DOI: 10.1145/3472305.3472884

DNS-over-TCP considered vulnerable

Published: 24 July 2021

Abstract

    The research and operational communities believe that TCP protects against IP fragmentation attacks, and they recommend that servers avoid sending DNS responses over UDP and use TCP instead.
    In this work we show that IP fragmentation attacks also apply to servers that communicate over TCP. Our measurements indicate that among the Alexa top-100K domains there are 393 additional domains, i.e., domains whose nameservers cannot be forced to fragment responses sent over UDP but can be forced to (source) fragment IP packets that carry TCP segments.
    Our study not only shows that the recommendation to use TCP instead of UDP in order to avoid fragmentation-based attacks is risky, but also reveals that the attack surface due to fragmentation is larger than previously believed. We evaluate IP fragmentation-based DNS cache poisoning attacks against DNS responses over TCP.
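    The abstract's point, that fragmentation attacks are transport-agnostic, follows from how IPv4 reassembly works: fragments are matched on (source, destination, protocol, identification) before any transport header is looked at. The Python model below is added here as an illustration and is not code from the paper. It walks a spoofed second fragment through a toy reassembly buffer for both TCP and UDP and shows that only a server that does not fragment at all is unaffected. The addresses, IP ID, payloads and the first-fragment-wins overlap policy are constructed assumptions; IP ID prediction and transport checksums, which a real attacker must also handle, are deliberately left out of the model.

```python
"""Toy IPv4 reassembly model (RFC 791 grouping rule) used to show why a
spoofed fragment attaches to a server's response regardless of transport.
Constructed example, not the paper's code; addresses, IP ID and payloads
are made up."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TCP, UDP = 6, 17
Key = Tuple[str, str, int, int]


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    proto: int
    ip_id: int            # 16-bit Identification field; the attacker must predict it
    offset: int           # byte offset of this payload within the datagram
    more_fragments: bool  # the MF flag
    payload: bytes

    @property
    def key(self) -> Key:
        # Fragments are grouped by (source, destination, protocol, identification).
        # Ports, TCP sequence numbers and checksums sit inside the payload and are
        # not examined until reassembly has finished, so TCP gives no protection here.
        return (self.src, self.dst, self.proto, self.ip_id)


class Reassembler:
    """Reassembly buffer with an assumed first-fragment-wins policy: the first
    fragment seen for a (key, offset) slot is kept, a later one for the same slot
    is discarded. Real stacks differ in overlap handling, but all key on the 4-tuple."""

    def __init__(self) -> None:
        self.pending: Dict[Key, Dict[int, Fragment]] = {}

    def receive(self, frag: Fragment) -> Optional[bytes]:
        """Feed one fragment; return the full datagram payload once it is complete."""
        if frag.offset == 0 and not frag.more_fragments:
            return frag.payload  # unfragmented datagram: bypasses the buffer entirely
        slots = self.pending.setdefault(frag.key, {})
        if frag.offset in slots:
            return None  # slot already filled: treated as a duplicate and dropped
        slots[frag.offset] = frag
        return self._complete(frag.key)

    def _complete(self, key: Key) -> Optional[bytes]:
        slots = self.pending[key]
        buf, offset = b"", 0
        while offset in slots:
            frag = slots[offset]
            buf += frag.payload
            if not frag.more_fragments:
                del self.pending[key]
                return buf
            offset += len(frag.payload)
        return None  # a slot is still missing; keep waiting (until a timeout, in reality)


LEGIT_ANSWER = b"www.example.com. A 192.0.2.1"
SPOOFED_ANSWER = b"www.example.com. A 203.0.113.66"


def poisoning_scenario(proto: int, server_fragments: bool) -> bytes:
    """Attacker plants a spoofed second fragment, then the server answers.
    Returns the payload handed up to the transport layer at the resolver."""
    src, dst, ip_id = "198.51.100.53", "192.0.2.10", 0xBEEF  # constructed values
    header = b"TCP-HDR|" if proto == TCP else b"UDP-HDR|"
    head = header + b"DNS id=0x1234 qname=www.example.com.|"
    r = Reassembler()

    # The spoofed tail arrives first and is parked under the server's 4-tuple.
    r.receive(Fragment(src, dst, proto, ip_id, len(head), False, SPOOFED_ANSWER))

    if server_fragments:
        # Server was made to source-fragment: its first fragment completes the
        # datagram with the attacker's tail; the genuine tail arrives too late and
        # is parked under a now-empty key until it ages out.
        delivered = r.receive(Fragment(src, dst, proto, ip_id, 0, True, head))
        r.receive(Fragment(src, dst, proto, ip_id, len(head), False, LEGIT_ANSWER))
        return delivered or b""

    # Server does not fragment: one datagram, delivered directly; the planted
    # fragment never matches anything.
    return r.receive(Fragment(src, dst, proto, ip_id, 0, False, head + LEGIT_ANSWER)) or b""
```

    Running `poisoning_scenario(TCP, True)` and `poisoning_scenario(UDP, True)` yields the same poisoned datagram apart from the transport header, which is the practical meaning of "the attack surface is larger than was previously believed": the check a practitioner wants is not "does the server use TCP" but "can the server be made to fragment at all".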


    Cited By

    • Measuring DNS over TCP in the era of increasing DNS response sizes. ACM SIGCOMM Computer Communication Review 52(2): 44-55, 20 June 2022. DOI: 10.1145/3544912.3544918
    • SMap: Internet-wide Scanning for Spoofing. Proceedings of the 37th Annual Computer Security Applications Conference, 1039-1050, 6 December 2021. DOI: 10.1145/3485832.3485917

      Published In

      ANRW '21: Proceedings of the Applied Networking Research Workshop
      July 2021
      98 pages
      ISBN: 9781450386180
      DOI: 10.1145/3472305

      In-Cooperation

      • IRTF (Internet Research Task Force)
      • Internet Society

      Publisher

      Association for Computing Machinery, New York, NY, United States

      Author Tags

      1. DNS cache poisoning
      2. IP fragmentation
      3. TCP

      Qualifiers

      • Short-paper

      Conference

      ANRW '21: Applied Networking Research Workshop, July 24-30, 2021, Virtual Event, USA

      Acceptance Rates

      ANRW '21 paper acceptance rate: 16 of 28 submissions (57%)
      Overall acceptance rate: 34 of 58 submissions (59%)
