SAD DNS cache poisoning attack
Baptiste Jonglez
baptiste at bitsofnetworks.org
Sat Nov 14 19:20:54 EST 2020
Hi,
There is a new generic cache poisoning attack for DNS: https://www.saddns.net/
It's a bit tricky, but the general idea is that an attacker can guess
the ephemeral port used by a DNS resolver make a DNS query (that's
dnsmasq in our case). The attacker then "just" has to guess the
transaction ID which is only 16 bits. So, it's not trivial to
actually exploit this problem to do cache poisoning, but it's
definitely made a lot easier.
The attack is relying on ICMP port unreachable messages being sent by
the kernel when hitting an unused UDP port. The problem is how these
messages are rate-limited by the kernel.
From a quick look, OpenWrt is vulnerable because firewall3 has a
"REJECT" firewall rule for WAN that generates ICMP unreachable
messages.
There are two solutions to fix/workaround the problem:
1) randomize ICMP rate limiting (done in upstream kernel, there are
already OpenWrt patches to update it)
2) don't send these ICMP messages on WAN for closed ports (change the
default rule to DROP instead of REJECT, at least for UDP)
Solution 1) should go in stable releases, and we can suggest how to
apply solution 2) on running systems to mitigate the issue for people
that can't upgrade.
Baptiste
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.openwrt.org/pipermail/openwrt-devel/attachments/20201115/6110275d/attachment.sig>
More information about the openwrt-devel
mailing list