There are two preconditions for the attack:
- One of the queries results in 2k valid answer
- One of the queries soft-fails and will be retried
Mitigating (1) with UDP is simple: set maximum UDP buffer size to <2048B [1] That leaves TCP.
Marek Vavruša vavrusa
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var net = require('net'); | |
| var dgram = require('dgram'); | |
| function ntohs(arr) { | |
| return ((arr[0] & 0xFF) << 8) | (arr[1] & 0xFF); | |
| } | |
| function parse_name(data, pos) | |
| { | |
| for (base = pos; pos < data.length;) { |
vavrusa
/ csv-sans-header.csv
Created
April 28, 2015 12:11
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 3 | 0.979429111596 | |
|---|---|---|
| 4 | 0.979429111596 | |
| 5 | 0.979429111596 | |
| 6 | 0.979429111596 | |
| 7 | 0.979429111596 | |
| 8 | 0.979429111596 | |
| 9 | 0.979429111596 | |
| 10 | 0.979429111596 | |
| 11 | 0.979429111596 | |
| 12 | 0.979429111596 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## How it deals with bad CDNs | |
| The query is `who.ami.here.com. A` | |
| 1. It's going to ask at `.` to `com. NS` and get a referral | |
| 2. it's going to ask `com.` nameserver about `here.com. NS` and get a referral | |
| ... see the pattern, it just appends labels, but bear with me | |
| 3. We're asking `here.com` nameserver about `ami.here.com. NS` , but he's a prick and tells us 'NXDOMAIN'. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Near-stretch ideas | |
| ------------------ | |
| * I *quite* like how it's built, but it's too much *PowerDNS*-y, hacking on it is a pain (if you work on cheap virtuals like me) because of long build times and dependencies (I know, but try it yourself on the budget DigitalOcean droplet...), I'd say lose the legacy and make it really a standalone thing. | |
| * The configuration is sometimes confusing, like if I set it up to listen on local interfaces, it happily does so but it silently drops all queries because the ACL allows localhost only (uhm, maybe it needs to say something in verbose mode or documentation update). | |
| * The config format for IPv6 has a poor choice of ':' as a separator, it's not possible to forward to IPv6 address on a custom port. | |
| Far-stretch ideas | |
| ----------------- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| local slowdrip = { | |
| tracked = {}, | |
| blocked = {}, | |
| window = 60, -- Length of the tracking window | |
| threshold = 100, -- Number of NXDOMAINs before blocking | |
| -- Track suffixes of names leading to NXDOMAIN | |
| layer = { | |
| finish = function(state, req, answer) | |
| local parent = answer:qname() | |
| parent = parent:sub(parent:find('.',0,true), -1) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <string.h> | |
| #include <lua.h> | |
| #include <lualib.h> | |
| #include <lauxlib.h> | |
| #include <arpa/inet.h> | |
| /* Get/set opcode */ | |
| static int msg_op(lua_State *L) | |
| { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -- C definitions | |
| local ffi = require('ffi') | |
| local csym = ffi.C | |
| ffi.cdef[[ | |
| /* DHCP header format */ | |
| struct __attribute__((packed)) dhcp_msg { | |
| /* Header */ | |
| uint8_t op; | |
| uint8_t htype; | |
| uint8_t hlen; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| local mod = {} | |
| mod.layer = { | |
| consume = function (state, req, answer) | |
| if state == kres.FAIL then | |
| return state | |
| end | |
| answer = kres.pkt_t(answer) | |
| req = kres.request_t(req) | |
| if answer:qtype() == kres.type.NS then | |
| local qry = req:push(answer:qname(), kres.type.SOA, kres.class.IN) |
vavrusa
/ poc-dnsmasq.py
Last active
January 23, 2021 00:43
PoCs for CVE-2015-7547 (different attack vectors)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| # | |
| # Copyright 2016 Google Inc | |
| # | |
| # Licensed under the Apache License, Version 2.0 (the "License"); | |
| # you may not use this file except in compliance with the License. | |
| # You may obtain a copy of the License at | |
| # | |
| # http://www.apache.org/licenses/LICENSE-2.0 | |
| # |
OlderNewer