Socket Overloading for Fun and Cache-Poisoning

Post on 23-Feb-2016


Transcript of Socket Overloading for Fun and Cache-Poisoning

Socket Overloading for Fun and Cache-Poisoning
Amir Herzberg (1); Haya Shulman (2)

(1) Bar Ilan University; (2) Technische Universität Darmstadt/EC-SPRIDE

29th Annual Computer Security Applications Conference (ACSAC 2013)

Presented by 左昌國, 2013/12/10, Seminar @ ADLab, CSIE, NCU

Outline
• Introduction
• Socket Overloading
• Evaluation
• Port Derandomization via Socket Overloading
• Socket-Overloading for Attacks on DNS
• Defenses and Conclusions

Introduction
• What is DNS
  • Ref: http://www.csie.ncu.edu.tw/~hsufh/COURSES/FALL2013/14_dns.ppt
  • Ref: Steve Friedl, http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html
• Attacks on DNS (categorized by the position of the attacker)
  • Man-in-the-Middle
    • Less than 3% of DNS resolvers enforce strict DNSSEC (cryptographic) validation
  • Off-path attacks

Introduction
• Basic cache-poisoning (without any defense mechanism)

Figure: basic cache poisoning. Participants: Victim, Resolver, Name Server "ns.foo.com", Attacker Server "6.6.6.6", Attacker Server "6.6.6.7".
(1) Victim → Resolver: query IP for "www.foo.com"
(2) Resolver → Name Server "ns.foo.com": query IP for "www.foo.com"
(3) Attacker Server "6.6.6.6" → Resolver: forged response "www.foo.com" == "6.6.6.7", TTL = 1 year
(4) Resolver → Victim: response "6.6.6.7"
(5) Victim → Attacker Server "6.6.6.7": access to "www.foo.com" == "6.6.6.7"

Introduction – DNS Security
• Challenge-Response Defenses (against off-path attacks)
  • Standardized challenges [RFC5452]
    • DNS transaction ID (TXID) field
    • Source port randomization (DJBDNS)
    • Port randomization algorithms [RFC6056] (Best Current Practice)
    • IP address randomization
• Cryptographic Defense (DNSSEC)

Introduction
• Attacking model

Introduction – Related Work
• Off-Path Port Derandomization Attacks
  • A. Herzberg and H. Shulman. "Security of Patched DNS", Computer Security – ESORICS 2012
• Off-Path IP Address Derandomization Attacks
  • A. Herzberg and H. Shulman. "Security of Patched DNS", Computer Security – ESORICS 2012
  • O. Gudmundsson and S. D. Crocker. "Observing DNSSEC Validation in the Wild", SATIN 2011

Socket Overloading
• The target
  • To discover the client's (ephemeral) port in its communication with the name server
• Interrupt-driven packet handling
  • Unix and Windows use hardware interrupts for event notification (input/output on hardware)
  • NICs generate interrupts to notify the kernel of the arrival of new packets
  • These interrupts disrupt protocol processing
  • Under high traffic load the socket buffer may fill up, and subsequent packets are dropped

Socket Overloading for Port Discovery

Figure: socket overloading for port discovery. Participants: Client 1.2.3.6, Resolver 1.2.3.4, NS 5.6.7.8, Off-path Attacker 6.6.6.6. Each packet is written as source → destination (with ports), followed by its payload.
(1) Client → Resolver: 1.2.3.6:x → 1.2.3.4:53, A? $1.foo.org
(2) Resolver → NS: 1.2.3.4:3424 → 5.6.7.8:53, A? $1.foo.org
    Attacker → Resolver: 6.6.6.6:x → 1.2.3.4:3424, burst of N packets (payload AAAAAAAAAA)
(3) NS → Resolver: 5.6.7.8:53 → 1.2.3.4:3424, $1.foo.org NXD: loss (the genuine response is dropped by the overloaded socket)
(4) Timeout, retransmission. Resolver → NS: 1.2.3.4:3425 → 5.6.7.8:53, A? $1.foo.org
(5) NS → Resolver: 5.6.7.8:53 → 1.2.3.4:3425, $1.foo.org NXD
(6) Resolver → Client: 1.2.3.4:53 → 1.2.3.6:x, $1.foo.org NXD; the client reports the response time

Evaluation

Port Derandomization via Socket Overloading
• In RFC 6056
  • 5 algorithms to perform port randomization
  • Algorithms #1 and #2
    • Not vulnerable to socket overloading
    • Vulnerable to the attacks in [12]
  • Algorithm #3 – Simple Hash-Based Port Selection
  • Algorithm #4 – Double-Hash Port Selection
  • Algorithm #5 – Random-Increments Port Selection

Alg. #3 – Simple Hash-Based Port Selection

    /* Initialization at system boot time. Could be random. */
    next_ephemeral = 0;

    /* Ephemeral port selection function */
    num_ephemeral = max_ephemeral - min_ephemeral + 1;
    offset = F(local_IP, remote_IP, remote_port, secret_key);
    count = num_ephemeral;

    do {
        /* one global counter plus a per-destination offset */
        port = min_ephemeral + (next_ephemeral + offset) % num_ephemeral;
        next_ephemeral++;

        if (check_suitable_port(port))
            return port;

        count--;
    } while (count > 0);

    return ERROR;

Port Derandomization via Socket Overloading

Figure: port derandomization via socket overloading. Participants: Client 1.2.3.6, Resolver 1.2.3.4, NS 5.6.7.8, Off-path Attacker 6.6.6.6.
(1) Measure the baseline response latency δ (a query with no burst).
(2) Client → Resolver: DNS request, srcPort x. Resolver → NS: DNS request, srcPort y. (The client's timer starts: t = 0.)
(3) Attacker → Resolver: burst of N UDP packets, dstPort z.
(4) NS → Resolver: DNS response, dstPort y. Resolver → Client: DNS response, dstPort x.
(5) The client measures the response latency t = τ. If τ > δ, then z == y; else repeat with port = z - 1.


Alg. #4 – Double-Hash Port Selection

    /* Initialization at system boot time */
    for (i = 0; i < TABLE_LENGTH; i++)
        table[i] = random() % 65536;

    /* Ephemeral port selection function */
    num_ephemeral = max_ephemeral - min_ephemeral + 1;
    offset = F(local_IP, remote_IP, remote_port, secret_key1);
    index = G(local_IP, remote_IP, remote_port, secret_key2);
    count = num_ephemeral;

    do {
        /* the counter lives in a per-destination table slot */
        port = min_ephemeral + (offset + table[index]) % num_ephemeral;
        table[index]++;

        if (check_suitable_port(port))
            return port;

        count--;
    } while (count > 0);

    return ERROR;

Alg. #5 – Random-Increments Port Selection

    /* Initialization code at system boot time. */
    next_ephemeral = random() % 65536;  /* Initialization value */
    N = 500;                            /* Determines the trade-off */

    /* Ephemeral port selection function */
    num_ephemeral = max_ephemeral - min_ephemeral + 1;
    count = num_ephemeral;

    do {
        /* one global counter advanced by a random step in [1, N] */
        next_ephemeral = next_ephemeral + (random() % N) + 1;
        port = min_ephemeral + (next_ephemeral % num_ephemeral);

        if (check_suitable_port(port))
            return port;

        count--;
    } while (count > 0);

    return ERROR;
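The three RFC 6056 listings above give the selection rules as C-like pseudocode. The following Python model is added here (it is not code from the slides or the paper) to implement Algorithms #3, #4 and #5 side by side and measure how far apart successive ports chosen for the same name server land when unrelated traffic is interleaved, which is the per-destination sequential property that the defenses slide says to avoid. The keyed hash, the port range, the table size and the seed are stand-ins, and check_suitable_port() is assumed to always succeed.

```python
import hashlib
import random

MIN_EPH, MAX_EPH = 1024, 65535          # assumed ephemeral port range
NUM_EPH = MAX_EPH - MIN_EPH + 1
KEY1, KEY2 = b"secret_key1", b"secret_key2"  # constructed stand-ins for the host secrets
TABLE_LENGTH = 256                      # assumed size of Algorithm 4's table

def keyed_hash(key, local_ip, remote_ip, remote_port):
    # Stand-in for RFC 6056's F()/G(): a keyed hash of the connection tuple.
    data = key + f"{local_ip}|{remote_ip}|{remote_port}".encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

class SimpleHash:                       # RFC 6056 Algorithm 3
    def __init__(self):
        self.next_ephemeral = 0         # one global counter for every destination
    def select(self, local_ip, remote_ip, remote_port):
        offset = keyed_hash(KEY1, local_ip, remote_ip, remote_port)
        port = MIN_EPH + (self.next_ephemeral + offset) % NUM_EPH
        self.next_ephemeral += 1
        return port

class DoubleHash:                       # RFC 6056 Algorithm 4
    def __init__(self, seed=1):
        rng = random.Random(seed)       # seeded so the demo is reproducible
        self.table = [rng.randrange(65536) for _ in range(TABLE_LENGTH)]
    def select(self, local_ip, remote_ip, remote_port):
        offset = keyed_hash(KEY1, local_ip, remote_ip, remote_port)
        index = keyed_hash(KEY2, local_ip, remote_ip, remote_port) % TABLE_LENGTH
        port = MIN_EPH + (offset + self.table[index]) % NUM_EPH
        self.table[index] += 1          # counter is per destination bucket
        return port

class RandomIncrements:                 # RFC 6056 Algorithm 5
    def __init__(self, seed=1, n=500):
        self.rng, self.n = random.Random(seed), n
        self.next_ephemeral = self.rng.randrange(65536)
    def select(self, local_ip, remote_ip, remote_port):
        self.next_ephemeral += self.rng.randrange(self.n) + 1
        return MIN_EPH + self.next_ephemeral % NUM_EPH

def port_deltas(selector, rounds=4):
    # Distance between successive ports chosen for NS 5.6.7.8:53, with one
    # query to an unrelated destination interleaved after each of them.
    ports = []
    for _ in range(rounds):
        ports.append(selector.select("1.2.3.4", "5.6.7.8", 53))
        selector.select("1.2.3.4", "9.9.9.9", 53)
    return [(b - a) % NUM_EPH for a, b in zip(ports, ports[1:])]
```

Algorithm #3 advances by the number of selections made in between (here 2), Algorithm #4 advances by exactly 1 per query to the same destination regardless of other traffic, and Algorithm #5 advances by a random amount bounded by N per selection.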


Alg. #5 – Random-Increments Port Selection
• Birthday protection
  • A birthday attack requires multiple requests and multiple responses, so the resolver does not send multiple concurrent requests for the same query
• How to circumvent birthday protection?
  • Send N DNS requests for j.foo.org, where 0 <= j <= N
  • These are not the same host, so they pass the protection
  • Then run the socket overloading attack to find the correct port


Socket-Overloading for Attacks on DNS
• DNS Cache Poisoning
• NS Pinning via Resolver Socket-Overloading
• NS Pinning via Name Server Socket-Overloading

Socket-Overloading for Attacks on DNS – DNS Cache Poisoning

Figure: cache poisoning once the resolver's source port is known. Participants: Client 1.2.3.6, Resolver 1.2.3.4, NS 5.6.7.8, Off-path Attacker 6.6.6.6.
(1) Client → Resolver: 1.2.3.6:x → 1.2.3.4:53, TXID 127, A? $1.foo.org
(2) Resolver → NS: 1.2.3.4:53 → 5.6.7.8:53, TXID 3544, A? $1.foo.org
(3) Attacker, spoofing NS → Resolver: 5.6.7.8:53 → 1.2.3.4:53, TXID 1 through TXID 65536, ns.foo.org A 6.6.6.6 (2^16 spoofed DNS responses, one for each TXID value)
(4) The spoofed response with the correct TXID (3544, ns.foo.org A 6.6.6.6) is cached.
(5) NS → Resolver: 5.6.7.8:53 → 1.2.3.4:53, TXID 3544, $1.foo.org NXD: response ignored since there is no matching pending request. Resolver → Client: 1.2.3.4:53 → 1.2.3.6:x, TXID 127, $1.foo.org NXD

Socket-Overloading for Attacks on DNS – DNS Cache Poisoning (proxy resolver behind an upstream resolver)

Figure: participants: Client 1.2.3.6, Proxy Resolver 1.2.3.4, Upstream Resolver 8.8.8.8, Off-path Attacker 6.6.6.6.
(1) Client → Proxy Resolver: 1.2.3.6:x → 1.2.3.4:53, TXID 127, A? $1.atk.com
(2) Proxy Resolver → Upstream Resolver (query): 1.2.3.4:X (X > 1024) → 8.8.8.8:53, TXID Y ∈ {1, …, 2^16}, A? $1.atk.com
(3) Attacker, spoofing Upstream Resolver → Proxy Resolver (responses): 8.8.8.8:53 → 1.2.3.4:65000, TXID 1 through TXID 65535, ns.atk.com A 6.6.6.6; a burst of N spoofed packets to port 65000
(4) Drop.
(5) If the correct port is hit in (4), then time-out and retransmission.

Socket-Overloading for Attacks on DNS – NS Pinning via Resolver Socket-Overloading

Figure: participants: Client 1.2.3.6, Resolver 1.2.3.4, NS 5.6.7.8, Off-path Attacker 6.6.6.6.
(1) Client → Resolver: 1.2.3.6:5555 → 1.2.3.4:53, A? $1.foo.org
(2) Resolver → NS: 1.2.3.4:3424 → 5.6.7.8:53, A? $1.foo.org
    Attacker → Resolver: 6.6.6.6:x → 1.2.3.4:3424, burst of N packets (payload AAAAAAAAAA) to a known port
(3) NS → Resolver: 5.6.7.8:53 → 1.2.3.4:3424, $1.foo.org NXD: loss
    Timeout, retransmission. Resolver → NS: 1.2.3.4:3425 → 5.6.7.8:53, A? $1.foo.org
(4) Repeat step (2) after t secs

Socket-Overloading for Attacks on DNS – NS Pinning via NS Socket-Overloading

Figure: participants: Client 1.2.3.6, Resolver 1.2.3.4, NS 5.6.7.8, Off-path Attacker 6.6.6.6.
(1) Attacker → NS: 6.6.6.6:x → 5.6.7.8:53, burst of N packets (payload AAAAAAAAAA)
(2) Client → Resolver: 1.2.3.6:5555 → 1.2.3.4:53, A? $1.foo.org. Resolver → NS: 1.2.3.4:3424 → 5.6.7.8:53, A? $1.foo.org: loss
(3) Attacker → NS: 6.6.6.6:x → 5.6.7.8:53, another burst of N packets
(4) Timeout, retransmission. Resolver → NS: 1.2.3.4:54525 → 5.6.7.8:53, A? $1.foo.org: loss

Defenses and Conclusions
• Defenses
  • DNSSEC
  • Full port randomization
  • Avoid per-destination sequential port allocation
• Conclusions
  • A new attack tool: UDP socket overloading
    • Cache poisoning
    • NS pinning
  • The results show that per-destination port assignment [RFC6056] is vulnerable