About ::
TODO ::
Blog ::
RSS ::
Old blog ::
Projects ::
GIT ::
Gallery ::
Notes
Sun, 10 Aug 2008
A bored russian.
Yes, that is how I was called by The Inquirer.
Magazine even put it in bold capital letters :) The rest of the article is quite wrong though (i.e. it is not what was written in my
blog).
Slashdot either got an entry, I was called hacker and then
a physicist there.
What next? It is really very fun! :)
/devel/networking/dns :: Link / Comments ()
Sat, 09 Aug 2008
Russian physicist.
That is how I was called in
New York Times
with all this hype about DNS poisoning attack.
Unfortunately I already do not remember what electron charge is
and how to describe Higgs boson even to myself. Things moved away almost 10 years
ago :)
Article says, that DJBDNS does not suffer from this attack. It does. Everyone does.
With some tweaks it can take longer than BIND, but overall problem is there.
But that's enough for this story. I'm moving to another interesting developments.
/devel/networking/dns :: Link / Comments ()
Fri, 08 Aug 2008
Successfully poisoned the latest BIND with fully randomized ports!
Exploit
required to send more than 130 thousand of requests for the fake
records like 131737-4795-15081.blah.com to be able to match port
and ID and insert poisoned entry for the poisoned_dns.blah.com.
# dig @localhost www.blah.com +norecurse ; <<>> DiG 9.5.0-P2 <<>> @localhost www.blah.com +norecurse ; (1 server found) ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6950 ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; QUESTION SECTION: ;www.blah.com. IN A ;; AUTHORITY SECTION: www.blah.com. 73557 IN NS poisoned_dns.blah.com. ;; ADDITIONAL SECTION: poisoned_dns.blah.com. 73557 IN A 1.2.3.4 # named -v BIND 9.5.0-P2BIND used fully randomized source port range, i.e. around 64000 ports. Two attacking servers, connected to the attacked one via GigE link, were used, each one attacked 1-2 ports with full ID range. Usually attacking server is able to send about 40-50 thousands fake replies before remote server returns the correct one, so if port was matched probability of the successful poisoning is more than 60%.
Attack took about half of the day, i.e. a bit less than 10 hours.
So, if you have a GigE lan, any trojaned machine can poison your DNS during one night...
/devel/networking/dns :: Link / Comments ()
Wed, 06 Aug 2008
Additional note on DNS poisoning attack IN A entry injection.
Actually I did
inject 'IN A' entry for the poisoned_dns.blah.com into the cache.
So, to inject arbitrary 'A' entry for the attacked.domain.com into the cache,
one has to bruteforce ID (and match source port if needed) for any other subdomain of the
same level, i.e. subdomain-123.domain.com, and put into additional section
for that message a 'IN NS' record, which would point to attacked.domain.com,
and 'IN A' record with fake IP address for that 'IN NS' one,
i.e. 'IN A' record for the attacked.domain.com pointing to 1.2.3.4.
This method is a bit less flexible, than just poisoning any subdomain with NS
record, which points to the controlled DNS server, but it does not require that server
to exist, so it can route traffic directly to your site without first asking
your DNS server, where given subdomain lives.
# ping poisoned_dns.blah.com -c100 > /dev/null 2>&1 & # tcpdump -nn icmp tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes 11:27:20.422124 IP devfs1 > 1.2.3.4: ICMP echo request, id 55367, seq 5, length 64 11:27:20.422333 IP gw > devfs1: ICMP host 1.2.3.4 unreachable, length 36 11:27:21.422126 IP devfs1 > 1.2.3.4: ICMP echo request, id 55367, seq 6, length 64 11:27:21.422310 IP gw > devfs1: ICMP host 1.2.3.4 unreachable, length 36 11:27:22.422123 IP devfs1 > 1.2.3.4: ICMP echo request, id 55367, seq 7, length 64 11:27:22.422286 IP gw > devfs1: ICMP host 1.2.3.4 unreachable, length 36 11:27:23.423122 IP devfs1 > 1.2.3.4: ICMP echo request, id 55367, seq 8, length 64 11:27:23.423311 IP gw > devfs1: ICMP host 1.2.3.4 unreachable, length 36
/devel/networking/dns :: Link / Comments ()
More interesting (and complete) hack of the DNS.
I managed to inject following poisoning information:
# dig @localhost +norecurse www.blah.com any ;; ANSWER SECTION: www.blah.com. 123452 IN NS poisoned_dns.blah.com. ;; AUTHORITY SECTION: www.blah.com. 123452 IN NS poisoned_dns.blah.com. ;; ADDITIONAL SECTION: poisoned_dns.blah.com. 123452 IN A 1.2.3.4 # dig @localhost www.blah.comThe last command results in the following dump:
01:36:14.567622 IP devfs1.5301 > 1.2.3.4.53: 42416% [1au] A? www.blah.com. (41) 01:36:15.067816 IP devfs1.5301 > 1.2.3.4.53: 29011% [1au] A? www.blah.com. (41) 01:36:15.568013 IP devfs1.5301 > 1.2.3.4.53: 30586 A? www.blah.com. (30) 01:36:16.568182 IP devfs1.5301 > 1.2.3.4.53: 38101 A? www.blah.com. (30) 01:36:18.568429 IP devfs1.5301 > 1.2.3.4.53: 64596 A? www.blah.com. (30) 01:36:22.568634 IP devfs1.5301 > 1.2.3.4.53: 59943 A? www.blah.com. (30) 01:36:30.568960 IP devfs1.5301 > 1.2.3.4.53: 39614 A? www.blah.com. (30) 01:36:40.569163 IP devfs1.5301 > 1.2.3.4.53: 13769 A? www.blah.com. (30)So, effectively if I would control 1.2.3.4 machine I would be able to answer to that queries with controlled address. I was not able to inject 'A' record for any domain except one which was happend to match id in my fake responses, and it looks like 'A' records are not accepted at all (I'm far from being a DNS expert).
So, actually I consider this exploit as a completed one, which is capable of arbitrary NS record poisoning. Its performance is rather good: poisoning attack requires 1-3 (sometimes more, it heavily depends on link capacity and auth dns server performance) queries from the client to authoritative DNS server. Attacking server, connected via gigabit link, is easily capable to saturate whole DNS ID space while attacked resolver waits for reply from the remote server. Math tells me that 100 mbit connection will require about two times more requests to be sent by the client, which is still not that much.
Server side of the exploit requires root priveledges to run, since it uses raw socket to create a datagram with IP addresses used by attacked server and appropriate authoritative name server. Client connects to one or more attacking servers, sends them appropriate response message and issues a DNS request for that response to the attacked server. Poisoning servers start to flood attacked server with replies, until client sends them next reply to bomb. When client receives fake answer from poisoned DNS server, attack stops. Exploit allows you to specify name server to attack, NS query to inject and DNS name to have that NS record.
Having hard GigE performance numbers, I can say, that port randomization completely does not solve DNS poisoning attack (although makes it harder), since with such link capacity attacker only needs to guess the port, and ID space will be bruteforced before reply is received from the authoritative name server.
So far I can not test randomized-port BIND, since local Debian mirror has somehow unsigned package for it, so I will not install it right now, but will do it later and provide numbers with randomized server. I expect to be able to poison even that server, although not that fast as with constant port.
Have fun!
/devel/networking/dns :: Link / Comments ()
Tue, 05 Aug 2008
DNS cache poisoning attack succeeded for the constant port.
Hacking rox!
# dig @devfs1 3-c13a-15729.paypal.com. ; <<>> DiG 9.5.0-P2 <<>> @devfs1 3-c13a-15729.paypal.com. ; (1 server found) ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18330 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0 ;; QUESTION SECTION: ;3-c13a-15729.paypal.com. IN A ;; ANSWER SECTION: 3-c13a-15729.paypal.com. 123405 IN A 1.2.3.4 # dig 1-71b2-16080.money.paypal.com. ... ;; ANSWER SECTION: 1-71b2-16080.money.paypal.com. 123421 IN A 1.2.3.4 # dig @localhost 29-07f3-16098.test.com ... ;; ANSWER SECTION: 29-07f3-16098.test.com. 123411 IN A 1.2.3.4Although it is not a complete win yet: additional section from the poisoning packet was parsed, and entry looks like inserted into DNS server database, but subsequent request ends up with querying remote server. Probably because my fake requests do not contain authority section, so I will extend it and continue this game :)
Ugh, 4 A.M. My body, soul and what else wants to sleep will all hate me tomorrow.
/devel/networking/dns :: Link / Comments ()
Mon, 04 Aug 2008
Got back testing machines.
I was called a saboteur, although no one was able
to answer, what will happen, if the same load will
be performed by some virus or trojan.
Nevertheless I played some politic game, had some talks,
which I managed to cool down from angry to fun strain,
and eventually got access again.
I installed BIND on one of the servers, which by the coincidence
does not have port randomization fix, so it issues all requests from
the 5301 port. I fixed IP header initialization, so now attacking
servers send its fake DNS replies not with own IP address as a source
(that's likely was one of the main if not main reasons machines
were disabled), but using appropriate auth DNS server IP address.
Also found an interesting moment with DNS server traffic: resolver server's network
channel is so much loaded with small UDP fake DNS replies, that other ones
almost can not sneak in, so effectively real reply comes almost after the whole
ID range has been bruteforced. I remind that this is a GigE linked
machines, and attacking servers send about 200-300 thousands packets per second
average, dropping rate is about 30% (only about 45 thousands packets are received
from more than 65.000 being sent).
This basically means, that in this particular case probability of the successful poisoning
with port randomization is only limited by random port number, and random ID
almost does not play any role (since traffic generated by the attacking server will
eat the bandwidth and will not allow real reply to come first), so one should just
guess the port number and attack will succeed.
I will try to prove this theory tomorrow as long as confirm that my
exploit works.
/devel/networking/dns :: Link / Comments ()
Sat, 02 Aug 2008
DNS cache poisoning attack results.
Disabled account and turned off access to the servers.
And it is just because of several minutes of 200+ kpps
UDP DNS response storms from three machines to one of the corporate DNS servers
(I think there are hundreds of them, I just got access to couple).
Who the hell monitors it Saturday night at 2 A.M.? I specially selected
time when normal people sleep, drink or have a sex, but do not work and watch DNS server load.
The only problem actually is that those servers were also used for
POHMELFS
development and testing. Although I still able to work with two Xen domains
(where I actually develop and test initial implementations without various
stressing loads for all my current projects), so development will not stop.
I will pretend to be an idiot and to have viruses there. Linux kernel viruses.
And of course I will promise I will install all updates and will be careful next time.
Next time I will not attack known nameserver, but install my own.
It is all about the science and not to harm (I even poisoned non-existent domain).
Or they will get away my toys and kick my ass, but I will resist,
so there will be no interesting notes about DNS cache poisoning
attack (although not, I will be able to run one on my desktop
via loopback, it is quite fast machine) and nice benchmark graphs :)
/devel/networking/dns :: Link / Comments ()
Fri, 01 Aug 2008
DNS cache poisoning attack exploit completed.
I belive I've completed quite distributed client/server network exploit, which is capable to poison
given DNS cache either if it works with single source port or randomize it over some port range.
I already described
client-server architecture, so only short notes here.
Client broadcasts set of ports and fake queries to number of poisoning servers, and then asks attacked
name server a specially crafted query, which does not exist in the attacked domain. Poisoning servers send
lots of replies to the attacked DNS server with fake IP addresses and ports, which pretend to be address/port
from the authoritative DNS server. Each reply contains answer section for the current client query and additional
section, which contains information about attacked domain: the former is a subdomain of the latter, like
querying 'IN A' record for '123-456.www.blahblah.com' while reply contains 'IN A' data for '123-456.www.blahblah.com'
in answer sectino and 'IN A' data for 'www.blahblah.com' in additional section.
Client then checks reply (or falls on timeout), and if it does not contain given record for the query, sends next packet
to poisoning servers and appropriate request to the attacked cached domain server.
So far I did not succeed in this attack, but managed to load network (and actually the main name server) so much, that really lots of people around started to complain,
that they have troubles... This is also a result actually, but not that one which I expected, so I will postpone attack to the
late night today.
Tcpdumps show that broadcasted data is valid, but there were no actual poisoning, so probably I will install own
server and configure it to use single port. Currently attacked server has not very random
port distributinon, but still not constant. My poisoning servers (two servers connected via gige link to the same network as attacked server)
use 100% CPU each one, since they need to caclulate UDP checksum for each packet (since it has different ID and/or port number) and
use raw socket to transmit data (to specify source and destination addresses of the autoritative and attacked server). Each server is
usually capable of transmit about 30k-130k packets per second, which corresponds to 1-20 ports (and whole 64k ID range per port)
during 5 seconds timeout interval before the next request. This is not enough of course for the 100% guarantee, but I think after quite long
time attack may suceed, so I will put it in action for the next weekend or at least a night.
Bert Hubert made some math on this kind
of attack, result is not very promising for the attacker, but still probability is far from zero.
I do not promise success, but would like to know, if I'm on the right side, so attack has been started...
P.S. DNS has own tag in the blog now.
P.P.S. Distributed cache poisoning exploit (it may be completely incorrect!) source code can be found in archive. Sorry,
no usage details, but you can use '-h' command line parameter :)
/devel/networking/dns :: Link / Comments ()
Thu, 31 Jul 2008
DNS cache poisoning client/server architecture.
SO far I only implemented simple flooder of the requests,
which as number of destination ports as a parameter and two
names and addresses to put into answer and additional section
of the DNS reply. It uses UDP socket, so source address does not
belong to server, which should pretend to answer given query, so
actually this application will not work, and I need to implement
sending via packet socket and substitue source IP address with
DNS authoritative server's one.
Poison flooder also should not use only one name/address in answer section,
but insteda it should iterate with client, so appropriate request
and answer were synchronized.
So far, initial design of the client/server architecture of this
small project looks like this: depending on flags, either client
connects to multiple flood servers or vice versa, then client
sends a message to each server where specifies a port and ID ranges to attack,
attacked DNS server IP, requested query name and source address,
pretending to be an authoritative name server and additional resource
record data to put into replies (which will poison the cache).
Each server starts sending that data to the specified name server
with changed source address to the authoritative name server's one
and with ID and port changed in given range. When client finished
broadcasting request data to all flood servers, it sends a request
to the attacked DNS server with given query name to resolve. Now
flood servers race with authoritative one to provide an answer. When
client receives the answer, it checks if it looks like poisoned data
we wants to get, or real answer (which should be NX domain, since we
resolve non-existing names). In the former case we exit the process and
enjoy the result, otherwise client specifies next name to resolve and
the same starts again.
Looks interesting...
/devel/networking/dns :: Link / Comments ()
Wed, 30 Jul 2008
Simple DNS server/resolver.
Exact time to hack a DNS server is a middle of the night: 3 A.M. here
and I've just completed initial draft of the trivial DNS server, which
is only capable to receive a datagram from predefined port, parse it,
fill a reply for static "IN A" record (I think I will add a config file),
this record is placed into 'answer' and 'additional' resource record sections,
then the whole request is being sent back to the client.
That's how it looks for standard UNIX dig command:
$ dig @localhost -p 1025 www.google.com ;; Warning: query response not set ; <<>> DiG 9.4.2-P1 <<>> @localhost -p 1025 www.google.com ; (1 server found) ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51486 ;; flags: rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;www.google.com. IN A ;; ANSWER SECTION: www.google.com. 123456 IN A 195.178.208.66 ;; ADDITIONAL SECTION: www.google.com. 123456 IN A 195.178.208.66 ;; Query time: 15 msec ;; SERVER: 127.0.0.1#1025(127.0.0.1) ;; WHEN: Wed Jul 30 02:56:23 2008 ;; MSG SIZE rcvd: 64There are several warnings, which I will fix later, but main part is section content: www.google.com obviously does not have an IP address of my blog site. TTL usually also does not equal to 123456.
Game continues, while I need some sleep...
/devel/networking/dns :: Link / Comments ()
Tue, 29 Jul 2008
Some DNS port distribution data.
Gathered today's late night, so that DNS server would
not be too much disturbed by other users.
Graphs below show some BIND (do not know version)
source port cloud and distribution for a thousand
runs. Each request issued non-existent subdomain of
controlled domain server, so I was able to capture dums
and analyze them a bit.
This graphs show source ports cloud and its distribution.
Each histogram corresponds to number of hits into 100 ports range,
start of the range is shown at X axis labels.
First, port range is randomly selected in 50k-65k range,
so one needs to guess much smaller amount of port.
Second, even in 1 thousand requests there are lots of
requests with the same port (stats show that there 149 ports,
which were used 2 and more times in above 1000 runs,
there is even single port which was used 4 times).
If we select range of 100 ports, then appropriate distribution
is shown on the graph.
Such behaviour allows to limit source port range even more.
Now, DNS IDs.
The whole range of IDs is used, and theirs distribution (each histogram
corresponds to number of IDs in the appropriate 100 ids range) is more uniform.
There were only 9 IDs used twice per 1000 runs.
But since I do not know exact load of the analyzed DNS server (and it can be
high even at 3 A.M.), I can not say if that numbers are due to port/id
selection algorithm implementation of just because load was high and there were
actually not only my 1000 requests.
To further play with DNS caches I decided to install local
DNS server first test things with it.
/devel/networking/dns :: Link / Comments ()
Sun, 27 Jul 2008
Lots of talks about DNS cache poisoning attack.
There are two types of this attack: DNS query ID guessing and
request source port guessing for servers which use randomized source
port, which should be turned on after Dan Kaminsky's
alert.
DNS ID is 16 bits only, so it could be guessed rather fat, one just need to force someone
who uses attacked DNS cache to issue appropriate requests. When request is received by
DNS resolver, it is stored there for predefined amount of time (TTL parameter provided
by higher-level DNS resolver or eventually authoritative name server). Dan found, that
attacker can actually ask not for attacked domain, but some subdomain of it
(if attacker tries to point www.microsoft.com to own IP, it can force sending DNS
requests for 1.microsoft.com, 2.microsoft.com and so on), and put data about actual
target into additional resource records attached to all datagrams. So, when it eventually
win the race, it can store (among lots of subdomains) needed pointers in the attacked DNS cache.
I've just thought that this attack will not be possible, if all queries from DNS
resolvers to higher-level resolvers and/or authoritative name servers would happen over
TCP instead of more common UDP. There is no need to issue requests from random ports anymore,
no need to parse and drop additional resource records. There will be no problems with truncation
of large messages... But to play a bit with the whole idea I'm implementing a simple DNS
query/response processor. Maybe will play a bit with local cache (ISP at office uses only 6 different
ports to send requests) poisoning, although its main goal is
IP-over-DNS tunnel.
This is kind of a real rest after VISA/hotel paperwork. I was told, that if I will be
called to embassy for the interview, chances are high VISA will be declined because of my
sence of humor :)
Update:
zbr@gavana:~/aWork/tmp/dns$ ./query -a 195.178.208.66 -i 0x1234 -q tservice.net.ru
query: 'tservice.net.ru', class: 1, type: 1, server: 195.178.208.66:53, protocol: 17, id: 1234.
Connected to 195.178.208.66:53.
id: 1234: flags: resp: 0, opcode: 0, auth: 0, trunc: 0, RD: 1, RA: 0, rcode: 8.
: question: 1, answer: 1, auth: 2, addon: 2.
: question: name: 'tservice.net.ru.', type: 1, class: 1.
: name: 'tservice.net.ru.', type: 1, class: 1, ttl: 86400, rdlen: 4, rdata: 195.178.208.66
: name: 'tservice.net.ru.', type: 2, class: 1, ttl: 86400, rdlen: 14, rdata: ns.tservice.ru.
: name: 'tservice.net.ru.', type: 2, class: 1, ttl: 86400, rdlen: 7, rdata: dns2.tservice.ru.
: name: 'ns.tservice.ru.', type: 1, class: 1, ttl: 86400, rdlen: 4, rdata: 195.178.208.66
: name: 'dns2.tservice.ru.', type: 1, class: 1, ttl: 86400, rdlen: 4, rdata: 62.141.76.164
And DNS protocol gets the first price among the ugliest crappies.Now its time to create a DNS server itself, which will get requests (above dump shows BIND session), parse them and perform appropriate actions, like sending reply with specially crafted additional resource records, either NULL one for example (can contain upto 64k of data) or TXT (length byte followed by character string, there may be multiple strings as long as total length (including length bytes itsef) is less than 64k). Or additional A resource record, which may contain information about domain to poison...
/devel/networking/dns :: Link / Comments ()