Persistent Linux Security Problem Enables DNS Cache Poisoning

DNS cache poisoning vulnerability initially uncovered in 2008 still lives on, with the potential to cripple the internet as we know it.

Crude impersonation attacks merely rely on tricking or redirecting a user into visiting a look-alike domain such as gma1l.com or bankofamerica2.com. Eagle-eyed and security-conscious users can spot these attempts for what they are and avoid them.

This vulnerability is different. The victim types the genuine name, the address bar shows exactly “gmail.com” or “bankofamerica.com”, and the resolver nonetheless hands back an attacker-controlled IP address. There is nothing on screen for the user to notice.

Recently, cybercriminals hijacked the DNS of a popular crypto exchange, sowing chaos among its clientele.

The 2021 research found that as many as 38% of the open DNS resolvers on the internet are vulnerable to this type of attack.

Resolvers are the servers that translate domain names into IP addresses. Every connection starts with that lookup, so they are an indispensable cog in the modern internet, and a resolver that answers wrongly silently redirects every client that trusts it.

In a cache poisoning attack, an off-path attacker forges responses to a resolver's outstanding queries so that the resolver caches an attacker-controlled address for a popular website. From then on, every client of that resolver can type the correct address and still be routed to a malicious website or web portal, through no error or oversight of their own.

Large-scale exploitation of this kind of flaw can wreak havoc on the internet.

To make matters worse, this vulnerability is not new. It was revealed and demonstrated publicly by an internet security researcher, Dan Kaminsky, back in 2008.

At the time, Kaminsky had this to say, “It is a fundamental issue affecting the design. Because the system is behaving exactly like it is supposed to behave, the same bug will show up in vendor after vendor after vendor. This one bug affected not just Microsoft … not just Cisco, but everyone.”

The original flaw comes from the protocol's design: a response is matched to a query by a 16-bit transaction ID, so there are only 65,536 possible values. An attacker who also knows the query's source port can flood the resolver with forged responses carrying guessed IDs and expect to hit the right one after a modest number of attempts, poisoning the cache.

In the wake of that disclosure, software makers and network-hardware vendors moved to address the flaw. Security patches were quickly released for Microsoft's DNS client and server as well as for Berkeley Internet Name Domain (BIND).

For most, the fix was source port randomization: instead of sending every query from one fixed source port (often 53), the resolver picks a random ephemeral UDP port for each query. A blind attacker now has to guess both the port and the transaction ID, which raises the search space from 65,536 to roughly 130 million combinations with a range of about 2,000 ports (Linux's default range of 28,232 ephemeral ports gives well over a billion), enough to make blind flooding impractical.
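To make the arithmetic above concrete, here is an added example (not code from the article or from the researchers it cites) that models the 2008-era race: a toy resolver with one outstanding query keyed by (transaction ID, source port), and an off-path attacker who sprays forged replies. The ephemeral range is assumed to be Linux's default 32768-60999; the burst size of 5,000 forged replies per race and the number of races are constructed parameters.

```python
import math
import random

TXID_SPACE = 1 << 16                 # 16-bit DNS transaction ID: 65,536 values
# Assumption: the resolver draws its source port from the Linux default
# net.ipv4.ip_local_port_range (32768-60999); other systems use other ranges.
EPHEMERAL_PORTS = range(32768, 61000)
FIXED_PORT = 53                      # pre-2008 behaviour: every query left from one port


def guess_space(port_randomized: bool) -> int:
    """Number of (txid, port) pairs a blind, off-path attacker has to cover."""
    return TXID_SPACE * (len(EPHEMERAL_PORTS) if port_randomized else 1)


def race_win_probability(burst: int, port_randomized: bool) -> float:
    """P(one burst of `burst` distinct forged replies matches the outstanding query)."""
    return min(1.0, burst / guess_space(port_randomized))


def races_for_confidence(burst: int, port_randomized: bool, target: float = 0.5) -> int:
    """Kaminsky's 2008 insight: each race asks for a fresh random subdomain, so the
    attacker can retry without waiting for a TTL. Returns the number of races
    needed before the cumulative success probability reaches `target`."""
    p = race_win_probability(burst, port_randomized)
    if p >= 1.0:
        return 1
    return math.ceil(math.log(1 - target) / math.log(1 - p))


class ToyResolver:
    """Minimal recursive resolver: one outstanding query identified by (txid, src_port).
    A reply is cached only if both match; that check is all an off-path attacker
    has to defeat by guessing."""

    def __init__(self, port_randomized: bool, rng: random.Random):
        self.txid = rng.randrange(TXID_SPACE)
        self.port = rng.choice(EPHEMERAL_PORTS) if port_randomized else FIXED_PORT

    def accepts(self, txid: int, dst_port: int) -> bool:
        return txid == self.txid and dst_port == self.port


def simulate_races(races: int, burst: int, port_randomized: bool, seed: int = 1) -> int:
    """Run `races` independent races. In each, the attacker floods `burst` forged
    replies with distinct random transaction IDs. Returns how many caches got poisoned."""
    rng = random.Random(seed)
    poisoned = 0
    for _ in range(races):
        resolver = ToyResolver(port_randomized, rng)
        # Off-path: the attacker never sees the query, so it guesses the port
        # (53 if fixed, else one random ephemeral port per burst) and sprays TXIDs.
        guessed_port = rng.choice(EPHEMERAL_PORTS) if port_randomized else FIXED_PORT
        forged_txids = rng.sample(range(TXID_SPACE), burst)
        if any(resolver.accepts(t, guessed_port) for t in forged_txids):
            poisoned += 1
    return poisoned


if __name__ == "__main__":
    for randomized in (False, True):
        label = "random source port" if randomized else "fixed port 53"
        print(f"{label}: search space {guess_space(randomized):,}, "
              f"P(win per race, 5000 forged replies) = "
              f"{race_win_probability(5000, randomized):.2e}, "
              f"races for 50% success: {races_for_confidence(5000, randomized):,}, "
              f"poisoned in 200 simulated races: {simulate_races(200, 5000, randomized)}")
```

With a fixed source port, 5,000 forged replies win about one race in thirteen, so a handful of retried races suffices; with the port randomized, the same flood needs on the order of a quarter of a million races, which is why the 2008 patches were considered adequate until the port itself became inferable.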

However, in 2020 researchers at the University of California, Riverside uncovered a “side channel” in the Linux network stack's ICMP handling that let an off-path attacker infer which randomized source port a resolver was using, reducing the problem back to brute-forcing the 16-bit transaction ID. That channel was promptly fixed, until further research published in 2021 uncovered even more of these side channels.

The complete 2021 research paper, DNS Cache Poisoning Attack: Resurrections with Side Channels, is listed in the references below.

Linux is the main culprit because the side channels live in the kernel's network stack rather than in any one DNS program, so several popular resolver implementations and hosted DNS services have been found to be affected simply by running on it.

“The side channels affect not only Linux but also a wide range of DNS software running on top of it, including BIND, Unbound, and dnsmasq. We also find about 38% of open resolvers (by frontend IPs) and 14% (by backend IPs) are vulnerable, including the popular DNS services such as OpenDNS and Quad9.” Specifically, these attacks abuse ICMP (Internet Control Message Protocol) error handling as the side channel that reveals the resolver's otherwise random source port.
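The following is an added example, not code from the article or the paper, of how an ICMP side channel can leak a port to an attacker who never sees any reply to the probes that matter. It is a toy model of the mechanism the 2020 paper reported: Linux's global ICMP rate limiter, a token bucket shared by all destinations with the default burst of 50 and refill rate of 1,000 per second. The addresses, the known-closed port and the single-open-port assumption are constructed; the model ignores the separate per-destination ICMP limit and the fact that a real resolver's port is only open while a query is outstanding.

```python
import random
from typing import List, Optional

# Toy model of the Linux global ICMP rate limiter (icmp_msgs_burst=50,
# icmp_msgs_per_sec=1000 defaults). Constructed for illustration; not kernel code.
GLOBAL_BURST = 50
SPOOFED_SRC = "198.51.100.53"   # authoritative server: ICMP for spoofed probes goes here, not to us
ATTACKER_SRC = "203.0.113.7"    # our own address: the only ICMP we can observe
KNOWN_CLOSED = 1                # assumption: a port the attacker has confirmed closed on the target


class ToyLinuxHost:
    """UDP target with one open ephemeral port: the resolver's outstanding query socket."""

    def __init__(self, open_port: int):
        self.open_port = open_port
        self.tokens = GLOBAL_BURST
        self.rounds = 0
        self.icmp_to_attacker = 0

    def new_time_slot(self) -> None:
        """Advance to the next rate-limit window: the bucket is full again."""
        self.tokens = GLOBAL_BURST
        self.rounds += 1

    def recv_udp(self, src_ip: str, dst_port: int) -> bool:
        """Deliver a datagram. Returns True if an ICMP port-unreachable goes back to src_ip."""
        if dst_port == self.open_port:
            return False          # open socket: delivered, no ICMP, no token spent
        if self.tokens == 0:
            return False          # closed port but limiter exhausted: error silently dropped
        self.tokens -= 1          # closed port: ICMP error sent, one *global* token consumed
        if src_ip == ATTACKER_SRC:
            self.icmp_to_attacker += 1
        return True


def batch_contains_open(host: ToyLinuxHost, ports: List[int]) -> bool:
    """One rate-limit window: 50 spoofed probes, then one probe whose answer we can see.

    If every port in `ports` is closed, the 50 spoofed probes (padded with a known-closed
    port) drain all 50 tokens and our own probe gets no ICMP. If one port is open, one
    token is left over and we do get an ICMP back. The spoofed probes' replies go to the
    spoofed address; we never need to see them."""
    assert 0 < len(ports) <= GLOBAL_BURST
    host.new_time_slot()
    padding = [KNOWN_CLOSED] * (GLOBAL_BURST - len(ports))
    for port in list(ports) + padding:
        host.recv_udp(SPOOFED_SRC, port)
    return host.recv_udp(ATTACKER_SRC, KNOWN_CLOSED)


def find_open_port(host: ToyLinuxHost, candidates: List[int]) -> Optional[int]:
    """Scan in batches of 50, then binary-search inside the first batch that signals open."""
    for start in range(0, len(candidates), GLOBAL_BURST):
        batch = candidates[start:start + GLOBAL_BURST]
        if not batch_contains_open(host, batch):
            continue
        while len(batch) > 1:
            left = batch[:len(batch) // 2]
            batch = left if batch_contains_open(host, left) else batch[len(left):]
        return batch[0]
    return None


if __name__ == "__main__":
    rng = random.Random(7)
    secret_port = rng.choice(range(32768, 61000))   # constructed: the resolver's hidden source port
    host = ToyLinuxHost(secret_port)
    found = find_open_port(host, list(range(32768, 61000)))
    print(f"resolver port {secret_port}, inferred {found} after {host.rounds} windows "
          f"(~{host.rounds * GLOBAL_BURST / 1000:.1f}s at 1,000 ICMP/s); "
          f"ICMP replies the attacker actually received: {host.icmp_to_attacker}")
```

The point of the model is that the shared counter turns "did I get an ICMP error?" into a one-bit oracle about 50 ports at once, so the whole ephemeral range falls in a few hundred windows. Once the port is known, only the 16-bit transaction ID is left to flood, which is the 2008 situation all over again. The kernel fix for this particular channel added randomness to the global limiter so the oracle no longer answers reliably; the 2021 work found other ICMP paths that still do.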

A number of workarounds and quick fixes have been recommended while official patches from the various software and hardware vendors are awaited. Since every variant of this attack still has to guess a port and a transaction ID, practitioners also layer in defenses that do not depend on that entropy alone, such as DNSSEC validation on the resolver, DNS cookies (RFC 7873) and 0x20 case randomization of query names, which hold regardless of which kernel side channel is found next.

References

Kaminsky (finally) reveals gaping hole in internet
DNS Cache Poisoning Attack: Resurrections with Side Channels
Linux has a serious security problem that once again enables DNS cache poisoning