{"id":21393790,"url":"https://github.com/seclab-ucr/saddns","last_synced_at":"2025-07-13T18:32:13.365Z","repository":{"id":48746090,"uuid":"310729969","full_name":"seclab-ucr/SADDNS","owner":"seclab-ucr","description":"SADDNS: Side Channel Based DNS Cache Poisoning Attack","archived":false,"fork":false,"pushed_at":"2021-09-27T18:48:23.000Z","size":50,"stargazers_count":58,"open_issues_count":0,"forks_count":8,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-06-04T10:11:55.150Z","etag":null,"topics":["dns","kernel","network","security","side-channel"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"odbl-1.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/seclab-ucr.png","metadata":{"files":{"readme":"Readme.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-11-06T23:47:04.000Z","updated_at":"2025-05-22T13:50:34.000Z","dependencies_parsed_at":"2022-09-23T21:10:26.135Z","dependency_job_id":null,"html_url":"https://github.com/seclab-ucr/SADDNS","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/seclab-ucr/SADDNS","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seclab-ucr%2FSADDNS","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seclab-ucr%2FSADDNS/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seclab-ucr%2FSADDNS/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seclab-ucr%2FSADDNS/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/seclab-ucr","download_url":"https://codeload.github.com/seclab-ucr/SADDNS/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seclab-ucr%2FSADDNS/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265186815,"owners_count":23724745,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dns","kernel","network","security","side-channel"],"created_at":"2024-11-22T14:13:21.655Z","updated_at":"2025-07-13T18:32:12.973Z","avatar_url":"https://github.com/seclab-ucr.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# SADDNS: Side Channel Based DNS Cache Poisoning Attack\n\n## Introduction\n**SADDNS** is a tool for launching the **DNS cache poisoning attack**. It infers the ephemeral port number and TxID by exploiting ICMP global rate limit as a side channel.\n\n## How it works\n1. Scan ephemeral ports opened by the resolver.\n2. Brute force TxID.\n\nThe side channel leverage the global rate limit counter as a shared resource (between the **spoofed** and non-spoofed IPs), which controls whether an ICMP reply should be sent or not. This gives the off-path attacker the ability to identify whether previous **spoofed** UDP port probing packets solicited ICMP replies or not.\n\nThe following figure shows the detail of inferring ephemeral ports.\n\n![Off-path port scanning](https://www.saddns.net/attack.svg)\n\n### Why spoofed IP is necessary for UDP port discovery?\n- DNS software like BIND uses ```connect()``` for their northbound query sockets, which renders the port only discoverable by the NS' IP address.\n- Bypass per-IP ICMP rate limit.\n\n## Additional resources\n\n### Publication\n\n[**DNS Cache Poisoning Attack Reloaded: Revolutions with Side Channels**](https://doi.org/10.1145/3372297.3417280)\n\nKeyu Man, Zhiyun Qian, Zhongjie Wang, Xiaofeng Zheng, Youjun Huang, Haixin Duan\n\n*In Proceedings of ACM Conference on Computer and Communications Security (CCS`20), November 9-13, 2020, Virtual Event, USA.*\n\n### Website\n\n[**SADDNS**](https://www.saddns.net)\n\n## How to run\n\nThe attack tool is implemented in two languages: **Go** and **C**.\n\nThe files in ```/saddns_go``` belong to **Go** implementation of the attack. This is the major version we maintained and contains many features to facilitate the attack. The author is [Keyu Man](https://github.com/mkyybx). The detailed running instruction can be found at [saddns_go/Readme.md](https://github.com/seclab-ucr/SADDNS/blob/master/saddns_go/Readme.md).\n\nThe **C** version files are in ```/saddns_c``` and we are giving credits to our collaborator [@wonderqs](https://github.com/wonderqs). The C version has a better performance and for people who are not familiar with Go. The detailed running instruction can be found at [saddns_c/README.md](https://github.com/seclab-ucr/SADDNS/blob/master/saddns_c/README.md).\n\n## Questions and issues\n\nPlease submit them by opening a new issue.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fseclab-ucr%2Fsaddns","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fseclab-ucr%2Fsaddns","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fseclab-ucr%2Fsaddns/lists"}