An award-winning security paper published this week explains a newly discovered vulnerability called SAD DNS, which leaves many websites vulnerable to man-in-the-middle and impersonation attacks.
DNS is the system that converts friendly website addresses (www.secureteam.co.uk) into the numeric IP addresses used by TCP/IP. SAD DNS is a flaw discovered in the DNS protocol which can be exploited to poison a DNS server so that it responds with an IP address chosen by the attacker – causing legitimate web traffic to be redirected to a server controlled by the attacker without the user realising.
The researchers estimate that a third of the open resolver DNS servers on the internet are vulnerable to this attack – including Google’s 220.127.116.11. The SAD DNS attack works by abusing ICMP requests as a side channel.
DNS is not very secure – it relies on randomness to prevent forged DNS traffic from poisoning DNS servers. The entropy comes from the combination of a random source port number and a random 16-bit transaction ID, both of which must be echoed in the response to each DNS lookup request. Together these give an unguessable entropy of over 4 billion combinations.
By flooding the DNS server with ICMP ping requests it is possible to deduce which port is open awaiting the response to a DNS query and then inject a fake response – reducing the entropy to a much more crackable 64k possibilities (the transaction ID alone). Cloudflare has published a detailed explanation of how SAD DNS works on their security blog.
Most popular operating systems, including current releases of Linux, Windows Server, macOS and FreeBSD, are vulnerable – so the researchers have removed their proof-of-concept code from GitHub until patches are available.
In the meantime, it may be possible to configure your IDS to detect the flood of ICMP requests and the flood of DNS responses with mismatched transaction IDs, both of which are indicators of a SAD DNS attack.
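The two indicators named above (an ICMP burst from one source, and DNS responses arriving at a resolver whose transaction ID matches no outstanding query) can be checked with a small sliding-window detector. The following is an added example, not code from the paper, Cloudflare, or any IDS product; the log format, the IP addresses, the thresholds and the window sizes are all constructed assumptions chosen for illustration, and a real deployment would express the same logic in the rule language of the IDS in use.

```python
import re
from collections import defaultdict, deque

# Constructed, simplified packet-log format (assumption, not a real IDS format):
#   <timestamp> ICMP <src> -> <dst> echo-request
#   <timestamp> DNS  <src> -> <dst> query|response id=0xNNNN
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<proto>ICMP|DNS) (?P<src>[\d.]+) -> (?P<dst>[\d.]+) (?P<detail>.*)$"
)
DNS_DETAIL_RE = re.compile(r"^(query|response) id=0x([0-9a-fA-F]{4})$")

# Illustrative thresholds (assumptions); tune to the traffic profile of the resolver.
ICMP_WINDOW_S, ICMP_THRESHOLD = 1.0, 50    # echo-requests per source within the window
TXID_WINDOW_S, TXID_THRESHOLD = 1.0, 20    # mismatched responses per resolver within the window


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = float(ev["ts"])
    return ev


class SadDnsDetector:
    """Tracks both SAD DNS indicators with per-key sliding windows."""

    def __init__(self):
        self.icmp_times = defaultdict(deque)       # src -> timestamps of echo-requests
        self.outstanding = defaultdict(set)        # (resolver, upstream) -> txids awaiting a reply
        self.mismatch_times = defaultdict(deque)   # resolver -> timestamps of unmatched responses
        self.alerts = set()                        # deduplicated (kind, a, b) tuples

    @staticmethod
    def _prune(dq, now, window):
        # Drop timestamps that have fallen out of the sliding window.
        while dq and now - dq[0] > window:
            dq.popleft()

    def _count(self, dq, now, window, threshold, alert):
        dq.append(now)
        self._prune(dq, now, window)
        if len(dq) >= threshold:
            self.alerts.add(alert)

    def feed(self, line):
        ev = parse_line(line)
        if ev is None:
            return
        if ev["proto"] == "ICMP":
            if ev["detail"] == "echo-request":
                self._count(self.icmp_times[ev["src"]], ev["ts"], ICMP_WINDOW_S,
                            ICMP_THRESHOLD, ("icmp_flood", ev["src"], ev["dst"]))
            return
        m = DNS_DETAIL_RE.match(ev["detail"])
        if not m:
            return
        kind, txid = m.group(1), int(m.group(2), 16)
        if kind == "query":
            # Resolver (src) sent a query to upstream (dst): remember the ID it expects back.
            self.outstanding[(ev["src"], ev["dst"])].add(txid)
        else:
            resolver, upstream = ev["dst"], ev["src"]
            pending = self.outstanding[(resolver, upstream)]
            if txid in pending:
                pending.discard(txid)              # legitimate answer, nothing to flag
            else:
                self._count(self.mismatch_times[resolver], ev["ts"], TXID_WINDOW_S,
                            TXID_THRESHOLD, ("txid_mismatch", resolver, upstream))


def scan(lines):
    """Run the detector over an iterable of log lines and return the alerts raised, sorted."""
    det = SadDnsDetector()
    for line in lines:
        det.feed(line)
    return sorted(det.alerts)


def constructed_sample_log():
    """Constructed sample traffic: one clean lookup, then both indicators in turn."""
    lines = ["1000.000 DNS 192.0.2.53 -> 198.51.100.1 query id=0x1a2b",
             "1000.020 DNS 198.51.100.1 -> 192.0.2.53 response id=0x1a2b"]
    # 60 echo-requests from one host to the resolver inside 0.3 s.
    lines += [f"{1001 + i * 0.005:.3f} ICMP 203.0.113.5 -> 192.0.2.53 echo-request" for i in range(60)]
    # A new query goes out, then 30 responses arrive whose ID matches nothing outstanding.
    lines.append("1002.000 DNS 192.0.2.53 -> 198.51.100.1 query id=0x3c4d")
    lines += [f"{1002.010 + i * 0.002:.3f} DNS 198.51.100.1 -> 192.0.2.53 response id=0x{0x4000 + i:04x}"
              for i in range(30)]
    return lines


if __name__ == "__main__":
    for alert in scan(constructed_sample_log()):
        print(alert)
```

Each indicator on its own is noisy: ICMP bursts have benign causes, and a few unmatched transaction IDs occur naturally when late replies arrive after a timeout. The value is in correlating the two against the same resolver within a short window, which is why the detector keys both windows by the resolver address.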