DNS Record Injection Vulnerabilities in Customer-premises … · 2018. 7. 27. · DNS Record...
DNS Record Injection Vulnerabilities in Home Routers
Kyle Schomp†, Tom Callahan†, Michael Rabinovich†, Mark Allman†‡
†Case Western Reserve University, ‡International Computer Science Institute
1
Attacks targeting DNS resolvers
• Various attempts to poison DNS resolver caches
  • Bailiwick violations
  • Kaminsky vulnerability
• Tempting targets because they handle a large number of clients
  • One successful attack → many victims
• Mitigations for these problems
  • Bailiwick rules nearly universally applied
  • Transaction ID randomization, ephemeral port randomization, 0x20 encoding
  • 16% of resolvers use static ephemeral port – Kaminsky vulnerable
2
Open resolvers: a (still) growing problem
• openresolverproject.org indicates there are 27 million open resolvers on the Internet!
• Researchers found just 15 million open resolvers in 2008
• Almost doubling in last 6 years
  • (Recent downturn)
• But what are open resolvers?
3
Leonard, Derek, and Dmitri Loguinov. "Demystifying service discovery: implementing an internet-wide scanner." Proceedings of the 10th ACM SIGCOMM conference on Internet measurement. ACM, 2010.
Many open resolvers are home routers
• Many open resolvers have names from the Alexa top 1,000 in cache
• Used low-end embedded device in residential location
4
| The evidence | % of Open Resolvers |
| --- | --- |
| RomPager embedded web server on port 80 | 24% |
| Basic HTTP auth realm header ("3068 DSL-2641R") | 24% |
| PBL listed by Spamhaus | 51% |
| PBL listed by ISP | 17% |
| DNS response from wrong port (self-NATing) | 48% |
| Total | 78% |

From a sample of 1 million open resolvers
Home routers as simple DNS forwarders
• Accept a request from a device
• Forward the request to an upstream resolver
• Cache the response
• Return the response to the device
5
[Diagram: Device → Home Router → Resolver. The device's query "www.google.com ?" is forwarded upstream; the response "www.google.com = G" is stored (CACHE: www.google.com = G) and returned to the device.]
What could go wrong?
• …besides home routers acting as open resolvers – not a good thing
• Serious vulnerabilities have previously been discovered in resolvers operated by major DNS providers
• Might home routers have DNS vulnerabilities as well?
6
Preplay vulnerability
• Many home routers simply do not validate DNS responses
  • Responses accepted from any source IP address / port
• Ephemeral port number not validated
• Transaction ID either unmodified in forwarding or not validated
• No guessing involved in the attacks at all!
• In open resolver samples, 7-9% have this vulnerability
  • Estimate 2-3 million boxes on the Internet are vulnerable
7
Schomp, Kyle, Tom Callahan, Michael Rabinovich, and Mark Allman. "Assessing DNS vulnerability to record injection." PAM 2014.
Example preplay attack
• Attacker sends request for domain name to poison
• Attacker immediately sends a response binding to A
  • (before response from shared resolver)
• The home router inserts the binding into its cache
• Client device subsequently requests domain name
• Receives poison
8
[Diagram: Attacker → Home Router ← Device. The attacker's query "www.victim.com ?" and the attacker's response "www.victim.com = A" both reach the home router, which stores the binding (CACHE: www.victim.com = A); the device's later query "www.victim.com ?" is answered from the cache with "www.victim.com = A".]
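The forwarder steps from slide 5 and the validation gaps from slides 7 and 8, as an added Python model that is not from the paper or the talk: a forwarder with validation switched off accepts any response naming an outstanding query, while one that checks source address, source port, the ephemeral destination port and the transaction ID rejects the same unsolicited datagram. The upstream resolver address and every packet value are constructed.

```python
import secrets
from dataclasses import dataclass
UPSTREAM = "198.51.100.53"  # assumed upstream resolver address (constructed value)
@dataclass(frozen=True)
class Query:          # state the forwarder keeps per outstanding query
    qname: str
    txid: int         # transaction ID used upstream
    src_port: int     # ephemeral port the query was sent from
@dataclass(frozen=True)
class Response:       # a UDP response as it arrives on the router's WAN side
    qname: str
    rdata: str
    txid: int
    src_ip: str
    src_port: int
    dst_port: int     # router port the datagram arrived at

class Forwarder:
    def __init__(self, strict: bool):
        self.strict = strict  # False mirrors the no-validation routers on the slides
        self.pending, self.cache = {}, {}

    def forward(self, qname: str) -> Query:
        # A hardened forwarder picks a fresh random txid and ephemeral port per query.
        q = Query(qname, secrets.randbelow(1 << 16), 1024 + secrets.randbelow(64512))
        self.pending[qname] = q
        return q

    def accept(self, r: Response) -> bool:
        q = self.pending.get(r.qname)
        if q is None:
            return False  # no outstanding query for this name
        if self.strict and not (r.src_ip == UPSTREAM and r.src_port == 53
                                and r.dst_port == q.src_port and r.txid == q.txid):
            return False  # source address, port or transaction ID mismatch
        self.cache[r.qname] = r.rdata
        del self.pending[r.qname]
        return True

def outcome(strict: bool, unsolicited: bool):
    """Forward one query, deliver one response, return what the cache holds."""
    fwd = Forwarder(strict)
    q = fwd.forward("www.victim.com")
    if unsolicited:  # constructed response from a non-upstream source, arbitrary fields
        r = Response("www.victim.com", "A", 0x1234, "203.0.113.7", 4444, 53)
    else:            # genuine upstream answer echoing the txid and ephemeral port
        r = Response("www.victim.com", "G", q.txid, UPSTREAM, 53, q.src_port)
    fwd.accept(r)
    return fwd.cache.get("www.victim.com")
```

With `strict=False` the constructed unsolicited response lands in the cache exactly as on the slide; with `strict=True` it is discarded because its source address already fails the first check, before any port or transaction ID comparison is needed.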
But there’s more…
• Preplay vulnerability doesn’t require any guessing
• Another 7-10% of home routers are only protected by a variable port number
• Guessing the correct port number from [0,65535] is hard
• But the selected port number may not be random
9
Why poison home router caches?

| Attack on major DNS resolver | Attack on home router |
| --- | --- |
| Complex attack | Trivial to launch |
| Affects potentially thousands | Single household affected |
| Detectable via IDS | No one's watching |
| Poison whole domains | Poison single query string |
10
Home routers putting us at risk
• Record injection not the only reason home routers are dangerous
• Reflection / DNS amplification attacks because they are open
• Indirect attacks on closed portions of the resolver infrastructure
11
[Diagram: Attacker sends "x.com ?" to a home router, which forwards it to the closed ISP resolver.]
What can we do about this?
• Home router software doesn't get updated
  • Wait a few years for hardware update
• Future models could have an automatic update feature
• Vendors can push security updates
• UDP/53 blocking to residential IP address ranges
  • Nearly all home routers only accept DNS requests on port 53
  • Blocking would be effective
• *Some* use port 53 as the ephemeral port
  • Care must be taken not to block their legitimate traffic
  • Make exceptions for popular public DNS resolvers (e.g., 8.8.8.8)
  • Might block other legitimate client traffic
12
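The UDP/53 blocking policy and its exception for public resolvers, as an added Python model (not from the talk) of the per-datagram decision an ISP edge filter would make; the residential prefix, the second exempted resolver address and the sample flows are constructed, and the last sample flow shows the collateral blocking the slide warns about.

```python
import ipaddress
from typing import List, Tuple

# Constructed example inputs: one residential customer prefix (a documentation range)
# and the public resolvers exempted from blocking; 8.8.8.8 is the one the slide names.
RESIDENTIAL = [ipaddress.ip_network("198.51.100.0/24")]
PUBLIC_RESOLVERS = {ipaddress.ip_address("8.8.8.8"), ipaddress.ip_address("8.8.4.4")}

def block_inbound_udp53(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bool:
    """True if the edge filter should drop this inbound UDP datagram.

    Policy from the slide: drop UDP to port 53 on residential ranges (unsolicited
    queries to home routers), but let replies from listed public resolvers through,
    because some routers use port 53 itself as their ephemeral source port.
    """
    dst = ipaddress.ip_address(dst_ip)
    if dst_port != 53 or not any(dst in net for net in RESIDENTIAL):
        return False   # not DNS to a residential address: outside the policy
    src = ipaddress.ip_address(src_ip)
    if src in PUBLIC_RESOLVERS and src_port == 53:
        return False   # reply from an exempted resolver to a port-53 ephemeral port
    return True        # unsolicited query, or a reply from a resolver not on the list

def apply_policy(flows: List[str]) -> List[Tuple[str, str]]:
    """Label constructed flow records of the form 'src:sport>dst:dport'."""
    labelled = []
    for flow in flows:
        src, dst = flow.split(">")
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        drop = block_inbound_udp53(src_ip, int(src_port), dst_ip, int(dst_port))
        labelled.append((flow, "DROP" if drop else "PASS"))
    return labelled

# Constructed sample flows; the last one is a router using port 53 as its ephemeral
# port with an upstream resolver that is not on the exception list.
SAMPLE_FLOWS = [
    "203.0.113.9:40000>198.51.100.20:53",   # query from an arbitrary host to a home router
    "203.0.113.9:53>198.51.100.20:53",      # same, with source port 53 (not exempt by itself)
    "8.8.8.8:53>198.51.100.20:53",          # reply from exempted resolver to ephemeral port 53
    "8.8.8.8:53>198.51.100.20:41234",       # reply to a normal ephemeral port: unaffected
    "203.0.113.9:40000>203.0.113.50:53",    # DNS to a non-residential address: unaffected
    "192.0.2.10:53>198.51.100.20:53",       # legitimate reply from an unlisted resolver: dropped
]
```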