A flaw discovered in Linux allows DNS servers to be attacked and potentially redirect millions of users at once to bogus sites. Up to 38% of DNS servers could be affected, including services like OpenDNS.
An old DNS cache poisoning flaw has resurfaced more than ten years later. Presented at the ACM CCS 2021 cybersecurity conference and described by researchers at the University of California, the flaw could affect up to 38% of DNS servers.
To understand it, we have to go back to the initial discovery of a flaw in DNS servers in 2008. These servers hold the complete list of domain names and the IP address of the corresponding website. When you enter an address, your computer connects to a DNS server, usually your service provider's, to obtain the IP address. At that time, researchers discovered that it was possible to poison the cache of DNS servers by sending them a fake update, after which trusted sites, for example Google.com, were redirected to fake sites.
An attack made possible by brute force
At that time, updates to a server's DNS cache were protected only by a 16-bit transaction ID, or 65,536 possibilities. It was therefore possible to attack a server by brute force, trying every identifier, and thus redirect all the computers that depend on it. The flaw was fixed by using a random UDP source port for the exchange, adding another 16 bits of entropy, or roughly four billion possible combinations.
However, a new flaw discovered in Linux calls this protection into question. It relies on the error messages, called ICMP, that DNS servers use when communicating. The researchers have shown that it is possible to use an ICMP message to determine the correct UDP port number. An attack would then only need to find the transaction ID by brute force, as when the original flaw was discovered in 2008.
All Linux-based DNS servers are potentially affected
The flaw affects Linux servers, or about 38% of servers according to the researchers. It works by sending a very specific error message (of the type ICMP Redirect or ICMP Fragmentation Needed). Since this is an error message, the server does not reply, and in theory it is impossible to know whether it was sent to the correct port. However, on Linux this message can change the server's maximum packet size (MTU), which can then be measured with a simple ping. All that remains is to repeat the operation, changing the port until the correct one is found, that is, at most 65,536 times. It is then possible to launch a direct brute force attack using the method discovered in 2008.
According to the researchers, Windows and FreeBSD servers are not affected by this flaw. macOS servers should therefore not be vulnerable either, since they use the FreeBSD network protocol stack. The researchers suggest three solutions: use the IP_PMTUDISC_OMIT socket option to reject ICMP Fragmentation Needed messages, randomize the cache structure, or simply reject ICMP Redirect messages, which are rarely used. According to the Ars Technica site, Cisco, owner of the OpenDNS servers cited as vulnerable by the researchers, said it has already fixed the flaw.
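The first of the three mitigations above is a per-socket setting on Linux. The following is an added example, not code from the article or from the researchers, showing how a resolver would apply IP_PMTUDISC_OMIT to its UDP socket and then read the setting back to confirm the kernel accepted it. The function names are chosen here for illustration; the option itself requires Linux 3.15 or later, and the fallback `#define` of its value is taken from the kernel's `<linux/in.h>` for older C library headers.

```c
/* Added example (not from the article): harden a UDP resolver socket on Linux
 * by setting IP_PMTUDISC_OMIT, the socket option the researchers recommend.
 * In this mode the kernel ignores the path-MTU hints carried in incoming
 * ICMP "Fragmentation Needed" messages for this socket, so such a message
 * can no longer change a per-socket MTU value that an off-path sender could
 * later measure. Requires Linux 3.15+; build with: cc -Wall hardened_udp.c
 */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_PMTUDISC_OMIT
#define IP_PMTUDISC_OMIT 5   /* value from <linux/in.h>; older libc headers lack the macro */
#endif

/* Apply the mitigation to an already-open IPv4 UDP socket.
 * Returns 0 on success, -1 (with errno set) on failure. */
int harden_udp_socket_pmtu(int fd)
{
    int mode = IP_PMTUDISC_OMIT;
    return setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &mode, sizeof mode);
}

/* Read back the current PMTU-discovery mode so the setting can be verified.
 * Returns the mode (e.g. IP_PMTUDISC_OMIT) or -1 on failure. */
int query_pmtu_mode(int fd)
{
    int mode = -1;
    socklen_t len = sizeof mode;
    if (getsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &mode, &len) < 0)
        return -1;
    return mode;
}

/* Open a UDP socket, harden it, and confirm the kernel accepted the mode.
 * Returns 1 when the socket ends up in IP_PMTUDISC_OMIT mode, 0 otherwise. */
int hardened_udp_socket_demo(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) {
        perror("socket");
        return 0;
    }
    int before = query_pmtu_mode(fd);   /* kernel default, normally IP_PMTUDISC_WANT */
    int ok = harden_udp_socket_pmtu(fd) == 0 &&
             query_pmtu_mode(fd) == IP_PMTUDISC_OMIT;
    if (!ok)
        fprintf(stderr, "IP_PMTUDISC_OMIT not applied: %s\n", strerror(errno));
    else
        printf("PMTU discovery mode: %d -> %d (IP_PMTUDISC_OMIT)\n",
               before, IP_PMTUDISC_OMIT);
    close(fd);
    return ok;
}

int main(void)
{
    return hardened_udp_socket_demo() ? 0 : 1;
}
```

Reading the option back with `getsockopt` matters in practice: on a kernel older than 3.15 the `setsockopt` call fails with EINVAL and the socket silently keeps its default mode, so a resolver should treat that failure as a deployment error rather than a warning. The third mitigation the article lists, ignoring ICMP Redirect messages, is a host-wide setting on Linux rather than a socket option (the `net.ipv4.conf.all.accept_redirects` sysctl set to 0).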
What to remember
- The 2008 DNS cache poisoning flaw resurfaces.
- DNS cache poisoning allows an attacker to replace legitimate sites with fake ones.
- All DNS servers on Linux are potentially affected.