Multiple Vendor DNS Response Flooding Denial Of Service (CVE-2004-0789) | Clint Josy
The Domain Name System (DNS) is the phonebook of the Internet. Humans access information online through domain names, like nytimes.com or espn.com, while Web browsers communicate using Internet Protocol (IP) addresses. DNS translates domain names to IP addresses so browsers can load Internet resources.
Each device connected to the Internet has a unique IP address which other machines use to find the device. DNS servers eliminate the need for humans to memorize IP addresses such as 192.168.1.1 (in IPv4), or the longer alphanumeric addresses such as 2400:cb00:2048:1::c629:d7a2 (in IPv6).
The process of DNS resolution involves converting a hostname (such as www.example.com) into a computer-friendly IP address (such as 192.168.1.1). An IP address is given to each device on the Internet, and that address is necessary to find the appropriate Internet device — like a street address is used to find a particular home. When a user wants to load a webpage, a translation must occur between what a user types into their web browser (example.com) and the machine-friendly address necessary to locate the example.com webpage.
To understand the process behind DNS resolution, it’s essential to learn about the different components a DNS query must pass through. From the web browser’s point of view, the DNS lookup occurs “behind the scenes” and requires no interaction from the user’s computer apart from the initial request.
The four DNS servers involved in loading a webpage
- DNS Recursor
- Root nameserver
- TLD nameserver
- Authoritative nameserver
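To make the four-step walk concrete, here is an added illustration (not code from the original post) of how a recursor follows referrals from a root server to a TLD server to an authoritative server, and how its cache short-circuits a repeat lookup. The server names, the delegation table and the address 192.0.2.10 are all constructed for the example; nothing is sent over the network.

```python
"""Toy model of the iterative lookup a DNS recursor performs.

Added illustration, not code from the original article. The zone data,
server names and addresses below are constructed; the real root, TLD and
authoritative servers are never contacted.
"""

# Each constructed "server" either refers the recursor onward (keyed by the
# suffix the next server is responsible for) or holds the final answer.
ROOT = {"referrals": {"com.": "a.gtld-servers.example"}, "answers": {}}
TLD_COM = {"referrals": {"example.com.": "ns1.example.com."}, "answers": {}}
AUTH_EXAMPLE = {"referrals": {}, "answers": {"www.example.com.": "192.0.2.10"}}

SERVERS = {
    "root-server.example": ROOT,       # role: root nameserver
    "a.gtld-servers.example": TLD_COM, # role: TLD nameserver for .com
    "ns1.example.com.": AUTH_EXAMPLE,  # role: authoritative nameserver
}


def _suffixes(name):
    """Yield suffixes of a FQDN, longest first: 'www.example.com.' ->
    'www.example.com.', 'example.com.', 'com.', '.'"""
    parts = name.rstrip(".").split(".")
    for i in range(len(parts)):
        yield ".".join(parts[i:]) + "."
    yield "."


def resolve(name, cache=None, max_hops=8):
    """Walk root -> TLD -> authoritative the way a recursor does.

    Returns (address, chain) where chain lists the servers consulted. If a
    cache dict is supplied, a cached name is answered with an empty chain,
    i.e. without asking any server. Raises LookupError when no server has
    an answer or a referral (the NXDOMAIN case)."""
    name = name if name.endswith(".") else name + "."
    if cache is not None and name in cache:
        return cache[name], []
    server = "root-server.example"  # the recursor always starts at the root
    chain = []
    for _ in range(max_hops):
        chain.append(server)
        zone = SERVERS[server]
        if name in zone["answers"]:
            address = zone["answers"][name]
            if cache is not None:
                cache[name] = address
            return address, chain
        for suffix in _suffixes(name):
            if suffix in zone["referrals"]:
                server = zone["referrals"][suffix]  # follow the referral
                break
        else:
            raise LookupError("NXDOMAIN: " + name)
    raise RuntimeError("referral loop or too many hops for " + name)


if __name__ == "__main__":
    cache = {}
    print(resolve("www.example.com", cache))  # three hops, then cached
    print(resolve("www.example.com", cache))  # answered from cache, no hops
```

A real recursor also caches the intermediate referrals (so the next lookup under .com skips the root), which is why a flood of queries for non-existent names is costly: each one forces the full walk and the resolver ends up caching only negative answers.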
A DNS attack is an exploit in which an attacker takes advantage of vulnerabilities in the domain name system (DNS).
Types of DNS Attacks
- Distributed Reflection DoS Attack (DRDoS attack) — Combines reflection and amplification. Attackers send large, spoofed, crafted queries to open recursive servers.
- Cache poisoning — the attacker corrupts a DNS server by replacing a legitimate IP address in the server’s cache with a rogue address, redirecting traffic to a malicious website to collect information or initiate another attack. Cache poisoning may also be referred to as DNS poisoning.
- TCP SYN Floods — This attack abuses the 3-way handshake that begins a TCP connection. The attacker sends spoofed SYN packets with bogus source IP addresses, and the server sends SYN-ACKs to those false destinations. It never receives an acknowledgment back from them, which exhausts memory on the server and prevents it from responding to new connections from legitimate users.
- DNS Tunnelling — Uses DNS as a covert communication channel to bypass the firewall. The attacker tunnels protocols like SSH, TCP or HTTP within DNS, which allows stolen data or IP traffic to pass without detection. The tunnel so created serves as a full remote control channel for a compromised internal host, and the same channel can be used for data exfiltration.
- DNS Hijacking — The attacker modifies the DNS record settings (most often at the domain registrar) to point to a rogue DNS server or domain. When a user tries to access a legitimate website, say “www.example.com,” they are redirected to a bogus site controlled by the attackers that looks like the real one. This leads to the theft of credentials, credit card numbers, etc.
- Basic NXDOMAIN Attack — The attacker sends a flood of queries to the DNS server for non-existent domain names; the recursive server tries to locate each non-existent domain by carrying out multiple queries and does not find it. In the process, the cache fills up with NXDOMAIN results, which leads to slower DNS server response times for legitimate requests.
- Phantom Domain Attack — “Phantom” domains are set up as part of the attack, and the DNS server tries to resolve multiple phantom domains. These domains may not respond at all or respond slowly, consuming server resources while it waits for answers, eventually leading to degraded performance or failure because of too many outstanding queries.
- Random subdomain attack — Infected clients create queries by prepending randomly generated subdomain strings to the victim’s domain, for example xyzqwe.yahoo.com. Each client sends only a small volume of queries, so the activity is hard to detect. When many infected clients send such requests, responses never come back for these non-existent subdomains and the server waits for answers until its outstanding-query limit is exhausted. Ultimately the target domain’s authoritative server experiences a DDoS attack.
- Domain lock-up attack — Attacker-controlled domains and resolvers are set up to establish TCP-based connections with DNS resolvers. When the DNS server requests a response, these domains send junk or random packets to keep it engaged. This effectively locks up the DNS server’s resources: the resolver that establishes connections with the misbehaving domains exhausts its own capacity.
- Bot-based attacks from CPE devices — Random subdomain attacks launched from botnets of compromised customer premises equipment (CPE), such as switches and routers supplied by ISPs or customers, aimed at one site or domain. The victim domain experiences a DDoS attack, DNS resolver resources are exhausted, and SSL proxy credential theft can turn the victim into a launch point for attacks against customer PCs.
- Fast-flux DNS — the attacker swaps DNS records in and out with extreme frequency to redirect DNS requests and avoid detection.
- DNS Flood is a type of Denial-of-Service attack. It is the process whereby traffic to a network resource or machine is stopped for some time. The offender sends a significant number of requests to the resource or service so that it becomes unavailable to those who try to reach it. During a DNS flood, the host that connects to the Internet is disrupted by an overload of traffic. It can be described as a disruption that halts the work of the resource or machine by not allowing legitimate traffic to reach it.
Attackers mount this attack mainly to profit from the targeted resource or machine. DoS attacks have been perpetrated for many reasons, including blackmailing website owners and knocking out websites, including high-profile sites such as large bank websites.
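Several of the attacks listed above (NXDOMAIN floods, phantom domains, random subdomains) leave the same trace in resolver logs: one client, a high share of NXDOMAIN answers, and many distinct high-entropy labels under a single parent domain. The following detector is an added example, not code from the original post; the log format, client addresses and query names are constructed for it, and the thresholds are illustrative defaults an operator would tune to their own traffic.

```python
"""Flag clients whose NXDOMAIN pattern looks like a random-subdomain flood.

Added example; the log line format below is invented for this illustration
and the client addresses / names are constructed (RFC 5737 and RFC 2606).
"""
import math
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
client=192.0.2.5 qname=www.example.com rcode=NOERROR
client=192.0.2.5 qname=mail.example.com rcode=NOERROR
client=192.0.2.7 qname=kq3z9vb.example.net rcode=NXDOMAIN
client=192.0.2.7 qname=x81mtpq.example.net rcode=NXDOMAIN
client=192.0.2.7 qname=d0w4ruz.example.net rcode=NXDOMAIN
client=192.0.2.7 qname=p7hj2ae.example.net rcode=NXDOMAIN
client=192.0.2.7 qname=www.example.com rcode=NOERROR
client=192.0.2.9 qname=typo.example.org rcode=NXDOMAIN
"""

LINE_RE = re.compile(r"client=(\S+) qname=(\S+) rcode=(\S+)")


def shannon_entropy(text):
    """Bits of entropy per character; random labels score high, words low."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname, levels=2):
    """'kq3z9vb.example.net' -> 'example.net' (the domain being attacked)."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-levels:])


def analyze(log_text, nx_ratio=0.5, min_queries=4, entropy_min=2.5, min_random=3):
    """Return {client: finding} for clients that exceed every threshold.

    A client is flagged when it sent at least min_queries queries, at least
    nx_ratio of them came back NXDOMAIN, and at least min_random of the
    failing leftmost labels look random (entropy >= entropy_min)."""
    stats = defaultdict(lambda: {"total": 0, "nxdomain": 0, "random_nx": 0,
                                 "labels": defaultdict(set)})
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that do not fit the expected format
        client, qname, rcode = match.groups()
        entry = stats[client]
        entry["total"] += 1
        if rcode == "NXDOMAIN":
            entry["nxdomain"] += 1
            label = qname.split(".")[0]
            entry["labels"][parent_domain(qname)].add(label)
            if shannon_entropy(label) >= entropy_min:
                entry["random_nx"] += 1

    flagged = {}
    for client, entry in stats.items():
        if entry["total"] < min_queries:
            continue
        ratio = entry["nxdomain"] / entry["total"]
        if ratio >= nx_ratio and entry["random_nx"] >= min_random:
            target, labels = max(entry["labels"].items(), key=lambda kv: len(kv[1]))
            flagged[client] = {"nx_ratio": round(ratio, 2), "target": target,
                               "distinct_labels": len(labels)}
    return flagged


if __name__ == "__main__":
    for client, finding in analyze(SAMPLE_LOG).items():
        print(client, finding)
```

The response to a flagged client is a rate limit or a per-client query cap at the resolver, which protects both the resolver’s outstanding-query table and the authoritative server of the targeted domain; a single typo from a normal client (192.0.2.9 above) never crosses the thresholds.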
Multiple implementations of the DNS protocol, including (1) Poslib 1.0.2-1 and earlier as used by Posadis, (2) Axis Network products before firmware 3.13, and (3) Men & Mice Suite 2.2x before 2.2.3 and 3.5.x before 3.5.2, allow remote attackers to cause a denial of service (CPU and network bandwidth consumption) by triggering a communications loop via (a) DNS query packets with localhost as a spoofed source address, or (b) a response packet that triggers a response packet.
An attacker who successfully exploited this vulnerability could cause the service to crash, making it unavailable to its intended users until it is manually restarted.
The remote DNS server is vulnerable to a denial of service attack because it replies to DNS responses. An attacker could exploit this vulnerability by spoofing a DNS packet so that it appears to come from 127.0.0.1 and make the remote DNS server enter into an infinite loop, therefore denying service to legitimate users.
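The defect is that the server treats every datagram on port 53 as something to answer. A DNS response carries QR=1 in its header, and a correctly behaving server never answers a response; it also has no reason to accept a datagram that claims to come from its own address or from 127.0.0.1 on a non-loopback interface, because such a packet can only be spoofed. The code below is an added example, not the Posadis code or the exploit the post refers to: it parses the 12-byte header, implements that acceptance policy, and runs a bounded, in-memory model of the loop so the naive and hardened behaviour can be compared. The server address 192.0.2.53 and client address 192.0.2.50 are constructed.

```python
"""Header-level policy that prevents a response-triggers-response loop.

Added illustration, not code from the original post or from any of the
products named in the advisory. Addresses are constructed (RFC 5737).
"""
import struct

# Fixed 12-byte DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035)
DNS_HEADER = struct.Struct("!HHHHHH")


def parse_header(packet):
    """Decode the header fields a server must inspect before answering."""
    if len(packet) < DNS_HEADER.size:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(packet)
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,        # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,  # 0 = standard query
        "rcode": flags & 0xF,
        "qdcount": qd,
        "ancount": an,
    }


def build_packet(ident, is_response, qname="www.example.com"):
    """Constructed minimal packet: header plus one question (A record, IN class)."""
    flags = (0x8000 if is_response else 0) | 0x0100   # QR bit, RD bit
    header = DNS_HEADER.pack(ident, flags, 1, 0, 0, 0)
    question = b"".join(bytes([len(label)]) + label.encode()
                        for label in qname.split(".")) + b"\x00"
    return header + question + struct.pack("!HH", 1, 1)


def should_answer(packet, src_ip, local_ips, iface_is_loopback=False):
    """Policy a server should apply on its listening port; returns (accept, reason).

    Responses (QR=1) are never answered, so a response cannot trigger another
    response. A datagram whose source is one of this host's addresses, or
    127.x while it arrived on a real interface, is dropped as spoofed."""
    try:
        hdr = parse_header(packet)
    except ValueError as exc:
        return False, str(exc)
    if hdr["qr"] == 1:
        return False, "response packet (QR=1) on the server port"
    if hdr["opcode"] != 0:
        return False, "unsupported opcode %d" % hdr["opcode"]
    if hdr["qdcount"] == 0:
        return False, "query without a question section"
    if src_ip in local_ips or (src_ip.startswith("127.") and not iface_is_loopback):
        return False, "source address claims to be this host"
    return True, "standard query"


def naive_policy(packet, src_ip, local_ips):
    """Pre-fix behaviour as the advisory describes it: answer whatever arrives."""
    return True, "answer everything"


def simulate(policy, first_packet, src_ip, local_ips, max_steps=20):
    """Bounded model of the CVE-2004-0789 loop. Each reply is sent to src_ip;
    when that is the server itself the reply re-enters as a new packet.
    Returns the number of replies emitted; reaching max_steps means the
    policy never stopped the loop."""
    packet, replies = first_packet, 0
    for _ in range(max_steps):
        accept, _reason = policy(packet, src_ip, local_ips)
        if not accept:
            break
        replies += 1
        if src_ip not in local_ips and not src_ip.startswith("127."):
            break  # reply went to a remote client; nothing comes back
        packet = build_packet(parse_header(packet)["id"], is_response=True)
    return replies


if __name__ == "__main__":
    local = {"192.0.2.53"}                          # constructed server address
    query = build_packet(0x1234, is_response=False)
    print(simulate(naive_policy, query, "127.0.0.1", local))    # 20: loops until the cap
    print(simulate(should_answer, query, "127.0.0.1", local))   # 0: dropped on arrival
    print(simulate(should_answer, query, "192.0.2.50", local))  # 1: normal client served
```

On a real host the address check belongs in the packet filter as well as the daemon: a rule that drops inbound datagrams on external interfaces whose source is 127.0.0.0/8 or one of the host’s own addresses removes variant (a) before any userland code runs, while the QR check inside the server removes variant (b).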
Details on CVE-2004-0789
Victim Machine : Windows XP SP3 (with Posadis 0.60.1)
Victim’s IP : 192.168.1.133
Attacking Machine : Kali Linux 2017.3
Attacker’s IP : 192.168.1.136
The nmap scan shows the DNS service running on port 53.
The above image shows a simple DNS packet with the query “www.google.com” being sent to the vulnerable server. The request and response are shown in the screenshots below, captured with Wireshark. The DNS server replies with a response for the same name, “www.google.com”.
This exploit code uses the same DNS server to send recursive random queries, which makes the service crash.
Command to execute the code
# python exploit.py