Abstract
Internet systems and networks have a long history of attacks by off-path adversaries. An off-path adversary cannot see the traffic exchanged by the legitimate end points; in the course of an attack it attempts to impersonate some victim by injecting spoofed packets into the communication flow. Such attacks subvert the correctness and availability of Internet services and have been applied, among others, to DNS cache poisoning, TCP injections and reflection DDoS attacks.
A significant research effort is aimed at hardening client systems against off-path attacks by designing challenge-response defences, whereby random challenges are sent with the request and the responses are validated to echo the corresponding values.
In this work we study the security of a standard and widely deployed challenge-response defence, port randomisation, and show that off-path attackers can efficiently and stealthily learn the ports selected by end systems.
We show how to apply our techniques to DNS cache poisoning. We tested our attacks against standard and patched operating systems and popular DNS resolver software. Our results motivate speeding up adoption of cryptographic defences for DNS.
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Shulman, H., Waidner, M. (2014). Fragmentation Considered Leaking: Port Inference for DNS Poisoning. In: Boureanu, I., Owesarski, P., Vaudenay, S. (eds) Applied Cryptography and Network Security. ACNS 2014. Lecture Notes in Computer Science, vol 8479. Springer, Cham. https://doi.org/10.1007/978-3-319-07536-5_31
DOI: https://doi.org/10.1007/978-3-319-07536-5_31
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-07535-8
Online ISBN: 978-3-319-07536-5
eBook Packages: Computer Science (R0)