Fragmentation Considered Poisonous
Amir Herzberg, Haya Shulman

TL;DR
This paper demonstrates practical off-path DNS poisoning and name-server blocking attacks exploiting IP fragmentation, especially in DNSSEC scenarios, enabling domain hijacking, traffic analysis, and covert channels.
Contribution
It introduces new fragmentation-based DNS attacks that bypass existing defenses and shows how to manipulate DNS resolution and security mechanisms.
Findings
Attacks enable complete domain hijacking when DNSSEC is partially deployed.
Attacks allow off-path traffic analysis and covert channels.
Name server blocking attacks degrade service and facilitate DNS poisoning.
Abstract
We present practical poisoning and name-server blocking attacks on standard DNS resolvers, by off-path, spoofing adversaries. Our attacks exploit large DNS responses that cause IP fragmentation; such long responses are increasingly common, mainly due to the use of DNSSEC. In common scenarios, where DNSSEC is partially or incorrectly deployed, our poisoning attacks allow 'complete' domain hijacking. When DNSSEC is fully deployed, attacker can force use of fake name server; we show exploits of this allowing off-path traffic analysis and covert channel. When using NSEC3 opt-out, attacker can also create fake subdomains, circumventing same origin restrictions. Our attacks circumvent resolver-side defenses, e.g., port randomisation, IP randomisation and query randomisation. The (new) name server (NS) blocking attacks force resolver to use specific name server. This attack…
Taxonomy
Topics: IPv6, Mobility, Handover, Networks, Security · Internet Traffic Analysis and Secure E-voting · Network Security and Intrusion Detection
