A vulnerability discovered in Linux makes it possible to attack DNS servers and potentially redirect millions of users to fake sites at once. Up to 38% of DNS servers could be affected, including services such as OpenDNS.
An old DNS flaw has resurfaced more than ten years later. Presented at the ACM CCS 2021 security conference and described by researchers at the University of California, it could affect up to 38% of DNS servers.
To understand it, we need to go back to the initial discovery of a flaw in DNS servers in 2008. These servers hold the list of domain names and the IP address of the corresponding website. When you enter an address, your computer contacts a DNS server, usually your ISP's, to obtain the IP address. Researchers discovered that it was possible to poison the cache of DNS servers by sending them a forged update, so that trusted sites, e.g. a .com domain, were then redirected to fake sites.
An attack made possible by brute force
At that time, the update of a DNS server's cache was protected only by a 16-bit transaction identifier, i.e. 65,536 possibilities. It was therefore possible to attack a server by brute force, trying every identifier, and thus redirect all the computers that depend on it. The flaw was fixed by using a random UDP source port for the exchange, which adds another 16 bits, for about four billion possible combinations.
However, a newly discovered flaw calls this protection into question. It relies on the error messages, called ICMP, that DNS servers use to communicate. Researchers have shown that it is possible to use an ICMP message to determine the correct UDP port number. An attack then only has to brute-force the transaction identifier, as when the original flaw was discovered in 2008.
All Linux-based DNS servers are potentially affected
It affects Linux-based servers, or about 38% of DNS servers according to the researchers. It works by sending a very specific error message (of type ICMP Redirect or ICMP Fragmentation Needed). Because this is an error message, the server does not reply, and in theory it is impossible to know whether it was sent to the correct port. However, this message can change the maximum packet size (MTU) recorded by the server, which can then be measured. It is therefore enough to repeat the operation, port by port, until the correct one is found, i.e. at most 65,536 times. A direct brute-force attack using the method discovered in 2008 then becomes possible.
According to the researchers, FreeBSD servers are not affected by this defect. macOS servers should therefore not be vulnerable either, since they use the FreeBSD network stack. The researchers suggest three fixes: use the IP_PMTUDISC_OMIT socket option so that the socket ignores ICMP Fragmentation Needed messages, randomize the cache structure, or simply reject ICMP Redirect messages, which are rarely used. Cisco, which owns OpenDNS, the service cited as vulnerable by the researchers, says on its website that it has already fixed the defect.
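The first of the three fixes is something a resolver operator can apply at the socket level. The following added example (not code from the article, the researchers or any resolver project) shows a Linux UDP socket of the kind a resolver uses for upstream queries being put into IP_PMTUDISC_OMIT mode and the setting being read back for verification. In that mode the kernel sends without the DF bit and ignores the path MTU cache for this socket, so a forged ICMP Fragmentation Needed message can no longer change the packet size the socket sees. The function names are this example's own; it assumes Linux with glibc headers.

```c
/* Added example: hardening a resolver's UDP socket with IP_PMTUDISC_OMIT.
 * Assumes Linux; on other systems the helpers report ENOTSUP. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_PMTUDISC_OMIT
#define IP_PMTUDISC_OMIT 5   /* Linux uapi value, for older libc headers */
#endif

/* Put a UDP socket into IP_PMTUDISC_OMIT mode.
 * Returns 0 on success, -1 on error with errno set. */
int set_pmtu_omit(int fd)
{
#ifdef __linux__
    int mode = IP_PMTUDISC_OMIT;
    return setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &mode, sizeof mode);
#else
    (void)fd;
    errno = ENOTSUP;
    return -1;
#endif
}

/* Read back the current path MTU discovery mode of a socket, so a
 * deployment check can confirm the hardening actually took effect.
 * Returns the mode value, or -1 on error. */
int get_pmtu_mode(int fd)
{
#ifdef __linux__
    int mode = -1;
    socklen_t len = sizeof mode;
    if (getsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &mode, &len) < 0)
        return -1;
    return mode;
#else
    (void)fd;
    errno = ENOTSUP;
    return -1;
#endif
}

/* Open an IPv4 UDP socket (what a resolver uses for upstream queries),
 * harden it, and return the descriptor, or -1 if either step fails. */
int open_hardened_udp_socket(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    if (set_pmtu_omit(fd) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

int main(void)
{
    int fd = open_hardened_udp_socket();
    if (fd < 0) {
        perror("open_hardened_udp_socket");
        return 1;
    }
    printf("IP_MTU_DISCOVER mode = %d (IP_PMTUDISC_OMIT = %d)\n",
           get_pmtu_mode(fd), IP_PMTUDISC_OMIT);
    close(fd);
    return 0;
}
```

A resolver that binds a fresh random-port socket per query would call set_pmtu_omit on each one before sending; the read-back is useful in a start-up self-check so that a kernel or libc that silently ignores the option is noticed rather than assumed to be protected.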
What you have to remember
- The 2008 DNS cache poisoning defect reappears.
- DNS cache poisoning allows you to replace legitimate sites with fake ones.
- All Linux DNS servers are potentially affected.