A flaw discovered in Linux allows DNS servers to be attacked and potentially redirect millions of users at once to bogus sites. Up to 38% of DNS servers could be affected, including services like OpenDNS.
To understand, we have to go back to the initial discovery of a flaw in DNS servers in 2008. These servers hold the list of domain names and the IP address of the corresponding website. When you enter an address, your computer connects to a DNS server, usually your service provider's, to obtain the IP address. At that time, researchers discovered that it was possible to poison the cache of DNS servers by sending them a fake update, so that trusted sites, for example .com domains, were then redirected to fake sites.
An attack made possible by brute force
At that time, updates to a server's DNS cache were only protected by a 16-bit transaction ID, or 65,536 possibilities. It was therefore possible to attack a server by brute force, trying all the identifiers, and thus redirect every computer that depends on it. The flaw was fixed by sending queries from a random UDP port, which adds another 16 bits of entropy, or roughly four billion possible combinations.
However, a newly discovered flaw calls this protection into question. It relies on the ICMP error messages that DNS servers use to communicate. Researchers have shown that it is possible to use an ICMP message to determine the correct UDP port number. An attacker would then only need to find the transaction ID by brute force, as when the original flaw was discovered in 2008.
All Linux-based DNS servers are potentially affected
The flaw affects Linux-based servers, or about 38% of DNS servers according to the researchers. It works by sending a very specific error message (of the type ICMP Redirect or ICMP Fragmentation Needed). Since this is an error message, the server does not reply to it, so in theory there is no way to tell whether it reached the correct port. However, on Linux this message can change the maximum packet size (MTU) the server uses, which can then be measured. All an attacker has to do is repeat the operation, changing the port until the correct one is found, that is, at most 65,536 times. It is then possible to launch a direct brute-force attack using the method discovered in 2008.
According to the researchers, other servers and FreeBSD are not affected by this flaw. macOS servers should therefore not be vulnerable either, because they use the FreeBSD network stack. The researchers suggest three fixes: use the IP_PMTUDISC_OMIT socket option to reject ICMP Fragmentation Needed messages, randomize the cache structure, or simply reject ICMP Redirect messages, which are rarely used. According to the site, Cisco, the owner of OpenDNS (cited as vulnerable by the researchers), has said it already fixed the flaw.
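As an added illustration (not code from the article or from the researchers), this is how a resolver on Linux can apply the first fix, setting IP_PMTUDISC_OMIT on its UDP socket and reading it back, together with a check of whether the host still accepts ICMP redirects; the function names are my own and the block assumes a Linux kernel that supports the option.

```c
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Linux's uapi/linux/in.h defines IP_PMTUDISC_OMIT as 5; older libc headers may lack it. */
#ifndef IP_PMTUDISC_OMIT
#define IP_PMTUDISC_OMIT 5
#endif
/* Mitigation 1: ignore ICMP "fragmentation needed" on this UDP socket so a
 * forged one cannot change the MTU an attacker then measures. 0 ok, -1 error. */
int harden_udp_socket(int fd) {
    int mode = IP_PMTUDISC_OMIT;
    return setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &mode, sizeof mode);
}

/* Read back the socket's PMTU-discovery mode (-1 on error). */
int pmtu_mode(int fd) {
    int mode = -1;
    socklen_t len = sizeof mode;
    if (getsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &mode, &len) < 0) return -1;
    return mode;
}

/* Create a resolver-style UDP socket, harden it and verify the setting.
 * Returns 1 if the socket ends up in IP_PMTUDISC_OMIT mode, else 0. */
int hardened_socket_ok(void) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return 0;
    int ok = harden_udp_socket(fd) == 0 && pmtu_mode(fd) == IP_PMTUDISC_OMIT;
    close(fd);
    return ok;
}

/* Mitigation 3 check: does the host still accept ICMP redirects?
 * Returns the sysctl value (0 = rejected, 1 = accepted) or -1 on error. */
int accept_redirects_enabled(void) {
    FILE *f = fopen("/proc/sys/net/ipv4/conf/all/accept_redirects", "r");
    int v = -1;
    if (f == NULL) return -1;
    if (fscanf(f, "%d", &v) != 1) v = -1;
    fclose(f);
    return v;
}

int main(void) {
    printf("PMTUDISC_OMIT applied: %s\n", hardened_socket_ok() ? "yes" : "no");
    printf("accept_redirects sysctl: %d\n", accept_redirects_enabled());
    return 0;
}
```

The socket option only covers the Fragmentation Needed variant; rejecting redirects is a host-wide sysctl, which is why the block reads it rather than sets it.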
What to remember
- The 2008 DNS cache poisoning flaw resurfaces.
- DNS cache poisoning lets an attacker replace legitimate sites with fake ones.
- All DNS servers on Linux are potentially affected.