1. The cat is out of the bag. Yes, Halvar Flake figured out the flaw Dan
  2. Kaminsky will announce at Black Hat.
  3. 1.
  5. Pretend for the moment that you know only the basic function of DNS —
  6. that it translates WWW.VICTIM.COM into 1.2.3.4. The code that does
  7. this is called a resolver. Each time the resolver contacts the DNS to
  8. translate names to addresses, it creates a packet called a query. The
  9. exchange of packets is called a transaction. Since the number of
  10. packets flying about on the internet requires scientific notation to
  11. express, you can imagine there has to be some way of not mixing them
  12. up.
  14. Bob goes to to a deli, to get a sandwich. Bob walks up to the counter,
  15. takes a pointy ticket from a round red dispenser. The ticket has a
  16. number on it. This will be Bob's unique identifier for his sandwich
  17. acquisition transaction. Note that the number will probably be used
  18. twice — once when he is called to the counter to place his order and
  19. again when he's called back to get his sandwich. If you're wondering,
  20. Bob likes ham on rye with no onions.
  22. If you've got this, you have the concept of transaction IDs, which are
  23. numbers assigned to keep different transactions in order.
  24. Conveniently, the first sixteen bits of a DNS packet is just such a
  25. unique identifier. It's called a query id (QID). And with the
  26. efficiency of the deli, the QID is used for multiple transactions.
  27. 2.
  29. Until very recently, there were two basic classes of DNS
  30. vulnerabilities. One of them involves mucking about with the QID in
  31. DNS packets and the other requires you to know the Deep Magic.
  33. First, QIDs.
  35. Bob's a resolver and Alice is a content DNS server. Bob asks Alice for
  36. the address of WWW.VICTIM.COM. The answer is 1.2.3.4. Mallory would
  37. like the answer to be 6.6.6.0.
  39. It is a (now not) secret shame of mine that for a great deal of my
  40. career, creating and sending packets was, to me, Deep Magic. Then it
  41. became part of my job, and I learned that it is surprisingly trivial.
  42. So put aside the idea that forging IP packets is the hard part of
  43. poisoning DNS. If I'm Mallory and I'm attacking Bob, how can he
  44. distinguish my packets from Alice's? Because I can't see the QID in
  45. his request, and the QID in my response won't match. The QID is the
  46. only thing protecting the DNS from Mallory (me).
  48. QID attacks began in the olden days, when BIND simply incremented the
  49. QID with every query response. If you can remember 1995, here's a
  50. workable DNS attack. Think fast: 9372 + 1. Did you get 9372, or even
  51. miss and get 9373? You win, Alice loses. Mallory sends a constant
  52. stream of DNS responses for WWW.VICTIM.COM. All are quietly discarded
  53. —- until Mallory gets Bob to query for WWW.VICTIM.COM. If Mallory's
  54. response gets to your computer before the legitimate response arrives
  55. from your ISP's name server, you will be redirected where Mallory
  56. tells you you're going.
  58. Obvious fix: you want the QID be randomly generated. Now Alice and
  59. Mallory are in a race. Alice sees Bob's request and knows the QID.
  60. Mallory has to guess it. The first one to land a packet with the
  61. correct QID wins. Randomized QIDs give Alice a big advantage in this
  62. race.
  64. But there's a bunch more problems here:
  66.    *
  68.      If you convince Bob to ask Alice the same question 1000 times
  69. all at once, and Bob uses a different QID for each packet, you made
  70. the race 1000 times easier for Mallory to win.
  71.    *
  73.      If Bob uses a crappy random number generator, Mallory can get
  74. Bob to ask for names she controls, like WWW.EVIL.COM, and watch how
  75. the QIDs bounce around; eventually, she'll break the RNG and be able
  76. to predict its outputs.
  77.    *
  79.      16 bits just isn't big enough to provide real security at the
  80. traffic rates we deal with in 2008.
  82. Your computer's resolver is probably a stub. Which means it won't
  83. really save the response. You don't want it to. The stub asks a real
  84. DNS server, probably run by your ISP. That server doesn't know
  85. everything. It can't, and shouldn't, because the whole idea of DNS is
  86. to compensate for the organic and shifting nature of internet naming
  87. and addressing. Frequently, that server has to go ask another, and so
  88. on. The cool kids call this "recursion".
  90. Responses carry another value, too, called a time to live (TTL). This
  91. number tells your name server how long to cache the answer. Why?
  92. Because they deal with zillions of queries. Whoever wins the race
  93. between Alice and Mallory, their answer gets cached. All subsequent
  94. responses will be dropped. All future requests for that same data,
  95. within the TTL, come from that answer. This is good for whoever wins
  96. the race. If Alice wins, it means Mallory can't poison the cache for
  97. that name. If Mallory wins, the next 10,000 or so people that ask that
  98. cache where WWW.VICTIM.COM is go to 6.6.6.0.
  99. 3.
  101. Then there's that other set of DNS vulnerabilities. These require you
  102. to pay attention in class. They haven't really been talked about since
  103. 1997. And they're hard to find, because you have to understand how DNS
  104. works. In other words, you have to be completely crazy. Lazlo
  105. Hollyfeld crazy. I'm speaking of course of RRset poisoning.
  107. DNS has a complicated architecture. Not only that, but not all name
  108. servers run the same code. So not all of them implement DNS in exactly
  109. the same way. And not only that, but not all name servers are
  110. configured properly.
  112. I just described a QID attack that poisons the name server's cache.
  113. This attack requires speed, agility and luck, because if the "real"
  114. answer happens to arrive before your spoofed one, you're locked out.
  115. Fortunately for those of you that have a time machine, some versions
  116. of DNS provide you with another way to poison the name server's cache
  117. anyway. To explain it, I will have to explain more about the format of
  118. a DNS packet.
  120. DNS packets are variable in length and consist of a header, some flags
  121. and resource records (RRs). RRs are where the goods ride around. There
  122. are up to three sets of RRs in a DNS packet, along with the original
  123. query. These are:
  125.    *
  127.      Answer RR's, which contain the answer to whatever question you
  128. asked (such as the A record that says WWW.VICTIM.COM is 1.2.3.4)
  129.    *
  131.      Authority RR's, which tell resolvers which name servers to refer
  132. to to get the complete answer for a question
  133.    *
  135.      Additional RR's, sometimes called "glue", which contain any
  136. additional information needed to make the response effective.
  138. A word about the Additional RR's. Think about an NS record, like the
  139. one that COM's name server uses to tell us that, to find out where
  140. WWW.VICTIM.COM is, you have to ask NS1.VICTIM.COM. That's good to
  141. know, but it's not going to help you unless you know where to find
  142. NS1.VICTIM.COM. Names are not addresses. This is a chicken and egg
  143. problem. The answer is, you provide both the NS record pointing
  144. VICTIM.COM to NS1.VICTIM.COM, and the A record pointing NS1.VICTIM.COM
  145. to 1.2.3.1.
  147. Now, let's party like it's 1995.
  149. Download the source code for a DNS implementation and hack it up such
  150. that every time it sends out a response, it also sends out a little
  151. bit of evil — an extra Additional RR with bad information. Then let's
  152. set up an evil server with it, and register it as EVIL.COM. Now get a
  153. bunch of web pages up with IMG tags pointing to names hosted at that
  154. server.
  156. Bob innocently loads up a page with the malicious tags which coerces
  157. his browser resolve that name. Bob asks Alice to resolve that name.
  158. Here comes recursion: eventually the query arrives at our evil server.
  159. Which sends back a response with an unexpected (evil) Additional RR.
  161. If Alice's cache honors the unexpected record, it's 1995 —- buy CSCO!
  162. —- and you just poisoned their cache. Worse, it will replace the
  163. "real" data already in the cache with the fake data. You asked where
  164. WWW.EVIL.COM was (or rather, the image tags did). But Alice also
  165. "found out" where WWW.VICTIM.COM was: 6.6.6.0. Every resolver that
  166. points to that name server will now gladly forward you to the website
  167. of the beast.
  168. 4.
  170. It's not 1995. It's 2008. There are fixes for the attacks I have described.
  171. Fix 1:
  173. The QID race is fixed with random IDs, and by using a strong random
  174. number generator and being careful with the state you keep for
  175. queries. 16 bit query IDs are still too short, which fills us with
  176. dread. There are hacks to get around this. For instance, DJBDNS
  177. randomizes the source port on requests as well, and thus won't honor
  178. responses unless they come from someone who guesses the ~16 bit source
  179. port. This brings us close to 32 bits, which is much harder to guess.
  180. Fix 2:
  182. The RR set poisoning attack is fixed by bailiwick checking, which is a
  183. quirky way of saying that resolvers simply remember that if they're
  184. asking where WWW.VICTIM.COM is, they're not interested in caching a
  185. new address for WWW.GOOGLE.COM in the same transaction.
  187. Remember how these fixes work. They're very important.
  189. And so we arrive at the present day.
  190. 5.
  192. Let's try again to convince Bob that WWW.VICTIM.COM is 6.6.6.0.
  194. This time though, instead of getting Bob to look up WWW.VICTIM.COM and
  195. then beating Alice in the race, or getting Bob to look up WWW.EVIL.COM
  196. and slipping strychnine into his ham sandwich, we're going to be
  197. clever (sneaky).
  199. Get Bob to look up AAAAA.VICTIM.COM. Race Alice. Alice's answer is
  200. NXDOMAIN, because there's no such name as AAAAA.VICTIM.COM. Mallory
  201. has an answer. We'll come back to it. Alice has an advantage in the
  202. race, and so she likely beats Mallory. NXDOMAIN for AAAAA.VICTIM.COM.
  204. Alice's advantage is not insurmountable. Mallory repeats with
  205. AAAAB.VICTIM.COM. Then AAAAC.VICTIM.COM. And so on. Sometime, perhaps
  206. around CXOPQ.VICTIM.COM, Mallory wins! Bob believes CXOPQ.VICTIM.COM
  207. is 6.6.6.0!
  209. Poisoning CXOPQ.VICTIM.COM is not super valuable to Mallory. But
  210. Mallory has another trick up her sleeve. Because her response didn't
  211. just say CXOPQ.VICTIM.COM was 6.6.6.0. It also contained Additional
  212. RRs pointing WWW.VICTIM.COM to 6.6.6.0. Those records are
  213. in-bailiwick: Bob is in fact interested in VICTIM.COM for this query.
  214. Mallory has combined attack #1 with attack #2, defeating fix #1 and
  215. fix #2. Mallory can conduct this attack in less than 10 seconds on a
  216. fast Internet link.