What is Kaminsky attack in DNS?

The Kaminsky attack, also known as DNS cache poisoning, is a security vulnerability that allows attackers to insert forged DNS records into the cache of a DNS resolver, leading to various malicious activities. It was discovered by security researcher Dan Kaminsky in 2008.

The attack exploits the weak randomness of transaction IDs used in DNS queries, allowing an attacker to maliciously insert forged DNS records into the cache of a recursive DNS resolver. This can lead to redirecting users to fake websites, intercepting their communications, or redirecting email traffic.

Attacker sending a fake DNS reply to the DNS resolver
Attacker sending a fake DNS reply to the DNS resolver

Basic functional components in DNS

Every DNS query is assigned a unique 16-bit identification number, generated randomly, and this number must be returned upon resolving the query to ensure the authenticity of the response. However, once the query is resolved, the response is cached on the local machine for a certain period so an attacker can no longer poison it.

The provided diagram illustrates the structure of a DNS entry, encompassing various components such as identification number, source port, destination port, and additional Resource Records (RR). These RRs contain supplementary information that can be utilized in subsequent queries and responses.

DNS response
DNS response

A more comprehensive representation is presented below, illustrating the functioning of the Questions, Answers, Authority, and Additional Information sections.

Kaminsky blind spoofing
Kaminsky blind spoofing

  • Transaction ID: This enables the DNS client to match the reply with the original request.

  • Answer: It reveals the corresponding IP address for the requested lookup, which can be cached for a specific duration known as TTL TTL stands for "Time to Live" and refers to the maximum amount of time that a data packet can remain on a network before it is discarded or considered invalid.(21,600 seconds).

  • Authority section: It specifies the responsible name servers for the provided answer. If the "Answer" section were empty, the resolver would proceed by forwarding the original query to one of these servers.

  • Additional section: It provides extra information to avoid the need for separate searches or helps with the initial setup process.

Launching of the Kaminsky attack

An attacker may seek to manipulate the functionality of DNS to redirect users to malicious websites or overload specific websites, potentially leading to crashes and DDoS attacks.

There are two reasons to keep in mind before knowing how the attack goes on:

  • Spoof uses an Additional field (rather than Answer).

  • An attacker can get around caching legit replies by generating a series of different name lookups.

An example is demonstrated of what goes inside the DNS replies during the Kaminsky attack.

Kaminsky blind spoofing
Kaminsky blind spoofing

Here, an attacker aims to manipulate the nameserver record for educative.io at a DNS resolver in, let's say, Hawaii. They would send queries like random1.educative.io, random2.educative.io, random3.educative.io, etc., attempting to override the cache for the educative nameserver record in the response's additional section. By predicting the correct identification number and outpacing the legitimate servers, the attacker tries to poison the DNS cache.

A simplified illustration of the attack is presented in the following slides, providing additional abstracted information.

1 of 5

Protection against Kaminsky attack

The attacker's success in sending a fake reply to the client depends on correctly guessing the identification number of the DNS query. With 16 bits, there is a chance of 1 in 65535. Additionally, we want to outpace the legitimate servers. To make the attack more challenging, we can increase the identification number or randomize the ports, making it harder for the attacker to generate rapid random replies. Other new DNS security measures like DNSSEC can also be used, which is a safer method to get queries back.

DNS response
DNS response

Conclusion

The Kaminsky attack has highlighted the significance of DNS security and the ongoing efforts required to safeguard the integrity of the DNS infrastructure. It emphasizes the need for developing advanced methods to protect the DNS protocol, considering that attackers may have improved resources in the future.

Copyright ©2024 Educative, Inc. All rights reserved

Learn in-demand tech skills in half the time

PRODUCTS

Mock Interview

New

Courses

Skill Paths

Projects

Assessments

TRENDING TOPICS

Learn to Code

Tech Interview Prep

Generative AI

Data Science

Machine Learning

GitHub Students Scholarship

Early Access Courses

Blind 75

Pricing

For Individuals

Try for Free

Gift a Subscription

CONTRIBUTE

Become an Author

Become an Affiliate

Earn Referral Credits

RESOURCES

Blog

Cheatsheets

Webinars

Answers

ABOUT US

Our Team

Careers

Hiring

Frequently Asked Questions

Contact Us

Press

LEGAL

Privacy Policy

Cookie Policy

Terms of Service

Business Terms of Service

Data Processing Agreement

INTERVIEW PREP COURSES

Grokking the Modern System Design Interview

Grokking the Product Architecture Design Interview

Grokking the Coding Interview Patterns

Machine Learning System Design

Tiktok Streamline Icon: https://streamlinehq.com

Copyright ©2024 Educative, Inc. All rights reserved.

soc2