Cross Layer Attacks and How to Use Them (for DNS Cache Poisoning, Device Tracking and More)

Klein, Amit

doi:10.48550/arxiv.2012.07432

Cited by 4 publications

(6 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In this attacker model, we assume an off-path attacker without any additional capabilities. As demonstrated in a recent study, this attacker can implement a cache poisoning attack on Linux-based DNS revolvers [25]). This attack exploits a vulnerability within the pseudorandom number generator (PRNG) of the Linux operating system (as well as Android) to overcome source port randomization.…”

Section: Off-path Attacker (Op)mentioning

confidence: 98%

“…Based on a previous threat analysis of the DNS [10] and recently published DNS cache poisoning attacks [20,25,29], we consider three type of attackers that can acquire the abovementioned capabilities: a man-in-the-middle attacker, an off-path attacker with IP spoofing capability that controls an adjacent machine, and an off-path attacker without any additional capabilities.…”

Section: Threat Modelmentioning

confidence: 99%

See 1 more Smart Citation

On The Vulnerability of Anti-Malware Solutions to DNS Attacks

Nadler¹,

Bitton²,

Brodt³

et al. 2021

Preprint

View full text Add to dashboard Cite

Anti-malware agents typically communicate with their remote services to share information about suspicious files. These remote services use their up-to-date information and global context (view) to help classify the files and instruct their agents to take a predetermined action (e.g., delete or quarantine). In this study, we provide a security analysis of a specific form of communication between antimalware agents and their services, which takes place entirely over the insecure DNS protocol. These services, which we denote DNS anti-malware list (DNSAML) services, affect the classification of files scanned by anti-malware agents, therefore potentially putting their consumers at risk due to known integrity and confidentiality flaws of the DNS protocol.By analyzing a large-scale DNS traffic dataset made available to the authors by a well-known CDN provider, we identify antimalware solutions that seem to make use of DNSAML services. We found that these solutions, deployed on almost three million machines worldwide, exchange hundreds of millions of DNS requests daily. These requests are carrying sensitive file scan information, oftentimes -as we demonstrate -without any additional safeguards to compensate for the insecurities of the DNS protocol. As a result, these anti-malware solutions that use DNSAML are made vulnerable to DNS attacks. For instance, an attacker capable of tampering with DNS queries, gains the ability to alter the classification of scanned files, without presence on the scanning machine.We showcase three attacks applicable to at least three antimalware solutions that could result in the disclosure of sensitive information and improper behavior of the anti-malware agent, such as ignoring detected threats. Finally, we propose and review a set of countermeasures for anti-malware solution providers to prevent the attacks stemming from the use of DNSAML services.

show abstract

Section: Off-path Attacker (Op)mentioning

confidence: 98%

Section: Threat Modelmentioning

confidence: 99%

On The Vulnerability of Anti-Malware Solutions to DNS Attacks

Nadler¹,

Bitton²,

Brodt³

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…[57] showed how to use ICMP errors to infer the UDP source ports selected by DNS resolvers. Recently [52] showed how to use side channels to predict the ports due to vulnerable PRNG in Linux kernel. In 2013 [38] provided the first feasibility result for launching cache poisoning by exploiting IPv4 fragmentation.…”

Section: History Of Dns Cache Poisoningmentioning

confidence: 99%

“…For the evaluations in this work we selected three generic cache poisoning methodologies developed in [21,38,57], which are not specific to implementation or setup and do not result due to bugs in randomness generation, such as [52]. We perform Internet-wide measurements of these methodologies testing experimentally DNS cache poisoning against DNS resolution platforms.…”

Section: History Of Dns Cache Poisoningmentioning

confidence: 99%

From IP to transport and beyond: cross-layer attacks against applications

Dai,

Jeitner,

Shulman

et al. 2022

Preprint

View full text Add to dashboard Cite

We perform the first analysis of methodologies for launching DNS cache poisoning: manipulation at the IP layer, hijack of the interdomain routing and probing open ports via side channels. We evaluate these methodologies against DNS resolvers in the Internet and compare them with respect to effectiveness, applicability and stealth. Our study shows that DNS cache poisoning is a practical and pervasive threat.We then demonstrate cross-layer attacks that leverage DNS cache poisoning for attacking popular systems, ranging from security mechanisms, such as RPKI, to applications, such as VoIP. In addition to more traditional adversarial goals, most notably impersonation and Denial of Service, we show for the first time that DNS cache poisoning can even enable adversaries to bypass cryptographic defences: we demonstrate how DNS cache poisoning can facilitate BGP prefix hijacking of networks protected with RPKI even when all the other networks apply route origin validation to filter invalid BGP announcements. Our study shows that DNS plays a much more central role in the Internet security than previously assumed.We recommend mitigations for securing the applications and for preventing cache poisoning. CCS CONCEPTS• Security and privacy → Network security.

show abstract

“…A followup work demonstrated effectiveness of such cache poisoning attacks also against stub resolvers [2]. Side channels were also used to predict the ports due to vulnerable PRNG in Linux kernel [23], these are however difficult to apply in practice. [26] developed a method to leverage ICMP errors to infer the UDP source ports selected by DNS resolvers.…”

Section: Dns Cache Poisoning Chroniclementioning

confidence: 99%

Poster: The Unintended Consequences of Algorithm Agility in DNSSEC

Heftrig¹,

Seifert²,

Shulman³

et al. 2022

Preprint

View full text Add to dashboard Cite

Cryptographic algorithm agility is an important property for DNSSEC: it allows easy deployment of new algorithms if the existing ones are no longer secure. Significant operational and research efforts are dedicated to pushing the deployment of new algorithms in DNSSEC forward. Recent research shows that DNSSEC is gradually achieving algorithm agility: most DNSSEC supporting resolvers can validate a number of different algorithms and domains are increasingly signed with cryptographically strong ciphers.In this work we show for the first time that the cryptographic agility in DNSSEC, although critical for making DNS secure with strong cryptography, also introduces a severe vulnerability. We find that under certain conditions, when new algorithms are listed in signed DNS responses, the resolvers do not validate DNSSEC. As a result, domains that deploy new ciphers, risk exposing the validating resolvers to cache poisoning attacks.We use this to develop DNSSEC-downgrade attacks and show that in some situations these attacks can be launched even by offpath adversaries. We experimentally and ethically evaluate our attacks against popular DNS resolver implementations, public DNS providers, and DNS services used by web clients worldwide. We validate the success of DNSSEC-downgrade attacks by poisoning the resolvers: we inject fake records, in signed domains, into the caches of validating resolvers. We find that major DNS providers, such as Google Public DNS and Cloudflare, as well as 70% of DNS resolvers used by web clients are vulnerable to our attacks.We trace the factors that led to this situation and provide recommendations.

show abstract

Cross Layer Attacks and How to Use Them (for DNS Cache Poisoning, Device Tracking and More)

Cited by 4 publications

References 0 publications

On The Vulnerability of Anti-Malware Solutions to DNS Attacks

On The Vulnerability of Anti-Malware Solutions to DNS Attacks

From IP to transport and beyond: cross-layer attacks against applications

Poster: The Unintended Consequences of Algorithm Agility in DNSSEC

Contact Info

Product

Resources

About