Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/seclab-ucr/saddns

SADDNS: Side Channel Based DNS Cache Poisoning Attack
https://github.com/seclab-ucr/saddns

dns kernel network security side-channel

Last synced: about 1 month ago
JSON representation

SADDNS: Side Channel Based DNS Cache Poisoning Attack

Host: GitHub
URL: https://github.com/seclab-ucr/saddns
Owner: seclab-ucr
License: odbl-1.0
Created: 2020-11-06T23:47:04.000Z (about 4 years ago)
Default Branch: master
Last Pushed: 2021-09-27T18:48:23.000Z (about 3 years ago)
Last Synced: 2023-08-23T13:01:42.553Z (over 1 year ago)
Topics: dns, kernel, network, security, side-channel
Language: C
Homepage:
Size: 48.8 KB
Stars: 47
Watchers: 2
Forks: 7
Open Issues: 0
Metadata Files:
- Readme: Readme.md

Awesome Lists containing this project

README

# SADDNS: Side Channel Based DNS Cache Poisoning Attack

## Introduction
**SADDNS** is a tool for launching the **DNS cache poisoning attack**. It infers the ephemeral port number and TxID by exploiting ICMP global rate limit as a side channel.

## How it works
1. Scan ephemeral ports opened by the resolver.
2. Brute force TxID.

The side channel leverage the global rate limit counter as a shared resource (between the **spoofed** and non-spoofed IPs), which controls whether an ICMP reply should be sent or not. This gives the off-path attacker the ability to identify whether previous **spoofed** UDP port probing packets solicited ICMP replies or not.

The following figure shows the detail of inferring ephemeral ports.

![Off-path port scanning](https://www.saddns.net/attack.svg)

### Why spoofed IP is necessary for UDP port discovery?
- DNS software like BIND uses ```connect()``` for their northbound query sockets, which renders the port only discoverable by the NS' IP address.
- Bypass per-IP ICMP rate limit.

## Additional resources

### Publication

[**DNS Cache Poisoning Attack Reloaded: Revolutions with Side Channels**](https://doi.org/10.1145/3372297.3417280)

Keyu Man, Zhiyun Qian, Zhongjie Wang, Xiaofeng Zheng, Youjun Huang, Haixin Duan

*In Proceedings of ACM Conference on Computer and Communications Security (CCS`20), November 9-13, 2020, Virtual Event, USA.*

### Website

[**SADDNS**](https://www.saddns.net)

## How to run

The attack tool is implemented in two languages: **Go** and **C**.

The files in ```/saddns_go``` belong to **Go** implementation of the attack. This is the major version we maintained and contains many features to facilitate the attack. The author is [Keyu Man](https://github.com/mkyybx). The detailed running instruction can be found at [saddns_go/Readme.md](https://github.com/seclab-ucr/SADDNS/blob/master/saddns_go/Readme.md).

The **C** version files are in ```/saddns_c``` and we are giving credits to our collaborator [@wonderqs](https://github.com/wonderqs). The C version has a better performance and for people who are not familiar with Go. The detailed running instruction can be found at [saddns_c/README.md](https://github.com/seclab-ucr/SADDNS/blob/master/saddns_c/README.md).

## Questions and issues

Please submit them by opening a new issue.