"First-try" DNS Cache Poisoning on IPv4 and IPv6

Presented at Wild West Hackin' Fest 2019, Oct. 25, 2019, 11 a.m. (50 minutes).

DNS fragmentation attacks are a more recent series of attacks that take advantage of the consistent composition of fragmented DNS responses: the attacker sends a crafted (malicious) second fragment that is reassembled with a legitimate first fragment at the IP layer. Even if DNSSEC is fully implemented, an attacker can still poison unsigned "glue" records. These attacks are difficult, and have really only been considered remotely feasible over IPv4. Most nameservers use "per-destination" IP-layer ID (IPID) counters, and the IPID in the IPv6 Fragment Extension Header cannot be easily guessed blindly, since the field is twice the width of its IPv4 counterpart, at 32 bits (making blind guessing, even in ideal conditions, take an average of 34 million iterations). Unfortunately, as part of optimizations made to Linux, the IPID counter is no longer truly "per-destination", and the IPID for a given destination can be inferred consistently enough to facilitate an attack. This allows DNS poisoning on IPv4 and IPv6 with equal consistency and precision, and makes poisoning on the first attempt "thousands" of times easier. This talk will cover how this attack is carried out, how consistent it really can be, and mitigations that can be put in place by operators of both DNS nameservers and resolvers to limit its effectiveness.
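The abstract turns on two details of IP reassembly: a second fragment carries no UDP header, so the IP layer glues it onto a first fragment purely by matching source, destination and identification (16-bit IPID in IPv4, 32-bit identification in the IPv6 Fragment Extension Header). The following monitor is an added example written for this page, not code from the talk or its presenter; it parses constructed IPv4 and IPv6 packets, records every fragmented datagram whose first fragment is a UDP/53 response, and flags any later fragment that would be reassembled with one. This is the signal a resolver operator would want to log, since a properly sized DNS response should never arrive fragmented. The addresses, identification values and UDP payloads are constructed for the demo; checksums are left zero because nothing here verifies them.

```python
import ipaddress
import struct
from collections import namedtuple

IPPROTO_UDP = 17
IPV6_FRAGMENT_HDR = 44   # Next Header value of the IPv6 Fragment Extension Header
DNS_PORT = 53

# Fragmentation-relevant fields of one packet (ident is None when IPv6 has no fragment header)
Frag = namedtuple("Frag", "version src dst ident offset more proto payload")


def parse_ip(pkt: bytes) -> Frag:
    """Parse the IPv4 header, or the IPv6 header plus its Fragment Extension Header."""
    version = pkt[0] >> 4
    if version == 4:
        ihl = (pkt[0] & 0x0F) * 4
        ident, flags_off = struct.unpack("!HH", pkt[4:8])      # 16-bit IPID
        more = bool(flags_off & 0x2000)                        # MF flag
        offset = (flags_off & 0x1FFF) * 8                      # offset is in 8-octet units
        return Frag(4, pkt[12:16], pkt[16:20], ident, offset, more, pkt[9], pkt[ihl:])
    if version == 6:
        nxt, body = pkt[6], pkt[40:]
        if nxt != IPV6_FRAGMENT_HDR:
            # Not fragmented (other extension headers are not handled in this example)
            return Frag(6, pkt[8:24], pkt[24:40], None, 0, False, nxt, body)
        # Fragment header: next header, reserved, offset(13)|res(2)|M(1), 32-bit identification
        proto, _, off_m, ident = struct.unpack("!BBHI", body[:8])
        return Frag(6, pkt[8:24], pkt[24:40], ident, (off_m >> 3) * 8, bool(off_m & 1), proto, body[8:])
    raise ValueError("not an IPv4 or IPv6 packet")


class FragmentedDnsMonitor:
    """Flag datagrams whose first fragment is a UDP/53 response, and every later
    fragment that would be reassembled with it. Reassembly keys on
    (src, dst, identification, protocol); a later fragment carries no UDP header,
    so matching that key is all the IP layer checks before gluing it on."""

    def __init__(self):
        self.pending = set()

    def observe(self, pkt: bytes):
        f = parse_ip(pkt)
        if not (f.more or f.offset > 0):
            return None                                        # not a fragment
        key = (f.version, f.src, f.dst, f.ident, f.proto)
        if f.offset == 0:                                      # first fragment: UDP header present
            if f.proto != IPPROTO_UDP or len(f.payload) < 8:
                return None
            sport = struct.unpack("!H", f.payload[:2])[0]
            if sport != DNS_PORT:
                return None
            self.pending.add(key)
            return ("dns-first-fragment", f.version, f.ident, 0)
        if key in self.pending:                                # later fragment matched by key alone
            return ("dns-later-fragment", f.version, f.ident, f.offset)
        return None


def ipv4_packet(src, dst, ident, offset, more, payload):
    """Constructed IPv4 packet (20-byte header, no options) for the demo."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off,
                      64, IPPROTO_UDP, 0, src, dst)
    return hdr + payload


def ipv6_packet(src, dst, ident, offset, more, payload):
    """Constructed IPv6 packet carrying a Fragment Extension Header, then the payload."""
    frag = struct.pack("!BBHI", IPPROTO_UDP, 0, ((offset // 8) << 3) | int(more), ident)
    hdr = struct.pack("!IHBB16s16s", 0x60000000, 8 + len(payload), IPV6_FRAGMENT_HDR, 64, src, dst)
    return hdr + frag + payload


def run_demo():
    """Feed constructed traffic to the monitor and return the alerts it raised."""
    # Constructed UDP header (source port 53) plus a minimal DNS response header
    udp_resp = struct.pack("!HHHH", DNS_PORT, 40000, 8 + 16, 0) + b"\x12\x34\x81\x80" + b"\x00" * 12
    v4_ns, v4_res = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])   # TEST-NET addresses
    v6_ns = ipaddress.IPv6Address("2001:db8::53").packed                  # documentation prefix
    v6_res = ipaddress.IPv6Address("2001:db8::1").packed
    traffic = [
        ipv4_packet(v4_ns, v4_res, 0x1234, 0, True, udp_resp),         # first fragment of a DNS response
        ipv4_packet(v4_ns, v4_res, 0x1234, 24, False, b"A" * 16),      # second fragment, same IPID
        ipv4_packet(v4_ns, v4_res, 0x1235, 24, False, b"B" * 16),      # different IPID: not reassembled with it
        ipv4_packet(v4_ns, v4_res, 0x4321, 0, False, udp_resp),        # unfragmented DNS response
        ipv6_packet(v6_ns, v6_res, 0xDEADBEEF, 0, True, udp_resp),     # IPv6 first fragment (32-bit ident)
        ipv6_packet(v6_ns, v6_res, 0xDEADBEEF, 24, False, b"C" * 16),  # IPv6 second fragment
    ]
    mon = FragmentedDnsMonitor()
    return [a for a in (mon.observe(p) for p in traffic) if a is not None]


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The demo raises four alerts: the first and second fragments of the IPv4 response, and the same pair for IPv6. The fragment with a different IPID and the unfragmented response are ignored, which mirrors the reassembly rule the attack relies on: nothing beyond the (src, dst, identification, protocol) key distinguishes a legitimate second fragment from a spoofed one, so the defensive move is to avoid fragmented DNS responses reaching the resolver in the first place and to log them when they do.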

Presenters:

  • Travis Palmer
    Travis (Travco) Palmer is a Security Research Engineer at Cisco. Travis is a certified OSCP and OSCE who has been getting paid to either fix or break something for over seven years. He is a fan (and sometimes-contributor) of a number of simulator/sandbox video games, and keeper of too many unfinished hardware projects. <https://www.linkedin.com/in/travco1> Twitter: @Travco1
