About the DNS cache poisoning bug warning - Black Bar Safety Net

2008-07-31T00:00:00
ID MYHACK58:62200819875
Type myhack58
Reporter Anonymous
Modified 2008-07-31T00:00:00

Description

Author: Gale

I usually don't go online in my spare time over the weekend, but when I came back and took a look, the Internet was still flooded with this DNS vulnerability.

There has been too much hype, so I didn't want to write about this exploit. Lately it seems that everyone who blogs is eager to write a few lines about this vulnerability, to show that their interests and attention are in line with everyone else's.

Three exploits have come out so far: the oldest is the Ruby one, HD Moore's module for Metasploit 3, then a Python one, and finally, today, a C implementation.

In fact, I think what everyone should care about is the success rate. Cloud Shu has written several articles analysing it, and his conclusion is that this is a YY (fantasy) vulnerability: because you need to guess the real source port and also the resolver's QID, it is essentially a race condition, and your reply has to arrive before the real name server's reply does, so the probability is not high.

However, because once it works you can re-specify the nameserver, which poisons the entire domain (for example yahoo.com), the value is still very high. So the question comes back to the success rate: even if the probability is small, succeeding once is enough, and given a long enough time the success rate improves.

But from the foreign discussion I've seen over the last few days, the situation seems better than Cloud Shu imagined.

First, DD's method for calculating the success rate.

Assume the following symbols are used:

I: Number of distinct IDs available (maximum 65536)

P: Number of ports used (maximum around 64000, but often 1)

N: Number of authoritative nameservers for a domain (averages around 2.5)

F: Number of 'fake' packets sent by the attacker

R: Number of packets sent per second by the attacker

W: Window of opportunity, in seconds. Bounded by the response time of the authoritative servers (often 0.1 s)

D: Average number of identical outstanding questions of a resolver (typically 1, see Section 5)

A: Number of attempts, one for each window of opportunity

The probability of spoofing a resolver is equal to amount of fake packets that arrive within the window of opportunity, divided by the size of the problem space.

When the resolver has 'D' multiple identical outstanding questions, each fake packet has a proportionally higher chance of matching any of these questions. This assumption only holds for small values of 'D'.

In symbols, if the probability of being spoofed is denoted as P_s:

P_s = DF/(N*P*I)

It is more useful to reason not in terms of aggregate packets but to convert to packet rate, which can easily be converted to bandwidth if needed.

If the Window of opportunity length is 'W' and the attacker can send 'R' packets per second, the number of fake packets 'F' that are candidates to be accepted is:

F = R * W ---> P_s = DRW/(N*P*I)

To calculate the combined chance of at least one success, the following formula holds:

P_cs = 1 - (1 - P_s)^A = 1 - (1 - DRW/(N*P*I))^A

When common numbers (as listed above) for D, W, N, P and I are inserted, this formula reduces to

P_cs = 1 - (1 - R/1638400)^A

The difference between this attack and the one described in the original study (http://www.faqs.org/ftp/internet-drafts/draft-hubert-dns-anti-spoofing-00.txt) is in the number A.

In the original study, A = T/TTL, where T is the time taken to successfully poison target resolvers, and TTL is the number of seconds until the target hostname expires. In other words, each time we fail to poison, we have to wait TTL seconds before trying again.

In this case, A = N, which is the number of queries we send to target resolvers. This is because we don't have to wait any second even if we fail to poison in all previous attempts. Remember the CNAME trick above?

So all you must do now is to increase R and A. Suppose for each query, you send F = 30 fake responses to target resolvers in W = 0.1, hence your bandwidth should be R = F/W = 300 packet/s. If A = 4000, then you stand a 51% chance to be successful! It's that easy.

If you use Metasploit, you can use the following formula to calculate your probability:

P_cs = 1 - (1 - xids/2^16)^A

where xids is the number of fake responses you want to send for each query. Remember to consider your bandwidth capacity when choosing xids. If you choose the default value, i.e. xids=10, then you can expect to poison successfully after A>4000.

One final note: this attack is not a birthday attack, because we only have one open query to guess its QID.

Next is the C-language version of the exploit. Its author says his success rate is also high; it basically gets there in about 80 seconds.

So I rewrote the attack in C and was about to publish it when I noticed that Druid and HDM just released their metasploit module. I have not had the time to compare the 2 but in case anybody is interested, here it is:

$ ./minsky-attack q.q.q.q r.r.r.r a.a.a.a 1234 pwned example.com. 1.1.1.1 8192 16

This should cause a pwned.example.com A record resolving to 1.1.1.1 to appear in r.r.r.r's cache. The chance of successfully poisoning the resolver with this example (8192 attempts and 16 replies/attempt) is 86% (1-(1-16/65536)**8192). This example also requires a bandwidth of about 2.6 Mbit/s (16 replies/attempt * ~200 bytes/reply * 100 attempts/s * 8 bits/byte) and takes about 80 secs to complete (8192 attempts / 100 attempts/s).

Things could clearly be optimized, eg. by using label compression in the DNS packets (oh and don't comment on the quality of the code - it was rushed :P), but I am very interested to see how Kaminsky got it down to "10 secs on a fast Internet link" (does he mean 10+ Mbit/s, or is he using other more advanced tricks ?)

-marc
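Both the success-rate formulas quoted from DD above and Marc's bandwidth and time estimate can be checked with a few lines of Python. This is an added example, not code from the original post or from any of the exploits it mentions; the function names are mine, the defaults are the "common numbers" from the quoted analysis, and the last loop goes one step beyond the text by showing what the P term does once a resolver randomises its source port, which is the mitigation the formula itself points at.

```python
import math

# Defaults are the "common numbers" from the quoted analysis: D=1 outstanding
# question, N=2.5 authoritative servers, P=1 source port, I=65536 IDs,
# F=30 fake replies per window of opportunity.

def p_single(D=1, F=30, N=2.5, P=1, I=65536):
    """P_s = D*F / (N*P*I): chance that one window of opportunity is spoofed."""
    return D * F / (N * P * I)

def p_combined(A, D=1, F=30, N=2.5, P=1, I=65536):
    """P_cs = 1 - (1 - P_s)^A: chance of at least one success in A attempts."""
    return 1 - (1 - p_single(D, F, N, P, I)) ** A

def p_metasploit(xids, A):
    """The simplified form given for the Metasploit module: I = 2^16, N=P=D=1."""
    return 1 - (1 - xids / 2 ** 16) ** A

def attempts_for(target, D=1, F=30, N=2.5, P=1, I=65536):
    """Smallest A with P_cs >= target, by solving (1 - P_s)^A <= 1 - target."""
    ps = p_single(D, F, N, P, I)
    return math.ceil(math.log(1 - target) / math.log(1 - ps))

def attack_cost(F, A, rate, reply_bytes=200):
    """Marc's back-of-the-envelope estimate: (Mbit/s, seconds) for A attempts
    at `rate` attempts per second, each sending F replies of reply_bytes."""
    mbit_s = F * reply_bytes * rate * 8 / 1e6
    return mbit_s, A / rate

if __name__ == "__main__":
    # DD's example: F=30, A=4000 -> about 51%
    print(f"F=30, A=4000: P_cs = {p_combined(4000):.1%}")
    # Marc's example: 16 replies/attempt, 8192 attempts, one authoritative server
    print(f"F=16, A=8192, N=1: P_cs = {p_combined(8192, F=16, N=1):.1%}")
    mbit, secs = attack_cost(16, 8192, 100)
    print(f"  needs {mbit:.2f} Mbit/s for {secs:.0f} s at 100 attempts/s")
    # Metasploit default xids=10
    print(f"xids=10, A=4000: P_cs = {p_metasploit(10, 4000):.1%}")
    # Why source-port randomisation matters: P sits in the denominator of P_s
    for ports in (1, 64000):
        print(f"ports={ports:>5}: attempts for a 50% chance = {attempts_for(0.5, P=ports):,}")
```

With P=1 the 50% mark is reached in under 4000 attempts; with P=64000 it takes on the order of 10^8 attempts, which is why the fix for this bug was to randomise the source port rather than only the QID.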

Because so many people are watching this vulnerability, and I have always disliked the YY style, I had no interest in researching it. But I think that regardless of whether Dan really has a new method for quickly guessing the QID, we should not draw premature conclusions; a rigorous attitude is the proper way to study.