Upload: kasi

Post on 23-Feb-2016

61 views

Category:

Documents


0 download

DESCRIPTION

29 th Annual Computer Security Applications Conference (ACSAC 2013). Socket Overloading for Fun and Cache-Poisoning. Amir Herzberg 1 ; Haya Shulman 2 1 Bar Ilan University 2 Technische Universität Darmstadt/EC-SPRIDE. 左昌國 2013/12/10 Seminar @ ADLab , CSIE, NCU. Outline. - PowerPoint PPT Presentation

TRANSCRIPT

Page 1

Socket Overloading for Fun and Cache-Poisoning
Amir Herzberg (Bar Ilan University); Haya Shulman (Technische Universität Darmstadt/EC-SPRIDE)

29th Annual Computer Security Applications Conference (ACSAC 2013)

Presented by 左昌國, 2013/12/10, Seminar @ ADLab, CSIE, NCU

Page 2

Outline
• Introduction
• Socket Overloading
• Evaluation
• Port Derandomization via Socket Overloading
• Socket-Overloading for Attacks on DNS
• Defenses and Conclusions

Page 3

Introduction
• What is DNS
  • Ref: http://www.csie.ncu.edu.tw/~hsufh/COURSES/FALL2013/14_dns.ppt
  • Ref: Steve Friedl, http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html
• Attacks on DNS (categorized by position of attackers)
  • Man-in-the-Middle
    • Less than 3% of DNS resolvers enforce strict DNSSEC (cryptographic)
  • Off-path attacks

Page 4

Introduction
• Basic cache-poisoning (without any defense mechanism)

Figure (slide 4): parties are the Victim, the Resolver, the Name Server "ns.foo.com", the Attacker Server "6.6.6.6" and the Attacker Server "6.6.6.7". Message sequence as labelled:
(1) Victim -> Resolver: query IP for "www.foo.com"
(2) Resolver -> Name Server "ns.foo.com": query IP for "www.foo.com"
(3) Attacker Server "6.6.6.6" -> Resolver: response "www.foo.com" == "6.6.6.7", TTL = 1 year
(4) Resolver -> Victim: response "6.6.6.7"
(5) Victim accesses "www.foo.com" == "6.6.6.7" (the Attacker Server "6.6.6.7")

Page 5

Introduction – DNS Security
• Challenge-Response Defenses (to off-path attacks)
  • Standardized challenges [RFC5452]
    • DNS transaction ID (TXID) field
    • Source port randomization (DJBDNS)
      • Port randomization algorithms [RFC6056] (Best Current Practice)
    • IP address randomization
• Cryptographic Defense (DNSSEC)

Page 6

Introduction
• Attacking model

Page 7

Introduction – Related Work
• Off-Path Port Derandomization Attacks
  • A. Herzberg and H. Shulman. "Security of Patched DNS", Computer Security – ESORICS 2012
• Off-Path IP Address Derandomization Attacks
  • A. Herzberg and H. Shulman. "Security of Patched DNS", Computer Security – ESORICS 2012
  • O. Gudmundsson and S. D. Crocker. "Observing DNSSEC Validation in the Wild", SATIN 2011

Page 8

Socket Overloading
• The target
  • To discover the client's (ephemeral) port in its communication with the name server
• Interrupt Driven Packet Handling
  • Unix and Windows use hardware interrupts for event notification (input/output on hardware)
  • NICs generate interrupts to notify the kernel of the arrival of new packets
  • These interrupts disrupt protocol processing
  • Under high traffic load, the socket's receive buffer may fill up, and subsequent packets will be dropped

Page 9

Socket Overloading for Port Discovery

Figure (slide 9): Client 1.2.3.6, Resolver 1.2.3.4, NS 5.6.7.8, Off-path Attacker 6.6.6.6. Packets are given as src:port -> dst:port, payload.
(1) Client -> Resolver: 1.2.3.6:x -> 1.2.3.4:53, A? $1.foo.org
(2) Resolver -> NS: 1.2.3.4:3424 -> 5.6.7.8:53, A? $1.foo.org
(3) Attacker -> Resolver: burst of N packets 6.6.6.6:x -> 1.2.3.4:3424, payload AAAAAAAAAA; the NS response 5.6.7.8:53 -> 1.2.3.4:3424 ($1.foo.org NXD) arrives during the burst and is lost
(4) Resolver times out and retransmits: 1.2.3.4:3425 -> 5.6.7.8:53, A? $1.foo.org
(5) NS -> Resolver: 5.6.7.8:53 -> 1.2.3.4:3425, $1.foo.org NXD
(6) Resolver -> Client: 1.2.3.4:53 -> 1.2.3.6:x, $1.foo.org NXD; the client reports the response time
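The burst in step (3) is visible on the wire at the resolver: dozens of UDP packets to one ephemeral port within milliseconds, whereas a DNS exchange produces exactly one response per outstanding query. The following detector is an added example written for this page (it is not from the slides or the paper) and runs over constructed flow records in an assumed "ts src:sport > dst:dport udp len" format; the resolver address, window and threshold are assumptions for the demo.

```python
# Added example: flag ephemeral ports on a resolver that receive an abnormal
# burst of inbound UDP packets, the on-the-wire footprint of socket overloading.
# Record format, resolver address, window and threshold are constructed for
# this demo and are not from the slides.
import re
from collections import defaultdict

RESOLVER_IP = "1.2.3.4"  # constructed, matches the figure on slide 9

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+udp\s+(?P<len>\d+)$"
)


def parse_record(line):
    """Parse one constructed flow record into a dict; reject anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    return {"ts": float(m["ts"]), "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "len": int(m["len"])}


def detect_overloading(lines, resolver_ip=RESOLVER_IP, window_s=0.05, threshold=32):
    """Return one alert per resolver ephemeral port that receives >= threshold
    inbound UDP packets within window_s seconds.

    Keying on the destination port rather than the source address matters:
    the sender address can be spoofed, but the port being flooded cannot."""
    by_port = defaultdict(list)
    for line in lines:
        r = parse_record(line)
        # Only traffic *to* the resolver's ephemeral range; dport 53 is client
        # query traffic to the listening socket, which is a separate question.
        if r["dst"] != resolver_ip or r["dport"] <= 1023:
            continue
        by_port[r["dport"]].append(r)

    alerts = []
    for dport, recs in by_port.items():
        recs.sort(key=lambda r: r["ts"])
        lo = 0
        for hi in range(len(recs)):
            # Sliding window: drop records older than window_s from the front.
            while recs[hi]["ts"] - recs[lo]["ts"] > window_s:
                lo += 1
            if hi - lo + 1 >= threshold:
                srcs = defaultdict(int)
                for r in recs[lo:hi + 1]:
                    srcs[r["src"]] += 1
                alerts.append({"dport": dport, "in_window": hi - lo + 1,
                               "total": len(recs), "start": recs[lo]["ts"],
                               "end": recs[hi]["ts"],
                               "top_src": max(srcs, key=srcs.get)})
                break  # one alert per port is enough
    return alerts


def constructed_sample():
    """Constructed records mirroring slide 9: one legitimate exchange, a
    60-packet burst to the resolver's port 3424, then normal traffic."""
    lines = [
        "1000.0000 1.2.3.6:40001 > 1.2.3.4:53 udp 45",   # client query in
        "1000.0010 1.2.3.4:3424 > 5.6.7.8:53 udp 45",    # resolver query out
    ]
    lines += [f"{1000.002 + i * 0.0003:.4f} 6.6.6.6:4444 > 1.2.3.4:3424 udp 1024"
              for i in range(60)]                         # the burst, ~18 ms
    lines.append("1000.0300 5.6.7.8:53 > 1.2.3.4:3424 udp 80")  # real answer
    lines.append("1000.5000 1.2.3.6:40002 > 1.2.3.4:53 udp 45")
    lines.append("1000.5100 5.6.7.8:53 > 1.2.3.4:3425 udp 80")  # one response, benign
    return lines


if __name__ == "__main__":
    for a in detect_overloading(constructed_sample()):
        print(f"port {a['dport']}: {a['total']} packets, {a['in_window']} within "
              f"{a['end'] - a['start']:.3f}s, top source {a['top_src']}")
```

On the constructed sample, port 3424 is reported with 61 packets and 6.6.6.6 as the dominant source, while port 3425, which received the single response a normal lookup produces, raises nothing. The threshold should be tuned to the resolver's real query rate; a shared ephemeral port (e.g. a resolver that keeps one socket open for many queries) will need a much higher one.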

Page 10

Evaluation

Page 11

Evaluation

Page 12

Port Derandomization via Socket Overloading
• In RFC-6056
  • 5 algorithms to perform port randomization
  • Algorithm #1 and #2
    • Not vulnerable to socket overloading
    • Vulnerable to the attacks in [12]
  • Algorithm #3 – Simple Hash-Based Port Selection
  • Algorithm #4 – Double-Hash Port Selection
  • Algorithm #5 – Random-Increments Port Selection

Page 13

Alg. #3 – Simple Hash-Based Port Selection

    /* Initialization at system boot time. Could be random. */
    next_ephemeral = 0;

    /* Ephemeral port selection function */
    num_ephemeral = max_ephemeral - min_ephemeral + 1;
    offset = F(local_IP, remote_IP, remote_port, secret_key);
    count = num_ephemeral;

    do {
        port = min_ephemeral + (next_ephemeral + offset) % num_ephemeral;
        next_ephemeral++;
        if (check_suitable_port(port))
            return port;
        count--;
    } while (count > 0);

    return ERROR;

Page 14

Port Derandomization via Socket Overloading

Figure (slide 14): Client 1.2.3.6, Resolver 1.2.3.4, NS 5.6.7.8, Off-path Attacker 6.6.6.6.
(1) Client sends a DNS request (srcPort x) and measures the normal response latency δ
(2) Resolver -> NS: DNS request, srcPort y
(3) Attacker -> Resolver: burst of N UDP packets to dstPort z
(4) NS -> Resolver: DNS response, dstPort y; Resolver -> Client: DNS response, dstPort x
(5) Client measures the response latency t = τ
If τ > δ, then z == y; else repeat with port = z - 1

Page 15

Port Derandomization via Socket Overloading

Page 16

Alg. #4 – Double-Hash Port Selection

    /* Initialization at system boot time */
    for (i = 0; i < TABLE_LENGTH; i++)
        table[i] = random() % 65536;

    /* Ephemeral port selection function */
    num_ephemeral = max_ephemeral - min_ephemeral + 1;
    offset = F(local_IP, remote_IP, remote_port, secret_key1);
    index = G(local_IP, remote_IP, remote_port, secret_key2);
    count = num_ephemeral;

    do {
        port = min_ephemeral + (offset + table[index]) % num_ephemeral;
        table[index]++;
        if (check_suitable_port(port))
            return port;
        count--;
    } while (count > 0);

    return ERROR;

Page 17

Alg. #5 – Random-Increments Port Selection

    /* Initialization code at system boot time. */
    next_ephemeral = random() % 65536;  /* Initialization value */
    N = 500;                            /* Determines the trade-off */

    /* Ephemeral port selection function */
    num_ephemeral = max_ephemeral - min_ephemeral + 1;
    count = num_ephemeral;

    do {
        next_ephemeral = next_ephemeral + (random() % N) + 1;
        port = min_ephemeral + (next_ephemeral % num_ephemeral);
        if (check_suitable_port(port))
            return port;
        count--;
    } while (count > 0);

    return ERROR;
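What makes Algorithms #3 and #4 searchable with the z, z-1, ... probe of slide 14, and Algorithm #5 (and the fully random Algorithm #1 from the Defenses slide) much less so, is how predictable the next port to the same destination is once one port is known. The following is an added example for this page, not code from the slides or from RFC 6056: it implements the three algorithms shown on slides 13, 16 and 17 plus Algorithm #1 in Python and measures, for each, how often the port of the next query to one name server is exactly the previous port plus one. Assumptions: F and G are modelled as HMAC-SHA256 truncated to 32 bits, the port range is 1024..65535, and a query's port is released as soon as its response arrives, so check_suitable_port() only has to avoid ports still in use.

```python
# Added example: RFC 6056 port-selection algorithms 1, 3, 4 and 5 in Python
# and a predictability measurement. F/G are modelled by HMAC-SHA256 (assumed);
# keys and addresses are constructed values.
import hashlib
import hmac
import random

MIN_EPHEMERAL = 1024
MAX_EPHEMERAL = 65535
NUM_EPHEMERAL = MAX_EPHEMERAL - MIN_EPHEMERAL + 1


def keyed_hash(key, local_ip, remote_ip, remote_port):
    """Stand-in for RFC 6056's F()/G(): secret-keyed hash of the 3-tuple."""
    msg = f"{local_ip}|{remote_ip}|{remote_port}".encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")


class SimpleRandom:
    """Algorithm 1: every port drawn independently at random (full randomization)."""
    def __init__(self, rng):
        self.rng = rng

    def select(self, local_ip, remote_ip, remote_port, in_use):
        for _ in range(NUM_EPHEMERAL):
            port = MIN_EPHEMERAL + self.rng.randrange(NUM_EPHEMERAL)
            if port not in in_use:
                return port
        raise RuntimeError("no free port")


class SimpleHash:
    """Algorithm 3: one global counter plus a per-destination secret offset."""
    def __init__(self, key):
        self.key, self.next_ephemeral = key, 0

    def select(self, local_ip, remote_ip, remote_port, in_use):
        offset = keyed_hash(self.key, local_ip, remote_ip, remote_port)
        for _ in range(NUM_EPHEMERAL):
            port = MIN_EPHEMERAL + (self.next_ephemeral + offset) % NUM_EPHEMERAL
            self.next_ephemeral += 1
            if port not in in_use:
                return port
        raise RuntimeError("no free port")


class DoubleHash:
    """Algorithm 4: a per-destination counter picked by a second keyed hash."""
    TABLE_LENGTH = 10

    def __init__(self, key1, key2, rng):
        self.key1, self.key2 = key1, key2
        self.table = [rng.randrange(65536) for _ in range(self.TABLE_LENGTH)]

    def select(self, local_ip, remote_ip, remote_port, in_use):
        offset = keyed_hash(self.key1, local_ip, remote_ip, remote_port)
        index = keyed_hash(self.key2, local_ip, remote_ip, remote_port) % self.TABLE_LENGTH
        for _ in range(NUM_EPHEMERAL):
            port = MIN_EPHEMERAL + (offset + self.table[index]) % NUM_EPHEMERAL
            self.table[index] += 1
            if port not in in_use:
                return port
        raise RuntimeError("no free port")


class RandomIncrements:
    """Algorithm 5: one global counter advanced by a random step in [1, N]."""
    def __init__(self, rng, n=500):
        self.rng, self.n = rng, n
        self.next_ephemeral = rng.randrange(65536)

    def select(self, local_ip, remote_ip, remote_port, in_use):
        for _ in range(NUM_EPHEMERAL):
            self.next_ephemeral += self.rng.randrange(self.n) + 1
            port = MIN_EPHEMERAL + self.next_ephemeral % NUM_EPHEMERAL
            if port not in in_use:
                return port
        raise RuntimeError("no free port")


def successor_predictability(selector, local_ip, remote_ip, remote_port, trials=200):
    """Fraction of consecutive queries to one destination whose port is exactly
    the previous port + 1 (with wrap-around). 1.0 means that whoever has found
    one port knows the next one, which is what the z, z-1, ... search relies on."""
    in_use = set()  # ports are released immediately (assumption in the lead-in)
    prev = selector.select(local_ip, remote_ip, remote_port, in_use)
    hits = 0
    for _ in range(trials):
        cur = selector.select(local_ip, remote_ip, remote_port, in_use)
        if cur == prev + 1 or (prev == MAX_EPHEMERAL and cur == MIN_EPHEMERAL):
            hits += 1
        prev = cur
    return hits / trials


def predictability_report(seed=1):
    """Run the measurement for each algorithm against one name server (5.6.7.8:53)."""
    selectors = {
        "alg1_simple_random": SimpleRandom(random.Random(seed)),
        "alg3_simple_hash": SimpleHash(b"constructed-secret-key"),
        "alg4_double_hash": DoubleHash(b"constructed-key-1", b"constructed-key-2",
                                       random.Random(seed)),
        "alg5_random_increments": RandomIncrements(random.Random(seed + 1)),
    }
    return {name: successor_predictability(s, "1.2.3.4", "5.6.7.8", 53)
            for name, s in selectors.items()}


if __name__ == "__main__":
    for name, frac in predictability_report().items():
        print(f"{name:24s} next port == previous + 1 in {frac:.1%} of queries")
```

Algorithms #3 and #4 score 1.0: with the same destination the offset (and, for #4, the table index) is constant, so successive ports to that name server are consecutive, and a single discovered port pins down the next one. Algorithm #5 scores about 1/N and Algorithm #1 about 1/64512, which is why the slides list them as not vulnerable to this search and why the Defenses slide recommends avoiding per-destination sequential allocation.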

Page 18

Alg. #5 – Random-Increments Port Selection
• Birthday Protection
  • A birthday attack requires multiple requests and multiple responses, so the resolver does not send multiple concurrent requests for the same query
• How to circumvent Birthday Protection?
  • N DNS requests for j.foo.org, where 0 <= j <= N
  • These are not the same hostname, so they pass the protection
  • Then the socket overloading attack finds the correct port
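To make the two bullets above concrete, here is an added example (mine, not from the slides or any resolver's code) of the resolver-side data structure behind birthday protection: a table of outstanding upstream queries keyed by (name, type), so that concurrent requests for the same name share one socket, and a count of how many upstream sockets N concurrent requests open when the names differ. The sequential port counter is a constructed stand-in for the kernel's port selection.

```python
# Added example: model of "birthday protection" (coalescing identical in-flight
# queries) and of what N concurrent queries for distinct names cost in sockets.
# Port numbers and the starting port are constructed, not from the slides.


class PendingTable:
    """Outstanding upstream queries keyed by (qname, qtype)."""

    def __init__(self):
        self.pending = {}        # (qname, qtype) -> {"port": int, "waiters": [client ids]}
        self.next_port = 3424    # constructed starting port, stands in for port selection
        self.sockets_opened = 0

    def request(self, client_id, qname, qtype="A"):
        """A client query arrives; return the upstream port it is sent from."""
        key = (qname.lower().rstrip("."), qtype)
        entry = self.pending.get(key)
        if entry is not None:
            # Same query already in flight: queue the client, open no new socket.
            entry["waiters"].append(client_id)
            return entry["port"]
        port = self.next_port
        self.next_port += 1
        self.sockets_opened += 1
        self.pending[key] = {"port": port, "waiters": [client_id]}
        return port

    def response(self, qname, qtype="A"):
        """An upstream answer arrives; release the socket and return the clients to answer."""
        entry = self.pending.pop((qname.lower().rstrip("."), qtype), None)
        return [] if entry is None else entry["waiters"]


def sockets_for_same_name(n, name="www.foo.org"):
    """n concurrent requests for one name: (sockets opened, distinct ports, clients answered)."""
    t = PendingTable()
    ports = {t.request(f"client{i}", name) for i in range(n)}
    return t.sockets_opened, len(ports), len(t.response(name))


def sockets_for_distinct_names(n, zone="foo.org"):
    """n concurrent requests for j.zone, 0 <= j < n: (sockets opened, distinct ports)."""
    t = PendingTable()
    ports = {t.request(f"client{j}", f"{j}.{zone}") for j in range(n)}
    return t.sockets_opened, len(ports)


if __name__ == "__main__":
    print("same name x100    :", sockets_for_same_name(100))
    print("distinct names x100:", sockets_for_distinct_names(100))
```

A hundred concurrent requests for www.foo.org open one upstream socket and are all answered by the single response, which is the protection; a hundred requests for 0.foo.org .. 99.foo.org open a hundred sockets to the same name server, which is the gap the slide describes. Coalescing by name therefore limits duplicate queries, not the number of outstanding ports per destination.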

Page 19

Port Derandomization via Socket Overloading

Page 20

Socket-Overloading for Attacks on DNS
• DNS Cache Poisoning
• NS Pinning via Resolver Socket-Overloading
• NS Pinning via Name Server Socket-Overloading

Page 21

Socket-Overloading for Attacks on DNS – DNS Cache Poisoning

Figure (slide 21): Client 1.2.3.6, Resolver 1.2.3.4, NS 5.6.7.8, Off-path Attacker 6.6.6.6. Packets are given as src:port -> dst:port, TXID, payload.
(1) Client -> Resolver: 1.2.3.6:x -> 1.2.3.4:53, TXID 127, A? $1.foo.org
(2) Resolver -> NS: 1.2.3.4:53 -> 5.6.7.8:53, TXID 3544, A? $1.foo.org
(3) Attacker -> Resolver: 2^16 spoofed DNS responses, one for each TXID value, each appearing as 5.6.7.8:53 -> 1.2.3.4:53, TXID 1 ... 65536, "ns.foo.org A 6.6.6.6"
(4) The spoofed response with the correct TXID (3544) is cached
(5) NS -> Resolver: 5.6.7.8:53 -> 1.2.3.4:53, TXID 3544, $1.foo.org NXD, ignored since there is no matching pending request; Resolver -> Client: 1.2.3.4:53 -> 1.2.3.6:x, TXID 127, $1.foo.org NXD

Page 22

Socket-Overloading for Attacks on DNS – DNS Cache Poisoning

Figure (slide 22): Client 1.2.3.6, Proxy Resolver 1.2.3.4, Upstream Resolver 8.8.8.8, Off-path Attacker 6.6.6.6.
(1) Client -> Proxy Resolver (query): 1.2.3.6:x -> 1.2.3.4:53, TXID 127, A? $1.atk.com
(2) Proxy Resolver -> Upstream Resolver: 1.2.3.4:X -> 8.8.8.8:53, with X > 1024 and TXID Y in {1, ..., 2^16}, A? $1.atk.com
(3) Attacker -> Proxy Resolver (response): burst of N spoofed packets to port 65000, each appearing as 8.8.8.8:53 -> 1.2.3.4:65000, TXID 1 ... 65535, "ns.atk.com A 6.6.6.6"
(4) The genuine upstream response is dropped (labelled "drop")
(5) If the correct port is hit in (4), then time-out and retransmission

Page 23

Socket-Overloading for Attacks on DNS – NS Pinning via Resolver Socket-Overloading

Figure (slide 23): Client 1.2.3.6, Resolver 1.2.3.4, NS 5.6.7.8, Off-path Attacker 6.6.6.6.
(1) Client -> Resolver: 1.2.3.6:5555 -> 1.2.3.4:53, A? $1.foo.org
(2) Resolver -> NS: 1.2.3.4:3424 -> 5.6.7.8:53, A? $1.foo.org
(3) Attacker -> Resolver: burst of N packets to a known port, 6.6.6.6:x -> 1.2.3.4:3424, payload AAAAAAAAAA; the NS response 5.6.7.8:53 -> 1.2.3.4:3424 ($1.foo.org NXD) is lost
(4) Resolver times out and retransmits: 1.2.3.4:3425 -> 5.6.7.8:53, A? $1.foo.org; repeat step (2) after t secs

Page 24

Socket-Overloading for Attacks on DNS – NS Pinning via NS Socket-Overloading

Figure (slide 24): Client 1.2.3.6, Resolver 1.2.3.4, NS 5.6.7.8, Off-path Attacker 6.6.6.6.
(1) Attacker -> NS: burst of N packets 6.6.6.6:x -> 5.6.7.8:53, payload AAAAAAAAAA
(2) Client -> Resolver: 1.2.3.6:5555 -> 1.2.3.4:53, A? $1.foo.org; Resolver -> NS: 1.2.3.4:3424 -> 5.6.7.8:53, A? $1.foo.org, lost in the burst
(3) Attacker -> NS: second burst of N packets 6.6.6.6:x -> 5.6.7.8:53, payload AAAAAAAAAA
(4) Resolver times out and retransmits: 1.2.3.4:54525 -> 5.6.7.8:53, A? $1.foo.org, lost again

Page 25

Defense and Conclusions
• Defense
  • DNSSEC
  • Full port randomization
    • Avoid per-destination sequential port allocation
• Conclusions
  • A new attack tool – UDP socket overloading
    • Cache poisoning
    • NS pinning
  • The results show that per-destination port assignment [RFC6056] is vulnerable