gfwleak/handingkang-fakedns6-v2
Archived
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
No description
This repository has been archived on 2026-06-16. You can view files and clone it, but you cannot make any changes to its state, such as pushing and creating new issues, pull requests or comments.
3 commits 1 branch 0 tags 62 KiB
  • Go 94.6%
  • C 5.4%
Find a file
Exact
韩丁康 eb21943ad0 Update README.md
2024-06-18 08:59:15 +00:00
src/ucr.edu/SADDNS2.0 First Commit 2022-12-15 15:02:03 -08:00
guessSeed4.c First Commit 2022-12-15 15:02:03 -08:00
LICENCE First Commit 2022-12-15 15:02:03 -08:00
README.md Update README.md 2024-06-18 08:59:15 +00:00

README.md

SADDNS2.0: DNS Cache Poisoning Attack: Resurrections with Side Channels

Introduction

SADDNS2.0 is a tool for launching the DNS cache poisoning attack. It infers the ephemeral port number and brute forces the TxID by exploiting Forwarding Information Base(FIB) Next Hop Exception(FNHE) cache as a side channel.

This is a different side channel cache poisoning attack derived from SADDNS. Most code usage may remain the same.

How it works

  1. Scan ephemeral ports opened by the resolver.
  2. Brute force TxID.

The side channel leverages the hash table storing fnhe entry as a shared resource (between the spoofed and non-spoofed IPs), which controls whether an IP packet should be fragmented or not. This gives the off-path attacker the ability to identify whether previous spoofed ICMP fragment needed packets were accepted or not, which further indicates whether the guessed port is correct or not.

The following figure shows the detail of inferring ephemeral ports.

Off-path port scanning

Why spoofed IP is still necessary?

  • Compared with SADDNS, SADDNS2.0 uses embedded UDP packet to scan open port and therefore no IP spoofing is needed during the scanning phase.
  • IP spoofing is still required for injecting rogue responses.

Additional resources

Website

SADDNS

How to run

Requirements

  • An IP-spoofing-capable host (preferably Linux. Windows is ok but suffers from low performance.).
  • A domain (attacker-controlled name server)
  • Other things needed to make clear:
    • The resolver to poison (victim resolver)
    • The domain to poison (victim domain)
    • The victim domain's record will be poisoned on the victim resolver.

Overview

  • Determine the attack type (e.g., public or private port, fragment needed or redirect packet as the payload).
  • Guess the seed/key of FNHE hsah table if private port is used.
  • Flood query traffic to mute the name server of the victim domain (see SADDNS repo for flooding scripts).
  • Run attack program to guess the port number and TxID automatically.

Steps

  1. Compile

    go build ucr.edu/SADDNS2.0(requires gopacket and libpcap)

  2. Seed guessing (only required when probing private ports)

    See the paper for details. GuessSeed.go provides methods to send out seed guessing packets. guessSeed4.c implements hash guessing functions to guess the seed.

  3. Start flooding

    ./dns_query.sh &(requires hping3)

    Please see the comment in the file for usage.

  4. Start attacking (flooding is still in progress)

    sudo ./saddns [args]

    Run ./saddns -h for usage.

Questions and issues

Please submit them by opening a new issue.