentially breaks the attack)
  • 18. Forged packet acceptance ● ● Bailiwick rules Generally low level of trust in RR from additional section ● Gradually stronger rules in BIND since ~2003 ● Unknown (most likely strict) rules in Unbound
  • 19. PoC & tricks ● This (1st type) attack worked in lab! ● IP ID known to attacker ● No firewalls, no conntrack ● Non-default IP reassembly queue settings ● 1 out of 3 trials succeeded (due to RR-set randomization and timing)
  • 20. nd 2 type attack ● Forge zone with specific NS RRs: ● ● ● Add target NS (and glue) to poison Forge zone to produce long referral responses (N x ~250 B NS RR) Register the domain at the lowest possible level (2nd level zone)
  • 21. Malicious zone in ccTLD ;poisonovacizona.cz. IN NS ;; AUTHORITY SECTION: poisonovacizona.cz. 18000 IN NS eaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa. kaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa. qaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa. waaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa. poisonovacizona.cz. ... poisonovacizona.cz. 18000 IN NS ns2.ignum.cz. ;; ADDITIONAL SECTION: ns2.ignum.cz. 18000 IN A 217.31.48.201 eaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa. kaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa. qaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa. waaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa. poisonovacizona.cz. 18000 IN ... ;; MSG SIZE rcvd: 1949 A 217.31.48.1
  • 22. Attack through the malicious zone ● The zone produces fragmented referral replies ● The zone is perfectly valid ● … even though it contains weird NS RR ● ● It contains target NS RR of a high-profile authoritative server Glue for the target NS is exposed in the 2 nd fragment
  • 23. Defenses ● DNSSEC now! ● Workarounds ● ● 1st type: Ignore ICMP type=3, code=4 2nd type: limit response size & set EDNS0 buffer size to your MTU value (on both sides – authoritative as well as recursive)
  • 24. Demo session ● Two computers – victim and attacker ● Real zone & name servers ● IP-ID known to attacker ● Minor hacks in iptables on victim to guarantee quick success
  • 25. Demo session explained ● Generate spoofed ICMP ● Inject spoofed ICMP into network ● Query the server and capture response ● Modify DNS response ● Fixup response UDP checksum & change MAC ● Inject forged response & re-run the query
  • 26. Thank You Tomas Hlavacek • tomas.hlavacek@nic.cz • ZeroNights 0x03, 7.11.2013