Tuesday, 31 May 2016

Re: ANN: DNS resolver changes in yakkety

On Tue, May 31, 2016 at 11:33:43PM +0200, Martin Pitt wrote:
> Martin Pitt [2016-05-31 22:45 +0200]:
> > Can you please give a sketch how to look up the source port that the
> > resolver uses? That'd be a good piece of information for the upstream
> > bug report too, as it's not at all obvious.
> Look up, and also how to forge it -- as creating a RAW_SOCKET requires
> root privileges, so I suppose it can be done with a normal UDP socket
> somehow?

You can forge the source port very easily by just calling bind() with
the wanted source port.

The difficulty is with forging the source address. You can use any IP
which the machine already has, but you can't typically use anything

That's why such attacks usually involve a second computer (or container
or VM) on which you have root access and which is attached to the same
subnet as the first. It doesn't need to be in the path (so no MITM),
just to be close to the target and have a route to it.

As you have root access to that second computer, you can write a tiny
bit of code that runs on it and will send any raw packet that you need.

So if I was to perform such an attack, I'd have a tiny service on my
laptop which listens on a port for a string containing the IP address of
the DNS server to impersonate and its port.

Then I'd have another piece of software on the machine I want to poison
which does the DNS query for the record I want to poison, immediately
looks up the source port and DNS server IP which was used and sends those
to my laptop. My laptop then immediately replaces those two in a
pre-generated pcap containing 32768 UDP packets (one for each of the
transaction IDs) and dumps the generated pcap onto the wire.

This entirely avoids having to go through the whole kernel stack to
generate a real UDP connection. You just dump all 32768 packets into the
network card in one shot.

Then even if it takes a while for the target to process them all, you
are almost guaranteed to have them all ahead of the real reply in the
queue and so have a pretty good chance to indeed poison the cache.

> Thanks!
> Martin

Stéphane Graber
Ubuntu developer
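The question that opened the thread (how to see which source port the resolver actually used) is also the measurement a defender wants: the burst attack described above only works when the resolver's source port is predictable, so that the attacker only has to cover the transaction-ID space. The following is an added example, not code from the thread nor from Martin Pitt or Stéphane Graber. It acts as a fake upstream DNS server that you point a stub resolver at (assumption: in a test VM or container, with the resolver configured to use the listener's address as its nameserver), records the UDP source port and transaction ID of every query it receives, and reports whether the port is fixed and how much variation the port and ID show. The `build_query` helper and the sample observations are constructed here purely so the analysis can be exercised offline.

```python
"""Measure source-port and transaction-ID randomisation of a stub resolver.

Added example; not part of the mailing-list thread. Assumes the resolver
under test is pointed at this process (e.g. nameserver 127.0.0.1 on a
non-privileged port in a test VM).
"""
import math
import socket
import struct
from collections import Counter


def build_query(name: str, txid: int) -> bytes:
    """Construct a minimal DNS A query (RFC 1035) for offline testing."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_dns_header(packet: bytes) -> dict:
    """Parse the fixed 12-byte DNS header; raises on a truncated packet."""
    if len(packet) < 12:
        raise ValueError("packet too short for a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def entropy_bits(values) -> float:
    """Shannon entropy (bits) of the empirical distribution of values.

    Bounded by log2(number of samples), so a small capture can only show a
    lack of randomness, never prove full 16-bit randomness.
    """
    counts = Counter(values)
    total = sum(counts.values())
    return max(0.0, -sum((c / total) * math.log2(c / total) for c in counts.values()))


def assess(observations) -> dict:
    """observations: iterable of (source_port, txid) pairs seen by the fake upstream.

    A fixed source port means an off-path attacker only has to cover the
    16-bit transaction-ID space, which is exactly the pre-generated burst the
    thread describes; a randomised port multiplies that guessing space.
    """
    obs = list(observations)
    ports = [p for p, _ in obs]
    txids = [t for _, t in obs]
    distinct_ports = len(set(ports))
    return {
        "samples": len(obs),
        "distinct_ports": distinct_ports,
        "port_entropy_bits": round(entropy_bits(ports), 2),
        "txid_entropy_bits": round(entropy_bits(txids), 2),
        "fixed_source_port": len(obs) > 1 and distinct_ports == 1,
    }


def record_queries(bind_addr: str = "127.0.0.1", port: int = 5353, count: int = 64):
    """Listen as a fake upstream and collect (source_port, txid) for `count` queries.

    Queries are deliberately never answered, so the resolver times out and
    retries; that is what produces repeated samples from one client.
    """
    observations = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while len(observations) < count:
            data, (src_ip, src_port) = sock.recvfrom(512)
            try:
                hdr = parse_dns_header(data)
            except ValueError:
                continue  # ignore non-DNS junk on the port
            if not hdr["is_response"]:
                observations.append((src_port, hdr["txid"]))
    return observations


if __name__ == "__main__":
    # Real use: run this, then make the resolver under test send queries here.
    print(assess(record_queries()))
```

Read the result with its sample size in mind: `fixed_source_port` being true after a few dozen queries is conclusive, while an entropy figure near `log2(samples)` only says that no repetition was seen in that capture.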