In 2020, researchers from the University of California and Tsinghua University found a new method to execute DNS cache poisoning attacks. Unfortunately, Linux, a very reliable OS, was the object of the DNS cache poisoning attack.
What is DNS cache poisoning?
A DNS cache poisoning (DNS spoofing) is a cyberattack that pollutes the cache on DNS resolver servers. This can cause the user to be redirected to the attacker’s server instead of the right one.
How was DNS cache poisoning prevented?
Dan Kaminsky, a security expert, found the bug in 2008 and managed to prevent DNS cache poisoning attacks through the implementation of source port randomization.
Think of a device that lookups up a domain’s IP address. To do this, it adds a unique number called “transaction ID” in the request it sends to the DNS server. Then, the server answers with the IP address of the requested domain, but the device only will take the answer as true if it has the original “transaction ID”. This is a measure to prevent the possibility of a DNS server delivering the user a spoofed IP address to redirect her or him to a dangerous destination.
Kaminsky saw that there were only 65,536 possible transaction IDs. So a criminal could send forged DNS answers using IDs from 0 to 65,535 and simultaneously prevent the first answer from being cached. This way, the criminal could send its malicious IP address using the total of possible transaction IDs. After time, he or she will guess the right transaction ID of a DNS request and simultaneously provide its malicious server IP via DNS answer or response.
Then, source port randomization came as a solution because even if the criminal guessed the transaction ID defined by the user’s device to send the DNS request, he or she would not know where to send the DNS answer. Consider that the device makes the DNS lookup from a randomized port (each with 65,536 values) rather than from a fixed one (previously, port 53). That reduced by billions the chances for criminals to succeed.
But how is this related to Linux?
What is SAD DNS?
SAD DNS or Side-channel AttackeD DNS is the latest criminal method (2020) that brought back the cache poisoning threat. Researchers at the University of California and Tsinghua University discovered that now, criminals take advantage of a side-channel attack to deduce the source port number of the DNS client. Once the source port is exposed, executing cache poisoning attacks in the terms explained by Kaminsky (ID guessing) years ago is possible again.
Linux, the object of the DNS cache poisoning attack
The way Linux kernel handles ICMP requests opened a new chance for criminals to guess the source port. The rate limiter built into Linux defaults to 1,000 per second, the number of incoming requests, mostly to save bandwidth. It has a counter to track the requests. Every request obtained by a closed port on a Linux-based server will decrease by one counter and generate an “unreachable” server’s answer.
When the valid open port takes the request, the counter does not decrease. This gives criminals a chance to flood a DNS resolver with 1,000 spoofed packets directed to random ports every second.
So, is there a solution to SAD Linux?
Yes, and it was already added to the kernel, and it is a randomized rate limiter. Not 1000 that was default before. The solution works for Linux Kernel 5.10, and it could be back-ported.