SADDNS is a tool for launching the DNS cache poisoning attack described in the paper cited below. It infers the resolver's ephemeral source port and the TxID of an in-flight query by using the ICMP global rate limit as a side channel, in two steps:
- Scan the ephemeral ports opened by the resolver.
- Brute force the TxID.
The side channel leverages the global rate limit counter as a resource shared between spoofed and non-spoofed source IPs: that single counter controls whether an ICMP reply is sent at all. An off-path attacker never sees the replies to its spoofed packets, but by sending a few non-spoofed probes from its own address afterwards and observing whether they are answered, it can tell whether the preceding spoofed UDP port probes solicited ICMP replies (i.e. hit closed ports) or not.
The following figure shows the details of inferring ephemeral ports.
Two points the port scan has to deal with:
- DNS software like BIND uses `connect()` for its northbound query sockets, which renders the port discoverable only by probes whose source is the NS's IP address.
- The per-IP ICMP rate limit has to be bypassed.
DNS Cache Poisoning Attack Reloaded: Revolutions with Side Channels
Keyu Man, Zhiyun Qian, Zhongjie Wang, Xiaofeng Zheng, Youjun Huang, Haixin Duan
In Proceedings of the ACM Conference on Computer and Communications Security (CCS '20), November 9-13, 2020, Virtual Event, USA.
The attack tool is implemented in two languages: Go and C.
The files in /saddns_go belong to the Go implementation of the attack. This is the major version we maintain, and it contains many features that facilitate the attack. The author is Keyu Man. Detailed running instructions can be found in saddns_go/Readme.md.
The C version files are in /saddns_c, and we credit our collaborator @wonderqs for them. The C version has better performance and is intended for people who are not familiar with Go. Detailed running instructions can be found in saddns_c/README.md.
Please submit them by opening a new issue.