A flaw in Linux could jeopardize the Internet!

A vulnerability discovered in Linux makes it possible to attack DNS servers and potentially redirect millions of users to fake sites at once. Up to 38% of DNS servers could be affected, including services such as OpenDNS.

An old DNS cache poisoning flaw has resurfaced more than ten years later. Presented at the ACM CCS 2021 cybersecurity conference, the flaw described by researchers at the University of California could affect up to 38% of DNS servers.

To understand this, we need to go back to the initial discovery of a DNS server flaw in 2008. These servers contain the complete list of all domain names and the IP address of the corresponding website. When you enter an address, your computer connects to a DNS server, usually your ISP's, to obtain the IP address. Researchers then discovered that it was possible to poison the cache of DNS servers by sending them a fake update that makes trusted sites, e.g. Google.com, redirect to fake sites.

An attack made possible by brute force

At that time, DNS server cache updates were protected only by a 16-bit transaction identifier, or 65,536 possibilities. It was then possible to attack a server by brute force, testing all identifiers, and thus redirect all computers that depend on it. The flaw was solved by using a random UDP port to communicate, multiplying the possibilities by 16 bits, or about four billion possible combinations.

However, a newly discovered flaw in Linux calls this protection into question. It is based on error messages, called ICMP, used by DNS servers to communicate. Researchers have shown that it is possible to use an ICMP message to determine the correct UDP port number. An attacker then only has to brute-force the transaction identifier, as when the original flaw was discovered in 2008.

All Linux-based DNS servers are potentially affected

The flaw affects Linux servers, or about 38% of servers according to the researchers. It works by sending a very specific error message (of type ICMP redirect or ICMP frag needed). Because this is an error message, the server does not respond, and in theory it is impossible to know whether it was sent to the correct port. However, on Linux this message can change the maximum packet size (MTU) of the server, which can be measured with a simple "ping". Therefore, it is enough to repeat the operation, changing the port each time, until the correct one is discovered, i.e. a maximum of 65,536 times. It is then possible to launch a direct brute-force attack using the method discovered in 2008.

According to the researchers, Windows and FreeBSD servers are not affected by this flaw. Therefore, macOS servers should not be vulnerable, as they use the FreeBSD network protocol stack. The researchers suggest three solutions: use the IP_PMTUDISC_OMIT socket option to reject ICMP frag needed messages, randomize the cache structure, or simply reject ICMP redirect messages, which are rarely used. According to the website Ars Technica, Cisco, which owns the OpenDNS servers cited as vulnerable by the researchers, said it had already fixed the flaw.
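
The first of these three solutions, sketched as an added example (not code from the researchers or from any DNS server): a Linux resolver sets IP_PMTUDISC_OMIT on its outbound UDP socket, reads the value back, and refuses to use the socket if the kernel did not accept it. The function names are hypothetical, and the fallback value 5 for IP_PMTUDISC_OMIT is the one defined in `<linux/in.h>`.

```c
/* Added example, Linux only: opt a resolver's UDP socket out of ICMP
 * "frag needed" handling, then confirm the kernel applied the setting. */
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_PMTUDISC_OMIT
#define IP_PMTUDISC_OMIT 5   /* value from <linux/in.h>, Linux 3.15+ */
#endif

/* Returns 0 on success, -1 (errno set) if the kernel refuses the option. */
int harden_dns_socket(int fd)
{
    int mode = IP_PMTUDISC_OMIT;
    return setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &mode, sizeof mode);
}

/* Returns the socket's current path-MTU discovery mode, or -1 on error. */
int pmtu_mode(int fd)
{
    int mode = -1;
    socklen_t len = sizeof mode;
    if (getsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &mode, &len) != 0)
        return -1;
    return mode;
}

/* Hypothetical helper: open the socket used for upstream queries and
 * fail closed (return -1) if it cannot be hardened. */
int open_hardened_query_socket(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    if (harden_dns_socket(fd) != 0 || pmtu_mode(fd) != IP_PMTUDISC_OMIT) {
        close(fd);   /* never query from a socket left in the default mode */
        return -1;
    }
    return fd;
}

int main(void)
{
    int fd = open_hardened_query_socket();
    if (fd < 0) { perror("open_hardened_query_socket"); return 1; }
    printf("IP_MTU_DISCOVER = %d (IP_PMTUDISC_OMIT)\n", pmtu_mode(fd));
    close(fd);
    return 0;
}
```

The option is per socket, so it has to be applied to every socket the resolver opens for upstream queries.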

What you have to remember

  • The 2008 DNS cache poisoning defect reappears.
  • DNS cache poisoning allows you to replace legitimate sites with fake ones.
  • All Linux DNS servers are potentially affected.
