New Side Channel Attacks Re-Enable Serious DNS Cache Poisoning Attacks
2021-11-18 22:50

Researchers have demonstrated yet another variant of the SAD DNS cache poisoning attack that leaves about 38% of the domain name resolvers vulnerable, enabling attackers to redirect traffic originally destined to legitimate websites to a server under their control.

From Kaminsky Attack to SAD DNS

DNS cache poisoning, also called DNS spoofing, is a technique in which corrupt data is introduced into a DNS resolver's cache, so that DNS queries return an incorrect response for a trusted domain and users are directed to malicious websites.

SAD DNS, aka Side channel AttackeD DNS, disclosed by the same group of researchers in November 2020, relies on the ICMP "port unreachable" message as a means to infer which ephemeral port is used.

While prior methods, including SAD DNS, employ UDP probes to determine whether a UDP port is open or closed, the newly discovered DNS cache poisoning attack directly explores a side channel during the process of handling ICMP error messages (i.e., ICMP frag needed or ICMP redirect packets) that by design do not elicit a response, using it as a yardstick to achieve the same goal.

"The central idea of the attack is to use the limited number of total slots in the global exception cache, a 2048-bucket hash table, to discern if an update has occurred following a batch of ICMP probes." The side channel is also different from SAD DNS in that it arises when processing incoming ICMP messages and it "leverages the space resource limit while SAD DNS' side channel leverages the time resource limit."

"Unfortunately, DNS was designed without security in mind and is subject to a variety of serious attacks, one of which is the well-known DNS cache poisoning attack. Over the decades of evolution, it has proven extraordinarily challenging to retrofit strong security features into it."


News URL

https://thehackernews.com/2021/11/new-side-channel-attacks-re-enable.html