[dns-operations] new DNS forwarder vulnerability
mallman at icir.org
Fri Mar 14 13:45:25 UTC 2014
Just a quick note to let folks know about a new vulnerability we have
found in some low-rent DNS forwarders---which we have been calling the
The finding is that when the vulnerable open resolvers receive a DNS
response they just look at the query string in the response to see if
they have a request for the given string outstanding. If they do, they
accept the result. I.e., there is no validating of the source IP, port
numbers or DNS transaction ID in the response. Dumb. This makes
poisoning the caches of these boxes trivial (i.e., send a request for
www.facebook.com and then immediately send an answer).
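The check the post says these forwarders skip, shown as an added example that is not code from the post or from any particular product: a hypothetical forwarder that keeps its outstanding queries keyed by upstream address, port, local port and transaction ID, with the name-only matching described above beside a strict match that also verifies the echoed question. The message builder and the sample reply are constructed here for illustration.

```python
import struct

def encode_name(name):
    """Wire-encode a DNS name as length-prefixed labels plus a terminating zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def build_message(txid, name, qtype=1, response=False):
    """Minimal DNS message: 12-byte header plus one question (no answer RRs needed here)."""
    flags = 0x8180 if response else 0x0100          # QR/RD/RA on responses, RD on queries
    hdr = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return hdr + encode_name(name) + struct.pack("!HH", qtype, 1)

def parse_message(msg):
    """Return txid, QR bit and the first question (name lowercased, qtype, qclass)."""
    txid, flags = struct.unpack("!HH", msg[:4])
    labels, off = [], 12
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    qtype, qclass = struct.unpack("!HH", msg[off + 1:off + 5])
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "name": ".".join(labels).lower(), "qtype": qtype, "qclass": qclass}

class Forwarder:
    def __init__(self):
        self.pending = {}   # (upstream ip, upstream port, local port, txid) -> question
    def send_query(self, server, server_port, local_port, txid, name, qtype=1):
        self.pending[(server, server_port, local_port, txid)] = (name.lower(), qtype, 1)
    def accept_name_only(self, msg):
        # Behaviour the post describes: any pending query with this name is a match.
        q = parse_message(msg)
        return any(v[0] == q["name"] for v in self.pending.values())
    def accept_strict(self, src_ip, src_port, dst_port, msg):
        # Source tuple, local port and txid must select a pending query, and the
        # echoed question must equal what was asked; anything else is dropped.
        q = parse_message(msg)
        expected = self.pending.get((src_ip, src_port, dst_port, q["txid"]))
        if not q["is_response"] or expected is None:
            return False
        return expected == (q["name"], q["qtype"], q["qclass"])

def demo():
    fwd = Forwarder()
    fwd.send_query("192.0.2.53", 53, 40000, 0x1234, "www.example.com")
    forged = build_message(0x0001, "www.example.com", response=True)   # constructed: wrong txid
    genuine = build_message(0x1234, "www.example.com", response=True)
    return (fwd.accept_name_only(forged), fwd.accept_strict("198.51.100.9", 53, 40000, forged),
            fwd.accept_strict("192.0.2.53", 53, 40000, genuine))
```

`demo()` returns `(True, False, True)`: the name-only check swallows the forged reply, the strict check drops it and still accepts the genuine one.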
A few notes ...
- We have found 7--9% of the open resolver population---or 2-3 million
boxes---to be vulnerable to this cache poisoning attack. (The
variance is from different runs of our experiments.)
- We have not been able to nail this vulnerability down to a single
box or manufacturer. To the contrary, our efforts at identifying the
boxes indicate it crosses such boundaries. (However, these boxes
do seem to be largely situated in residential settings.)
- We presented these results at PAM earlier this week. Our paper,
slides, etc. with details of the attack (and results about
previously known DNS attacks) are available here:
- We did give CERT a heads up about this before the paper appeared and
they kibitzed the information around to various manufacturers of
this sort of gear.
My mental model is that this sort of gear is upgraded when it goes
kaput. So, vigilance I guess.