blob: 32885c3814838de2f4b3a0174b87e3e85c9d5522 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
|
# SADDNS2.0: DNS Cache Poisoning Attack: Resurrections with Side Channels
## Introduction
**SADDNS2.0** is a tool for launching the **DNS cache poisoning attack**. It infers the ephemeral port number and brute forces the TxID by exploiting ***F**orwarding Information Base(FIB) **N**ext **H**op **E**xception(FNHE)* cache as a side channel.
This is a different side channel cache poisoning attack derived from [SADDNS](https://github.com/seclab-ucr/SADDNS). Most code usage may remain the same.
## How it works
1. Scan ephemeral ports opened by the resolver.
2. Brute force TxID.
The side channel leverages the hash table storing fnhe entry as a shared resource (between the **spoofed** and non-spoofed IPs), which controls whether an IP packet should be fragmented or not. This gives the off-path attacker the ability to identify whether previous **spoofed** ICMP fragment needed packets were accepted or not, which further indicates whether the guessed port is correct or not.
The following figure shows the detail of inferring ephemeral ports.
### Why spoofed IP is still necessary?
- Compared with [SADDNS](https://github.com/seclab-ucr/SADDNS), SADDNS2.0 uses embedded UDP packet to scan open port and therefore no IP spoofing is needed during the scanning phase.
- IP spoofing is still required for injecting rogue responses.
## Additional resources
### Website
[**SADDNS**](https://www.saddns.net)
## How to run
### Requirements
- An IP-spoofing-capable host (preferably Linux. Windows is ok but suffers from low performance.).
- A domain (attacker-controlled name server)
- Other things needed to make clear:
- The resolver to poison (victim resolver)
- The domain to poison (victim domain)
- *The **victim domain**'s record will be poisoned on the **victim resolver**.*
### Overview
- Determine the attack type (e.g., public or private port, fragment needed or redirect packet as the payload).
- Guess the seed/key of FNHE hsah table if private port is used.
- Flood query traffic to mute the name server of the victim domain (see [SADDNS](https://github.com/seclab-ucr/SADDNS) repo for flooding scripts).
- Run attack program to guess the port number and TxID automatically.
### Steps
1. Compile
```go build ucr.edu/SADDNS2.0```(requires ```gopacket``` and ```libpcap```)
2. Seed guessing (only required when probing private ports)
See the paper for details. ```GuessSeed.go``` provides methods to send out seed guessing packets. ```guessSeed4.c``` implements hash guessing functions to guess the seed.
4. Start flooding
```./dns_query.sh &```(requires ```hping3```)
Please see the comment in the file for usage.
5. Start attacking (flooding is still in progress)
```sudo ./saddns [args]```
Run ```./saddns -h``` for usage.
## Questions and issues
Please submit them by opening a new issue.
|
