3

Tenable Nessus states that if there is a DNS Server Recursive Query Cache Poisoning Weakness the host allows recursive queries via UDP, then the host can be used to 'bounce' Denial of Service attacks against another network or system.

What is a bounce DoS attack and what is the importance of UDP in it?

user80761
  • 31
  • 1
  • 3

2 Answers2

1

Basically, the DNS Cache poisoning (also known as DNS spoofing) consists in:

An attacker attempts to insert a fake address record for an Internet domain into the DNS. If the server accepts the fake record, the cache is poisoned and subsequent requests for the address of the domain are answered with the address of a server controlled by the attacker. For as long as the fake entry is cached by the server (entries usually have a time to live (TTL) of a couple of hours) subscriber's browsers or email servers will automatically go to the address provided by the compromised DNS server.

Here is a link explaining it.

The more important the dns server that has been compromised, the greater number of requests will be received and the users of other DNS servers that use it as a forwarder will also be affected. That's the "bounce" you are talking about.

And to answer to your question how important is UDP?. Is as simple as UDP is the protocol used for DNS requests. TCP is only used for zone transfers. So every request is travelling as UDP. And as you know (I guess), UDP packets work in a similar way to TCP but they throw all the error-checking stuff out. All the back-and-forth communication and deliverability guarantees slow things down, so UDP usually is better to perform DoS because is faster.

Here is another interesting article. On this, it's explained very well how to use a DNS server to be part of a DDoS (Distributed Denial of Service) attack.

OscarAkaElvis
  • 5,185
  • 3
  • 17
  • 48
  • Is it the case that TCP is *only* used for zone transfers, or is it perhaps the case that TCP, while generally not, may be configured for use for transmission of general requests and responses by caching resolvers? I've only partially implemented a caching resolver, so I'm no expert, but as far as I recall in the past I saw nothing excluding that possibility. The only difference, as far as I could tell, is that there's a few extra fields such as checksum in the datagram interface. – autistic Nov 17 '17 at 04:21
  • tcp on dns is used only for zone transfers – OscarAkaElvis Nov 17 '17 at 08:36
  • Would you mind pointing me in the right direction to find that information in one of the many relevant specifications? Because when I was implementing my own nameserver, I was reading the specifications, and as I mentioned earlier I couldn't find any mention of TCP being exclusively for zone transfers. It may be the case that DNS over TCP is *typically* used for zone transfers... You can find what I believe is the relevant section of the specification in rfc1035.txt by searching for the section entitled "4.2.2. TCP usage". Enjoy your research! – autistic Nov 17 '17 at 09:00
  • DNS goes over TCP when the size of the request or the response is greater than a single packet such as with responses that have many records or many IPv6 responses or most DNSSEC responses. The maximum size was originally 512 bytes but there is an extension to the DNS protocol that allows clients to indicate that they can handle UDP responses of up to 4096 bytes. DNSSEC responses are usually larger than the maximum UDP size. Transfer requests are usually larger than the maximum UDP size and hence will also be done over TCP. So it's not purely exclusive but in practice is what happens – OscarAkaElvis Nov 17 '17 at 09:04
  • I think in practice you'll start to see a huge number of people using DNS over TCP as more and more fibre is rolled out; the combination of data integrity without retransmission, convenience of data reordering and general difficulty to forge (a major issue, hence DNSSEC) will make it the vastly superior choice quite soon. In fact it wouldn't surprise me in ten or fifteen years if games start using other protocols and DNS evolves away from UDP. Better choices than both TCP and UDP have emerged, SCTP to name one, which could theoretically be used to mimic either TCP or UDP use with ease. – autistic Nov 17 '17 at 09:20
0

I'm not sure if the term "cache poisoning" means what you think it means; it's not a form of DoS but rather a security breach.

Regarding UDP and DoS attacks, as the source IP field for UDP packets aren't always filtered by ISPs it's sometimes possible to fraudulently send packets on behalf of other servers. This makes all sorts of amplified and reflected DoS attacks possible, the subject of which I believe your question is about.

One of the most dangerous DoS attacks nowadays is the classical DNS amplification attack, where much like a classical SYN flood, packets are forged at a computer with the source IP field maliciously tampered with. In this attack, the source of the packet is reported to be the end target, so that the response from the server, usually crafted to be many times larger than the request sent by the attacker, will be sent to the target. This causes nameservers to multiply the size of the flood, thus the bandwidth consumed and also makes the source of the attack incredibly difficult to track down.

This can of course be extended to a DRDoS (distributed, reflected denial of service) attack, where multiple malicious connections are forging requests at multiple nameservers on behalf of the target of the attack, in order to multiply the bandwidth of the nameservers and aim it at the end target.

To be clear, UDP isn't required to poison a DNS cache, though the unreliability of packets certainly introduces many attacks, particularly when DNSSEC extensions aren't installed!

It's entirely possible that a malicious employee at an ISP (or anyone who has administrative access to a nameserver in question) could corrupt a piece of memory using some local vulnerability, for example, and this would constitute a DNS cache poisoning attack which doesn't rely upon UDP at all.

Even when TCP is used in place of UDP, it's entirely possible that there may be an error somewhere in a chip of RAM between source and destination which causes a bit to flip. A bit flipping from stackoverflow.com to stacioverflow.com at the client side would cause the request to be forwarded to a potentially malicious nameserver, for example, which might respond as though it owns that domain. That's called bitsquatting, and it doesn't rely specifically upon UDP; DNS does (at least partially) support TCP, after all.

Furthermore, on each packet there is a TTL (time-to-live) field, which each router updates as the packet is sent from router to router towards the destination. The reason for this is so that the source can be notified if no route exists, for example. Unfortunately, this means the checksum needs to be updated at each hop, which means errors in memory at each hop might not be identified by UDPs checksum mechanism. Big frown: :(

While we can see DNS cache poisoning attacks are certainly a major concern, I think you should now be able to see how they're not really relevant to the bulk of your question.

autistic
  • 734
  • 6
  • 17