A group of Researchers from Tsinghua University and the University of California at Riverside have developed a new type of attack which allows the substitution of false data in the DNS server cache, which can be used to spoof the IP address of an arbitrary domain and redirect calls to the domain to the attacker's server.
The attack bypasses added protection to DNS servers to block the classic DNS cache poisoning method proposed in 2008 by Dan Kaminsky.
The Kaminsky method manipulates the negligible size of the DNS query id field, which is only 16 bit. To find the correct identifier needed to spoof the hostname, just send about 7.000 requests and simulate about 140.000 bogus responses.
The attack boils down to sending a large number of fake IP-bound packets to the DNS resolver with different DNS transaction ids. To prevent the first response from being cached, a slightly modified domain name is specified in each bogus response.
To protect against this type of attack, DNS server manufacturers implemented a random distribution of network port numbers from which the resolution requests are sent, which compensated for the insufficiently large identifier size (to send a fictitious response, in addition to selecting a 16-bit identifier, it was necessary to select one of 64 thousand ports, which increased the number of options for selection to 2 ^ 32).
El ataque SAD DNS dramatically simplifies port identification by taking advantage of filtered activity on network ports. The problem manifests itself in all operating systems (Linux, Windows, macOS and FreeBSD) and when using different DNS servers (BIND, Unbound, dnsmasq).
It is claimed that 34% of all open solvers are attacked, as well as 12 of the top 14 tested DNS services, including 8.8.8.8 (Google), 9.9.9.9 (Quad9), and 1.1.1.1 (CloudFlare) services, as well as 4 out of 6 tested routers from reputable vendors.
The problem is due to the peculiarity of ICMP response packet formation, which allows you to determine access to active network ports and not used over UDP. This feature allows you to very quickly scan open UDP ports and effectively bypass protection based on a random selection of source network ports, reducing the number of brute force options to 2 ^ 16 + 2 ^ 16 instead of 2 ^ 32.
The source of the problem is the mechanism to limit the intensity of the shipment number of ICMP packets on the network stack, which uses a predictable counter value, from which forward throttling begins. This counter is common for all traffic, including fake traffic from the attacker and real traffic. By default, on Linux, ICMP responses are limited to 1000 packets per second. For each request that reaches a closed network port, the network stack increments the counter by 1 and sends an ICMP packet with data from the unreachable port.
So if you send 1000 packets to different network ports, all of which are closed, the server will restrict the sending of ICMP responses for one second and the attacker can be sure that there are no open ports among the 1000 searched ports. If a packet is sent to an open port, the server will not return an ICMP response and it will not change the counter value, that is, after 1000 packets are sent, the response rate limit will not be reached.
Since the fake packets are carried out from a fake IP, the attacker cannot receive ICMP responses, but thanks to the total counter, after every 1000 fake packets, he can send a request to a non-existent port from a real IP and evaluate the arrival of the answer; if the answer came, then in one of the 1000 packages. Every second, an attacker can send 1000 bogus packets to different ports and quickly determine which block the open port is in, then narrow down the selection and determine a specific port.
The Linux kernel solves the problem with a patch that randomizes the parameters to limit the intensity of sending ICMP packets, which introduces noise and minimizes data leakage through side channels.
Source: https://www.saddns.net/