Amir Herzberg
ABSTRACT
We present a new technique, which we call socket overloading, that we apply for off-path attacks on DNS. Socket overloading consists of short, low-rate, bursts of inbound packets, sent by off-path attacker to a victim host. Socket overloading exploits the priority assigned by the kernel to hardware interrupts, and enables an off-path attacker to illicit a side-channel on client hosts, which can be applied to circumvent source port and name server randomisation. Both port and name server randomisation are popular and standardised defenses, recommended in [RFC5452], against attacks by off-path adversaries. We show how to apply socket overloading for DNS cache poisoning and name server pinning against popular systems that support algorithms recommended in [RFC6056] and [RFC4097] respectively.
Our socket overloading technique may be of independent interest, and can be applied against other protocols for different attacks.
- M. Allman. Comments on selecting ephemeral ports. ACM SIGCOMM Computer Communication Review, 39(2):13--19, 2009. Google Scholar
Digital Library
- S. Antonatos, P. Akritidis, V. T. Lam, and K. G. Anagnostakis. Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure. ACM Transactions on Information and System Security, 12(2):12:1--12:15, Dec. 2008. Google ScholarDigital Library
- D. J. Bernstein. DNS Forgery. Internet publication at http://cr.yp.to/djbdns/forgery.html, November 2002.Google Scholar
- R. Beverly, R. Koga, and K. Claffy. Initial Longitudinal Analysis of IP Source Spoofing Capability on the Internet. Internet Society Article, 2013.Google Scholar
- CAIDA. Anonymized Internet Traces 2012 Dataset. http://www.caida.org/data/passive/passive_2012_dataset.xml, 2012.Google Scholar
- G. R. Corporation. DNS Nameserver Spoofability Test. https://www.grc.com/dns/dns.htm, 2012.Google Scholar
- DNS-OARC. Domain Name System Operations Analysis and Research Center. https://www.dns-oarc.net/oarc/services/porttest, 2008.Google Scholar
- O. Gudmundsson and S. D. Crocker. Observing DNSSEC Validation in the Wild. In SATIN, March 2011.Google Scholar
- R. Hay, J. Kalechstein, G. Nakibly, and S. Center. Subverting bindâĂŹs srtt algorithm derandomizing ns selection. August 2013.Google Scholar
- A. Herzberg and H. Shulman. Stealth DoS attacks on secure channels. In Proc. Symp. on Network and Distributed Systems Security (NDSS '10), San Diego, CA, Feb. 2010. Internet Society.Google Scholar
- A. Herzberg and H. Shulman. Antidotes for DNS Poisoning by Off-Path Adversaries. In International Conference on Availability, Reliability and Security (ARES), pages 262--267. IEEE, IEEE Computer Society, 2012. Google ScholarDigital Library
- A. Herzberg and H. Shulman. Security of Patched DNS. In S. Foresti, M. Yung, and F. Martinelli, editors, Computer Security - ESORICS 2012 - 17th European Symposium on Research in Computer Security, Pisa, Italy, September 10--12, 2012. Proceedings, volume 7459 of Lecture Notes in Computer Science, pages 271--288. Springer, 2012.Google Scholar
- A. Herzberg and H. Shulman. DNSSEC: Interoperability Challenges and Transition Mechanisms. In International Conference on Availability, Reliability and Security (ARES). IEEE, 2013. Google ScholarDigital Library
- A. Herzberg and H. Shulman. DNSSEC: Security and Availability Challenges. In IEEE CNS 2013. The Conference on Communications and Network Security., 2013.Google Scholar
- A. Herzberg and H. Shulman. Fragmentation Considered Poisonous: or one-domain-to-rule-them-all.org. In IEEE Conference on Communications and Network Security (CNS). IEEE, 2013.Google ScholarCross Ref
- A. Herzberg and H. Shulman. Socket Overloading for Fun and Cache-Poisoning. CoRR, 2013.Google ScholarDigital Library
- A. Herzberg and H. Shulman. Towards adoption of dnssec: Availability and security challenges. Cryptology ePrint Archive, Report 2013/254, 2013. http://eprint.iacr.org/.Google Scholar
- A. Herzberg and H. Shulman. Vulnerable Delegation of DNS Resolution. In Computer Security - ESORICS 2013 - 18th European Symposium on Research in Computer Security, September, 2013. Proceedings, Lecture Notes in Computer Science. Springer, 2013.Google Scholar
- A. Herzberg and H. Shulman. Retrofitting Security into Network Protocols: the Case of DNSSEC. IEEE Internet Computing, 2014. Accepted for publication.Google ScholarDigital Library
- A. Herzberg, H. Shulman, J. Ullrich, and E. Weippl. Cloudoscopy: Services Discovery and Topology Mapping. In Proceedings of the fifth ACM workshop on Cloud computing security workshop. ACM, 2013. Google ScholarDigital Library
- A. Hubert and R. van Mook. Measures for Making DNS More Resilient against Forged Answers. RFC 5452 (Proposed Standard), Jan. 2009.Google Scholar
- D. Kaminsky. It's the End of the Cache As We Know It. In Black Hat conference, August 2008.Google Scholar
- S. R. Kleiman. Apparatus and method for interrupt handling in a multi-threaded operating system kernel, May 7 1996. US Patent 5,515,538.Google Scholar
- A. Kuzmanovic and E. W. Knightly. Low-Rate TCP-Targeted Denial of Service Attacks: the Shrew vs. the Mice and Elephants. In SIGCOMM, pages 75--86, New York, NY, USA, 2003. ACM. Google ScholarDigital Library
- M. Larsen and F. Gont. Recommendations for Transport-Protocol Port Randomization. RFC 6056 (Best Current Practice), Jan. 2011.Google Scholar
- M. Larson and P. Barber. Observed DNS Resolution Misbehavior. RFC 4697 (Best Current Practice), Oct. 2006.Google Scholar
- W. Lian, E. Rescorla, H. Shacham, and S. Savage. Measuring the practical impact of DNSSEC deployment. In S. King, editor, Proceedings of USENIX Security 2013. USENIX, Aug. 2013. To appear. Google ScholarDigital Library
- J. Oberheide. PDPT: Passive DNS Port Test. http://jon.oberheide.org/blog/2008/07/21/pdpt-passive-dns-port-test/, July 2008.Google Scholar
- N. Provos. DNS Testing Image. http://www.provos.org/index.php?/archives/43-DNS-Testing-Image.html, July 2008.Google Scholar
- K. Ramakrishnan. Performance considerations in designing network interfaces. Selected Areas in Communications, IEEE Journal on, 11(2):203--219, 1993. Google ScholarDigital Library
- V. Ramasubramanian and E. Sirer. Perils of transitive trust in the domain name system. In Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement, pages 35--35. USENIX Association, 2005. Google ScholarDigital Library
- K. Salah, K. El-Badawi, and F. Haidari. Performance analysis and comparison of interrupt-handling schemes in gigabit networks. Computer Communications, 30(17):3425--3441, 2007. Google ScholarDigital Library
- K. Salah and M. Hamawi. Impact of cpu-bound processes on ip forwarding of linux and windows xp. Journal of Universal Computer Science, 16(21):3299--3313, 2010.Google Scholar
- J. H. Salim, R. Olsson, and A. Kuznetsov. Beyond softnet. In Proceedings of the 5th annual Linux Showcase & Conference, volume 5, pages 18--18, 2001. Google ScholarDigital Library
- P. Vixie. DNS and BIND security issues. In Proceedings of the 5th Symposium on USENIX Security, pages 209--216, Berkeley, CA, USA, jun 1995. USENIX Association. Google ScholarDigital Library
Index Terms
- Socket overloading for fun and cache-poisoning
Recommendations
Antidotes for DNS Poisoning by Off-Path Adversaries
ARES '12: Proceedings of the 2012 Seventh International Conference on Availability, Reliability and SecurityFollowing to Kaminsky's attack (2008), cachingresolvers were patched with defenses against poisoning. So far, the main improvements were non-cryptographic and easy todeploy (requiring changes only in resolvers). Some of theseimprovements are widely ...
A Selective Re-Query Case Sensitive Encoding Scheme Against DNS Cache Poisoning Attacks
A domain name system (DNS) with a hierarchical domain name resolution scheme plays an important role in today's Internet surfing. To protect DNS against cache poisoning attacks is a key issue to achieve Internet security. A lot of defense schemes have ...
Towards Forensic Analysis of Attacks with DNSSEC
SPW '14: Proceedings of the 2014 IEEE Security and Privacy WorkshopsDNS cache poisoning is a stepping stone towards advanced (cyber) attacks, and can be used to monitor users' activities, for censorship, to distribute malware and spam, and even to subvert correctness and availability of Internet networks and services. ...
Comments