黑帽大会2023(美国)

摘要

In this paper, we report MaginotDNS, a powerful cache poisoning attack against DNS servers that simultaneously act as recursive resolvers and forwarders (termed as CDNS). The attack is made possible through exploiting vulnerabilities in the bailiwick checking algorithms, one of the cornerstones of DNS security since the 1990s, and affects multiple versions of popular DNS software, including BIND and Microsoft DNS. Through field tests, we find that the attack is potent, allowing attackers to take over entire DNS zones, even including Top-Level Domains (e.g., .com and .net). Through a large-scale measurement study, we also confirm the extensive usage of CDNSes in real-world networks (up to 41.8% of our probed open DNS servers) and find that at least 35.5% of all CDNSes are vulnerable to MaginotDNS. After interviews with ISPs, we show a wide range of CDNS use cases and real-world attacks. We have reported all the discovered vulnerabilities to DNS software vendors and received acknowledgments from all of them. 3 CVE-ids have been published, and 2 vendors have fixed their software. Our study brings attention to the implementation inconsistency of security checking logic in different DNS software and server modes (i.e., recursive resolvers and forwarders), and we call for standardization and agreements among software vendors.

日期
8月 9, 2023 12:00 AM — 11:59 PM
位置
MANDALAY BAY CONVENTION CENTER
3950 Las Vegas Blvd. South, Las Vegas, 89119

在黑帽大会2023(美国)上, 李洲助理教授分享了我们的研究工作:“The Maginot Line: Attacking the Boundary of DNS Caching Protection”。

李想
李想
南开大学副教授

李想,南开大学副教授,南开大学CTF战队指导老师、ACM会员、CCF会员、中国通讯学会会员、顶会IMC 2025 PC、AsiaCCS 2025 PC。研究方向为网络与协议安全、Web安全、漏洞挖掘等,已发表论文18篇(含一作6篇:在网络安全四大顶会均有发表、通讯1篇、二作3篇),第一发明人授权专利1项及实质审查中5项(共11项),在Black Hat多次分享,获得200+CVE等漏洞编号,370+GitHub stars。研究获得多个政府及大学CERT安全公告、100+媒体报道,并被纳入RFC标准文档。其也获得了多项奖项荣誉,如2024年度ACM SIGSAC中国优博奖、2024年度黑客奥斯卡Pwnie提名奖、IPv6创新大赛一等奖、GeekCon国际安全极客大赛亚军及非凡黑客荣誉称号、王大中奖学金、博士研究生国家奖学金、清华优秀奖学金、优秀博士毕业生等。