ABSTRACT
The research and operational communities believe that TCP provides protection against IP fragmentation attacks, and they recommend that servers avoid sending DNS responses over UDP and use TCP instead.
In this work we show that IP fragmentation attacks also apply to servers that communicate over TCP. Our measurements indicate that among the top 100K Alexa domains there are 393 additional domains whose nameservers can be forced to (source) fragment IP packets that contain TCP segments. In contrast, responses from these domains cannot be forced to fragment when sent over UDP.
Our study not only shows that the recommendation to use TCP instead of UDP in order to avoid attacks that exploit fragmentation is risky, but it also unveils that the attack surface due to fragmentation is larger than was previously believed. We evaluate IP fragmentation-based DNS cache poisoning attacks against DNS responses over TCP.
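As an added example (not part of the paper), the following Python check flags IPv4 fragments that carry TCP segments, distinguishing a first fragment of a DNS-over-TCP response (source port 53) from later fragments that expose no transport header at all; the nameserver address 192.0.2.53, the IP-ID values and the packet contents are constructed sample data.

```python
import struct

DNS_PORT = 53
IPPROTO_TCP = 6

def parse_ipv4(pkt):
    """Decode the IPv4 header fields that reveal fragmentation (RFC 791 layout)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, ident, flags_frag, _, proto, _, src, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ident": ident, "mf": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8, "proto": proto,
            "src": ".".join(str(b) for b in src), "payload": pkt[ihl:]}

def classify(pkt):
    """Describe a fragment that carries (part of) a TCP segment; None if unfragmented or not TCP."""
    h = parse_ipv4(pkt)
    if not (h["mf"] or h["offset"]) or h["proto"] != IPPROTO_TCP:
        return None
    if h["offset"] == 0:
        # Only the first fragment carries the TCP header, so only it exposes the ports.
        sport, _dport = struct.unpack("!HH", h["payload"][:4])
        kind = "TCP DNS response" if sport == DNS_PORT else f"TCP segment from port {sport}"
        return f"first fragment of {kind}, src {h['src']}, IP-ID {h['ident']}"
    return f"later fragment (offset {h['offset']}) src {h['src']}, IP-ID {h['ident']}"

def build_ipv4(src, proto, ident, mf, offset, payload):
    """Construct a minimal IPv4 packet (constructed sample data, checksum left zero)."""
    flags_frag = (0x2000 if mf else 0) | (offset // 8)
    src_bytes = bytes(int(o) for o in src.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, src_bytes, b"\x0a\x00\x00\x02")
    return hdr + payload

# Constructed samples: a DNS-over-TCP response from a hypothetical nameserver 192.0.2.53
# that the sender split into two fragments, plus an unfragmented segment for contrast.
TCP_HDR = struct.pack("!HHIIBBHHH", 53, 40000, 1, 1, 0x50, 0x18, 65535, 0, 0)
SAMPLES = [
    build_ipv4("192.0.2.53", IPPROTO_TCP, 0x1234, True, 0, TCP_HDR + b"A" * 1460),
    build_ipv4("192.0.2.53", IPPROTO_TCP, 0x1234, False, 1480, b"B" * 300),
    build_ipv4("192.0.2.53", IPPROTO_TCP, 0x1235, False, 0, TCP_HDR + b"C" * 100),
]

def findings(packets):
    """Run the check over a list of raw IPv4 packets; returns only the fragment findings."""
    return [f for f in (classify(p) for p in packets) if f]
```

The second fragment shares the IP-ID of the first but carries no TCP header, which is why a defender cannot attribute it to a port or connection from the fragment alone.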
DNS-over-TCP considered vulnerable