Log in

No account? Create an account
DNS bug leaks by matasano - 豬頭'blog — LiveJournal [entries|archive|friends|userinfo]

[ website | 豬頭基 ]
[ userinfo | livejournal userinfo ]
[ archive | journal archive ]

[Links:| o0o blog myspace deviantart PromoDJ KTK project ]

DNS bug leaks by matasano [Jul. 22nd, 2008|09:15 am]
Matasano security leaked out the bug and then tried to get the cat back into the bag.. pretty funny! :)
Anyway, here's the copy of their post, I am eager to experiment with some actual code now ;-)
Originally was posted at www.matasano.com/log/1103/reliable-dns-forgery-in-2008-kaminskys-discovery/

Reliable DNS Forgery in 2008: Kaminsky’s Discovery
from Matasano Chargen by ecopeland

The cat is out of the bag. Yes, Halvar Flake figured out the flaw Dan Kaminsky will announce at Black Hat.

Pretend for the moment that you know only the basic function of DNS — that it translates WWW.VICTIM.COM into The code that does this is called a resolver. Each time the resolver contacts the DNS to translate names to addresses, it creates a packet called a query. The exchange of packets is called a transaction. Since the number of packets flying about on the internet requires scientific notation to express, you can imagine there has to be some way of not mixing them up.

Bob goes to to a deli, to get a sandwich. Bob walks up to the counter, takes a pointy ticket from a round red dispenser. The ticket has a number on it. This will be Bob’s unique identifier for his sandwich acquisition transaction. Note that the number will probably be used twice — once when he is called to the counter to place his order and again when he’s called back to get his sandwich. If you’re wondering, Bob likes ham on rye with no onions.

If you’ve got this, you have the concept of transaction IDs, which are numbers assigned to keep different transactions in order. Conveniently, the first sixteen bits of a DNS packet is just such a unique identifier. It’s called a query id (QID). And with the efficiency of the deli, the QID is used for multiple transactions.

Until very recently, there were two basic classes of DNS vulnerabilities. One of them involves mucking about with the QID in DNS packets and the other requires you to know the Deep Magic.

First, QIDs.

Bob’s a resolver and Alice is a content DNS server. Bob asks Alice for the address of WWW.VICTIM.COM. The answer is Mallory would like the answer to be

It is a (now not) secret shame of mine that for a great deal of my career, creating and sending packets was, to me, Deep Magic. Then it became part of my job, and I learned that it is surprisingly trivial. So put aside the idea that forging IP packets is the hard part of poisoning DNS. If I’m Mallory and I’m attacking Bob, how can he distinguish my packets from Alice’s? Because I can’t see the QID in his request, and the QID in my response won’t match. The QID is the only thing protecting the DNS from Mallory (me).

QID attacks began in the olden days, when BIND simply incremented the QID with every query response. If you can remember 1995, here’s a workable DNS attack. Think fast: 9372 + 1. Did you get 9372, or even miss and get 9373? You win, Alice loses. Mallory sends a constant stream of DNS responses for WWW.VICTIM.COM. All are quietly discarded —- until Mallory gets Bob to query for WWW.VICTIM.COM. If Mallory’s response gets to your computer before the legitimate response arrives from your ISP’s name server, you will be redirected where Mallory tells you you’re going.

Obvious fix: you want the QID be randomly generated. Now Alice and Mallory are in a race. Alice sees Bob’s request and knows the QID. Mallory has to guess it. The first one to land a packet with the correct QID wins. Randomized QIDs give Alice a big advantage in this race.

But there’s a bunch more problems here:


If you convince Bob to ask Alice the same question 1000 times all at once, and Bob uses a different QID for each packet, you made the race 1000 times easier for Mallory to win.

If Bob uses a crappy random number generator, Mallory can get Bob to ask for names she controls, like WWW.EVIL.COM, and watch how the QIDs bounce around; eventually, she’ll break the RNG and be able to predict its outputs.

16 bits just isn’t big enough to provide real security at the traffic rates we deal with in 2008.

Your computer’s resolver is probably a stub. Which means it won’t really save the response. You don’t want it to. The stub asks a real DNS server, probably run by your ISP. That server doesn’t know everything. It can’t, and shouldn’t, because the whole idea of DNS is to compensate for the organic and shifting nature of internet naming and addressing. Frequently, that server has to go ask another, and so on. The cool kids call this “recursion”.

Responses carry another value, too, called a time to live (TTL). This number tells your name server how long to cache the answer. Why? Because they deal with zillions of queries. Whoever wins the race between Alice and Mallory, their answer gets cached. All subsequent responses will be dropped. All future requests for that same data, within the TTL, come from that answer. This is good for whoever wins the race. If Alice wins, it means Mallory can’t poison the cache for that name. If Mallory wins, the next 10,000 or so people that ask that cache where WWW.VICTIM.COM is go to

Then there’s that other set of DNS vulnerabilities. These require you to pay attention in class. They haven’t really been talked about since 1997. And they’re hard to find, because you have to understand how DNS works. In other words, you have to be completely crazy. Lazlo Hollyfeld crazy. I’m speaking of course of RRset poisoning.

DNS has a complicated architecture. Not only that, but not all name servers run the same code. So not all of them implement DNS in exactly the same way. And not only that, but not all name servers are configured properly.

I just described a QID attack that poisons the name server’s cache. This attack requires speed, agility and luck, because if the “real” answer happens to arrive before your spoofed one, you’re locked out. Fortunately for those of you that have a time machine, some versions of DNS provide you with another way to poison the name server’s cache anyway. To explain it, I will have to explain more about the format of a DNS packet.

DNS packets are variable in length and consist of a header, some flags and resource records (RRs). RRs are where the goods ride around. There are up to three sets of RRs in a DNS packet, along with the original query. These are:


Answer RR’s, which contain the answer to whatever question you asked (such as the A record that says WWW.VICTIM.COM is

Authority RR’s, which tell resolvers which name servers to refer to to get the complete answer for a question

Additional RR’s, sometimes called “glue”, which contain any additional information needed to make the response effective.

A word about the Additional RR’s. Think about an NS record, like the one that COM’s name server uses to tell us that, to find out where WWW.VICTIM.COM is, you have to ask NS1.VICTIM.COM. That’s good to know, but it’s not going to help you unless you know where to find NS1.VICTIM.COM. Names are not addresses. This is a chicken and egg problem. The answer is, you provide both the NS record pointing VICTIM.COM to NS1.VICTIM.COM, and the A record pointing NS1.VICTIM.COM to

Now, let’s party like it’s 1995.

Download the source code for a DNS implementation and hack it up such that every time it sends out a response, it also sends out a little bit of evil — an extra Additional RR with bad information. Then let’s set up an evil server with it, and register it as EVIL.COM. Now get a bunch of web pages up with IMG tags pointing to names hosted at that server.

Bob innocently loads up a page with the malicious tags which coerces his browser resolve that name. Bob asks Alice to resolve that name. Here comes recursion: eventually the query arrives at our evil server. Which sends back a response with an unexpected (evil) Additional RR.

If Alice’s cache honors the unexpected record, it’s 1995 —- buy CSCO! —- and you just poisoned their cache. Worse, it will replace the “real” data already in the cache with the fake data. You asked where WWW.EVIL.COM was (or rather, the image tags did). But Alice also “found out” where WWW.VICTIM.COM was: Every resolver that points to that name server will now gladly forward you to the website of the beast.

It’s not 1995. It’s 2008. There are fixes for the attacks I have described.
Fix 1:

The QID race is fixed with random IDs, and by using a strong random number generator and being careful with the state you keep for queries. 16 bit query IDs are still too short, which fills us with dread. There are hacks to get around this. For instance, DJBDNS randomizes the source port on requests as well, and thus won’t honor responses unless they come from someone who guesses the ~16 bit source port. This brings us close to 32 bits, which is much harder to guess.
Fix 2:

The RR set poisoning attack is fixed by bailiwick checking, which is a quirky way of saying that resolvers simply remember that if they’re asking where WWW.VICTIM.COM is, they’re not interested in caching a new address for WWW.GOOGLE.COM in the same transaction.

Remember how these fixes work. They’re very important.

And so we arrive at the present day.

Let’s try again to convince Bob that WWW.VICTIM.COM is

This time though, instead of getting Bob to look up WWW.VICTIM.COM and then beating Alice in the race, or getting Bob to look up WWW.EVIL.COM and slipping strychnine into his ham sandwich, we’re going to be clever (sneaky).

Get Bob to look up AAAAA.VICTIM.COM. Race Alice. Alice’s answer is NXDOMAIN, because there’s no such name as AAAAA.VICTIM.COM. Mallory has an answer. We’ll come back to it. Alice has an advantage in the race, and so she likely beats Mallory. NXDOMAIN for AAAAA.VICTIM.COM.

Alice’s advantage is not insurmountable. Mallory repeats with AAAAB.VICTIM.COM. Then AAAAC.VICTIM.COM. And so on. Sometime, perhaps around CXOPQ.VICTIM.COM, Mallory wins! Bob believes CXOPQ.VICTIM.COM is!

Poisoning CXOPQ.VICTIM.COM is not super valuable to Mallory. But Mallory has another trick up her sleeve. Because her response didn’t just say CXOPQ.VICTIM.COM was It also contained Additional RRs pointing WWW.VICTIM.COM to Those records are in-bailiwick: Bob is in fact interested in VICTIM.COM for this query. Mallory has combined attack #1 with attack #2, defeating fix #1 and fix #2. Mallory can conduct this attack in less than 10 seconds on a fast Internet link.


From: (Anonymous)
2008-07-23 10:41 pm (UTC)
In the final paragraph, how is 'www.victim.com' in bailiwick given a request for 'cxopq.victim.com'? The domain 'www' was not sought, so why should such an irrelevant answer be heeded?
(Reply) (Thread)
From: (Anonymous)
2008-07-24 02:32 am (UTC)
Because the malicious answer for cxopq.victim.com could return a CNAME for www.victim.com and the server will honor the additional A record that comes along with it. Or it could say that www.victim.com is the authoritative NS for cxopq.victim.com and return the A record for www.victim.com alongside. I haven't read any source but I believe that both of these types of responses would pass the test.
(Reply) (Parent) (Thread)
From: (Anonymous)
2008-07-24 05:33 am (UTC)

All have been fixed in non-stupid resolvers

In PowerDNS, for example, source port is randomized, QID uses cryptographic strength RNG, and other changes to meet the problems outlined here:
(Reply) (Thread)
[User Picture]From: beezari
2008-07-24 11:29 am (UTC)

Re: All have been fixed in non-stupid resolvers

Right. However typical resolvers you find in the internet (i.e. bind) source port would be dependent on your underlying kernel implementation (which means - sequential usually).

to answer the question how -> in the response to abcdq.victim.com you can also include statement that ns.victim.com (which is also ns server for wwww.victim.com) lives at IP address of your will. The resolver will memorize this data with TTL period of time, so all subsequent requests to *.victim.com would be sent to your ns. This is one scenario.

scenario #2 would be to tell it the ip for www.victim.com directly which may not work if there're any logical checks.
(Reply) (Parent) (Thread) (Expand)
From: (Anonymous)
2008-07-24 09:44 pm (UTC)

teaching an old dog new tricks

CERT calculated the number of guesses required to guess a QID in the special case of forcing a resolver to generate multiple simultaneous recursive queries (amplification) for a given RR back in 2003 (http://www.kb.cert.org/vuls/id/457875). The table in this advisory is still apropos, since we can still force the victim's resolver to query the same domain often enough and you'd end up with similar magnitude numbers.

In 1997 (http://www.cert.org/advisories/CA-1997-22.html), BIND 4 was using sequential TIDs. Now we have "randomized" TIDs, except that the problem is now more along the lines of the openssl-faulty-entropy scale.
(Reply) (Thread)
From: (Anonymous)
2008-07-25 06:22 am (UTC)

Re: teaching an old dog new tricks

What if I just disable DNS Client? I block a lot of junk with a host file that is 1gb. My pc bogs down if I enable DNS Client.

Please note, I know nothing of computers other than how to format and remove some viruses.
(Reply) (Parent) (Thread) (Expand)
[User Picture]From: suslikesturtles
2008-07-25 01:38 pm (UTC)
*waves shyly* Flew by via Wired. Love your way of explaining. It's so rare that someone uses a language a n00b like me understands. Thanks for this!
(Reply) (Thread)
(Deleted comment)
[User Picture]From: jmadd84
2008-07-25 03:43 pm (UTC)
Greetings from Fark
(Reply) (Thread)
From: barressbegir
2009-02-18 07:56 pm (UTC)
long live .
(Reply) (Parent) (Thread)
From: (Anonymous)
2008-07-25 04:27 pm (UTC)

Thanks for the DNS in plain english!

I rather liked the explanations you used in this article, and I know more about DNS then I did 10 minutes ago thanks to you.
(Reply) (Thread)
From: (Anonymous)
2008-07-29 01:48 am (UTC)

Doesn't this assume IP address spoofing

Correct me if I am wrong here but doesn't this whole attack assume you can spoof the Source IP of the response packet? Does the DNS process use the IP stack such that is checks that the response is actually coming back from the Destination specified in the source packet?

ISP's are now using Reverse path checking to make sure their BPG peers and customers are not sending packets from IP addresses they do not own. I understand that this can be beat because not every ISP actually validates the packets that there customers send. But between the Large AS's I would expect them to check.

(Reply) (Thread)
From: (Anonymous)
2008-08-05 01:31 am (UTC)

Re: Doesn't this assume IP address spoofing

That's what i would like to know... does all this require an attacker to spoof the Source IP of the DNS server used by the victim?

Also, i recently read somewhere (wish i could remember where) that around 25% of ISP's are not blocking spoofed source IP from their users. I assume that is probably a whole lot of little ISP's, but still.
(Reply) (Parent) (Thread) (Expand)
From: (Anonymous)
2008-07-29 02:41 am (UTC)

This is a good and helpful explanation

I found this to be a clear and helpful explanation of the problem. Thank you, and may the information superhighway rise to meet you.
(Reply) (Thread)
From: dqkuyroub
2009-05-18 11:03 am (UTC)

Re: This is a good and helpful explanation

Thanks for a great post. That was definitely what I was searched in past two days.

(Reply) (Parent) (Thread)
[User Picture]From: wildernesscat
2008-08-11 01:00 pm (UTC)
Thanks for the repost!

BTW - I don't know what the Matasano site is all about. Care to provide some more info? Trying to access it yields an error.
(Reply) (Thread)
From: (Anonymous)
2008-08-28 01:55 pm (UTC)

IP spoofing and source routing

This does require IP spoofing, and possibly source routing :-). May be tricky.
(Reply) (Parent) (Thread)
From: (Anonymous)
2010-09-04 04:14 am (UTC)

web traffic

Why not 24 Autohits Traffic Exchange Auto Manual surf - Paid to surf (http://24autohits.com/)
(Reply) (Thread)
From: (Anonymous)
2010-10-13 03:28 am (UTC)

golf equipment

golf equipment (http://www.golfshopping18.com)
Ultrasound (http://www.szbondway.com)
car dvd player (http://www.buyaccomodation.com)
car mp3 player (http://www.buyaccomodation.com)
gps navigator (http://www.buyaccomodation.com)
TaylorMade Burner Superfast Driver (http://www.thisbuy.com)
(Reply) (Thread)
From: (Anonymous)
2011-02-15 05:51 am (UTC)


"these analytics web-sites which you always hear about seriously do not know what they're carrying out, i mean, consider this web page as an example, probably not even bringing in as a lot of views as his stats say, get a better stat service or something"
(Reply) (Parent) (Thread)
From: (Anonymous)
2011-02-16 08:32 am (UTC)
Questo è stato un bel articolo da leggere, grazie per la condivisione di essa.
(Reply) (Thread)
From: (Anonymous)
2011-02-25 08:08 am (UTC)
Mi chiedo ora se si può parlare di statistiche del tuo sito - volume di ricerca, ecc, sto cercando di siti che possono acquistare attraverso adspace - fatemi sapere se si può parlare di prezzi e quant'altro. Cheers mate si sta facendo un ottimo lavoro comunque.
(Reply) (Thread)