Hold-On Flashcards
an attacker who can observe and inject traffic
inserts fake replies to queries
DNS poisoning based on packet injection
Attackers against DNS fall into three categories:
off-path,
on-path, and
in-path.
lacks the ability to observe DNS queries and responses. Such an attacker will generally employ some means to trigger specific DNS lookups, but must guess the transaction ID and any other entropy (such as the source port and 0x20 encoding) in the request to forge a reply that the resolver will accept.
An off-path adversary
generally generate numerous packets in hopes of matching the request. Additionally, because resolvers do not issue new queries for a name that is already cached, off-path adversaries have difficulty targeting stub resolvers, since stubs, unlike recursive resolvers, do not generally accept and promote glue entries.
Off-path adversaries
has the ability to passively observe the actual lookups requested by a resolver
An on-path adversary
can directly forge DNS replies that match the full set of criteria used by the resolver to validate answers (other than use of DNSSEC). As long as a forged reply arrives at the resolver before the legitimate one, the resolver will accept the injected answer and become poisoned.
An on-path adversary
Absent a denial-of-service attack on legitimate servers, both off-path and on-path adversaries lack the ability to suppress legitimate responses. Thus, both of these adversaries necessarily create an observable artifact: the victim, if it waits sufficiently long, will receive both the attacker’s packet and the legitimate reply.
True facts
Only this, being capable of blocking and modifying packets, can prevent the legitimate reply from reaching the victim.
an in-path adversary
Although in-path approaches have more power, on-path approaches have several advantages, making their use appealing for attackers.
Censorship tools commonly use on-path rather than in-path techniques to ease deployment and to make the system failure and load tolerant, as the censorship system can then operate on a traffic mirror rather than the live traffic.
works without modifying drivers, but suppressing legitimate replies requires hardware-specific access to the low-level air interface to detect and squelch a broadcast in flight
on-path WiFi packet injection
adds cryptographic authentication to prevent the acceptance of invalid DNS replies
DNSSEC
does not suffice as a replacement for a mechanism such as Hold-On: resolvers need to maintain an open port for a period of time in order to attempt to validate all responses received for a query, not just the first.
DNSSEC
Hold-On can provide a robust defense against on-path injection only when combined with
DNSSEC
operates as a stub resolver to a known-uncensored remote recursive resolver, which enables accurate initial measurement of RTT and TTL to enable subsequent detection of unexpected replies
The current Hold-On implementation
Without DNSSEC, “Hold On” relies on attack packets exhibiting significant differences in “These 2 things” in order to distinguish them from legitimate replies.
IP TTL or RTT