SADDNS2.0 is a tool for launching the DNS cache poisoning attack. It infers the ephemeral port number and brute-forces the TxID by exploiting the Forwarding Information Base (FIB) Next Hop Exception (FNHE) cache as a side channel.

This is a different side-channel cache poisoning attack derived from SADDNS; most of the code usage remains the same. The attack proceeds in two steps:

- Scan the ephemeral ports opened by the resolver.
- Brute-force the TxID.
The side channel leverages the hash table that stores FNHE entries as a shared resource between the spoofed and non-spoofed IPs; an FNHE entry controls whether an IP packet should be fragmented or not. This gives an off-path attacker the ability to tell whether previously spoofed ICMP Fragmentation Needed packets were accepted, which in turn indicates whether the guessed port is correct.

The following figure shows the details of inferring ephemeral ports.

- Compared with SADDNS, SADDNS2.0 uses an embedded UDP packet (carried inside the ICMP probe) to scan for open ports, so no IP spoofing is needed during the scanning phase.
- IP spoofing is still required for injecting rogue responses.
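The port-inference probes described above are ICMP Fragmentation Needed messages that quote a UDP header naming one of the resolver's source ports. From the resolver operator's side, the distinguishing feature is a single sender quoting a large number of distinct resolver ports within a short window, whereas a genuine path-MTU error quotes the one datagram that exceeded the MTU. The detector below, added here as an illustration and not part of the SADDNS2.0 code or the paper, runs that heuristic over constructed ICMP summaries; the record format, the window length and the distinct-port threshold are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# ICMP Destination Unreachable (type 3), code 4 = Fragmentation Needed.
ICMP_UNREACH = 3
ICMP_FRAG_NEEDED = 4


@dataclass(frozen=True)
class IcmpSummary:
    """One observed ICMP error, as a sensor in front of the resolver might summarise it.
    Constructed record format; not the tool's or the paper's output."""
    ts: float            # arrival time, seconds
    src: str             # sender of the ICMP error
    dst: str             # IP it was delivered to (the resolver)
    icmp_type: int
    icmp_code: int
    inner_src_port: int  # UDP source port in the quoted original datagram


def find_port_probe_bursts(records, resolver_ip, window=5.0, min_distinct_ports=64):
    """Flag senders whose Fragmentation Needed messages quote an unusually large number
    of distinct resolver UDP ports inside one time window.

    A port scan must cover the ephemeral range, so the distinct-port count per sender
    climbs quickly; a real PMTU event references only a handful of ports. The window
    and threshold are assumed values to be tuned per deployment.
    Returns a list of (src, window_start_ts, distinct_port_count), one alert per sender.
    """
    by_src = defaultdict(list)
    for r in records:
        if r.dst != resolver_ip or r.icmp_type != ICMP_UNREACH or r.icmp_code != ICMP_FRAG_NEEDED:
            continue
        by_src[r.src].append(r)

    alerts = []
    for src, rs in by_src.items():
        rs.sort(key=lambda r: r.ts)
        start = 0
        ports_in_window = defaultdict(int)  # port -> count of errors quoting it
        for end, r in enumerate(rs):
            ports_in_window[r.inner_src_port] += 1
            # evict errors that fell out of the sliding window
            while rs[end].ts - rs[start].ts > window:
                p = rs[start].inner_src_port
                ports_in_window[p] -= 1
                if ports_in_window[p] == 0:
                    del ports_in_window[p]
                start += 1
            if len(ports_in_window) >= min_distinct_ports:
                alerts.append((src, rs[start].ts, len(ports_in_window)))
                break  # one alert per sender is enough
    return alerts


def constructed_sample(resolver_ip="192.0.2.53"):
    """Constructed traffic: one benign PMTU error from a router, then a scan-shaped burst
    from a single host that quotes 200 consecutive resolver ports within two seconds."""
    records = [IcmpSummary(0.0, "198.51.100.1", resolver_ip, 3, 4, 41234)]
    t = 10.0
    for port in range(32768, 32768 + 200):
        records.append(IcmpSummary(t, "203.0.113.99", resolver_ip, 3, 4, port))
        t += 0.01
    return records


if __name__ == "__main__":
    for src, start, n in find_port_probe_bursts(constructed_sample(), "192.0.2.53"):
        print(f"possible ICMP port probe from {src} starting at t={start}: {n} distinct ports")
```

The check only looks at errors addressed to the resolver and ignores other ICMP types, so routine unreachable messages do not count toward the threshold; a second source that sends the same sweep is reported separately because grouping is per sender.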
DNS Cache Poisoning Attack: Resurrections with Side Channels
Keyu Man, Xin'an Zhou, Zhiyun Qian
In Proceedings of the ACM Conference on Computer and Communications Security (CCS '21), November 15-19, 2021, Virtual Event, Republic of Korea.
- An IP-spoofing-capable host (preferably Linux; Windows works but suffers from low performance).
- A domain (attacker-controlled name server).
- Other things to make clear:
  - The resolver to poison (victim resolver).
  - The domain to poison (victim domain).
  - The victim domain's record will be poisoned on the victim resolver.
- Determine the attack type (e.g., public or private port; Fragmentation Needed or Redirect packet as the payload).
- Guess the seed/key of the FNHE hash table if a private port is used.
- Flood query traffic to mute the name server of the victim domain (see the SADDNS repo for flooding scripts).
- Run the attack program to guess the port number and TxID automatically.
- Compile

  `go build ucr.edu/SADDNS2.0` (requires gopacket and libpcap)

- Seed guessing (only required when probing private ports)

  See the paper for details. `GuessSeed.go` provides methods to send out seed guessing packets. `guessSeed4.c` implements hash guessing functions to guess the seed.

- Start flooding

  `./dns_query.sh &` (requires hping3). Please see the comment in the file for usage.

- Start attacking (while flooding is still in progress)

  `sudo ./saddns [args]`

  Run `./saddns -h` for usage.
For questions or bug reports, please open a new issue.