COMMAND
DNS
SYSTEMS AFFECTED
Win NT 4.0 (server)
PROBLEM
An attacker can send a query to a DNS server asking for the IP
address (for example, of www.microsoft.com.) The DNS server sends
a recursive query on behalf of the client at which point the
attacker floods the DNS server with responses indicating the IP
address (for example, for www.microsoft.com it may return
127.0.0.1,) or any other incorrect response as desired by the
attacker. The DNS server caches this result and subsequent
queries for this site return the incorrect IP address. The cached
entry can be set to live for an arbitrarily long time in the
cache and is not purged until the DNS server is reset.
The Domain Name System (DNS) is used to resolve names with IP
addresses and a DNS query can be sent to any DNS server. If the
server does not have the authoritative answer to the query, it
can ask other DNS servers in the DNS tree for the answer. This is
called a recursive query. The result of a recursive query is
cached by the originating DNS server to improve performance. A
DNS server may have many outstanding recursive queries at any one
moment in time and each outstanding query is identified by a
query ID.
Microsoft Windows NT (and many other) DNS servers use a
predictable sequence of query IDs when resolving recursive
queries. If an attacker can determine the current sequence
number, they can determine future sequence numbers. Knowledge of
future sequence numbers helps an attacker flood a DNS server with
spoofed responses to recursive queries. This makes a "cache
pollution" attack easier to accomplish.
Attack (by SNI) goes like this:
. HOST.ATTACKER.COM is the attacking host.
. DNS.ATTACKER.COM is ATTACKER.COM's nameserver, we presume
that this is the only name server for ATTACKER.COM to
simplify the description.
. DNS.TARGET.COM is the target nameserver which runs BIND.
What we will attempt to do is add an A (address) resource
record on DNS.TARGET.COM that will resolve WWW.SPOOFED.COM
to 127.0.0.1. We are sure that WWW.SPOOFED.COM is not
cached in DNS.TARGET.COM's DNS cache.
. DNS.SPOOFED.COM is the nameserver for SPOOFED.COM's
domain. We have determined this before the attack begins.
Once again we just presume its the only one in order to
simplify this description.
The Attack
~~~~~~~~~~
A. First a query is sent to DNS.TARGET.COM asking for the
address of UNKNOWN.ATTACKER.COM. Our query has the
recursion desired bit set, meaning that if the nameserver
we are querying has recursion enabled, it will query
another nameserver with our query (assuming it does not
have the information cached).
B. DNS.TARGET.COM will first determine who serves the
ATTACKER.COM domain, then it will build a query packet
and send it to DNS.ATTACKER.COM.
C. We sniff DNS.ATTACKER.COM's local network and retrieve
the query packet sent by DNS.TARGET.COM to
DNS.ATTACKER.COM. We can then determine the query ID
(qid0) used by DNS.TARGET.COM. Chances are that the next
queries generated by DNS.TARGET.COM will have query IDs
that will fall in the range [qid0,qid0+N] where N is
dependent on the amount of queries DNS.TARGET.COM is
generating in the period of time on which the attack
takes place. N is usually <= 10 for most cases.
D. Once we have determined what the next query ID generated
will be, we send a query to DNS.TARGET.COM asking for
WWW.SPOOFED.COM's address.
E. Then we start sending spoofed DNS replies from
DNS.SPOOFED.COM, telling DNS.TARGET.COM that
WWW.SPOOFED.COM is '127.0.0.1'.
F. If we guessed the query ID used by DNS.TARGET.COM in its
recursed query and our response is received first, our
response will be taken as valid and the address will be
cached. Subsequent responses will be discarded as
duplicates. We can always send many (N*M) spoofed
packets with different IDs in the range (qid0,qid0+N] so
we will be sure that at least one of them will hit
DNS.TARGET.COM and have the 'right' ID. M is a factor
dependent of the amount of UDP packets we expect to lose
on their way to DNS.TARGET.COM.
This attack depends on a few things to succeed:
1. The attacker has complete control of DNS.ATTACKER.COM's
network, he can both spoof and sniff DNS packets there. In
particular, he can sniff DNS packets sent to DNS.ATTACKER.COM.
2. Spoofed DNS responses sent from the attacker to DNS.TARGET.COM
must be received before the legit response from
DNS.SPOOFED.COM. This is very easy to achieve. In testing we
have not yet encountered a situation where we could not get
our packets to the nameserver first.
3. The name server on DNS.TARGET.COM supports recursion and
caches responses. This is common practice. It should be
noted that most nameservers allow recursion (unless
specifically denied by configuration options). Root name
servers, however, do not allow recursion.
If DNS.TARGET.COM caches negative responses as well (NCACHE), a
denial of service attack can be performed, in this case, spoofed
responses sent by the attacker will tell DNS.TARGET.COM that
WWW.SPOOFED.COM does not exist (and be authorative on this).
The existence of several nameservers for the domains does not
alter the basic outline of this attack. The attacker would only
need to send DNS responses with source addresses of each of
SPOOFED.COM's nameservers. (N*M*I responses, where I is the
number of nameservers).
SOLUTION
The Microsoft DNS Server has been modified to use random query
IDs. Random query IDs reduce the effectiveness of this cache
pollution attack. Obtain the following fix, or wait for the next
Windows NT service pack. This hotfix has been posted to the
following Internet location:
ftp://ftp.microsoft.com/
following path:
bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/dns-fix