🐧 SAD DNS cache poisoning: interim fix for Linux servers and desktops

There is a new DNS cache poisoning threat called Side-channel AttackeD DNS (SAD DNS).

In short, SAD DNS lets an attacker poison a resolver's cache so that traffic destined for a specific domain is redirected to a server under their control.

Once the traffic is redirected, they can easily spy on it.

This network side-channel attack can have serious security implications for both users and businesses, even if your servers in Germany

The flaw affects Linux (kernels 3.18 through 5.10), Windows Server 2019 (version 1809) and newer, macOS 10.15 and newer, and FreeBSD 12.1.0 and newer.

Let me show you how to deploy the BlueCat script on your Linux computers and servers so that you are covered until the DNS server vendors ship a proper fix.

What do you need

  • Access to the Linux machines on your network that use DNS
  • A user with sudo privileges

How to use the script

The script generated by BlueCat is actually quite simple and looks like this:

#!/usr/bin/env bash
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
###########################################################################
#
# Three options for installation. Choose one of the following:
#
# 1. Copy to /etc/cron.minutely
#
# 2. Copy the script to the DNS server. Create a file in /etc/cron.d with
#    the following syntax (note the user field after the schedule):
#
#    * * * * * root    /path/to/icmp_ratelimit.sh >/dev/null 2>&1
#
# 3. Create a user cron entry while using `crontab -e`
#
#    * * * * * /path/to/icmp_ratelimit.sh >/dev/null 2>&1
#
# - Change "/path/to" to match the exact location of the script.
# - Finally, make sure it is executable: chmod +x /path/to/icmp_ratelimit.sh
#
# Runs for 60 seconds (one cron interval) and, about once a second, writes a
# fresh random ICMP rate limit (500 + 0..1499) to the IPv4 and IPv6 sysctl
# files. Must run as root, since /proc/sys is not writable otherwise.
seconds="60"
while [[ ${seconds} -gt 0 ]]
do
    echo $((500 + ${RANDOM} % 1500)) > /proc/sys/net/ipv4/icmp_ratelimit
    # The IPv6 counterpart of net.ipv4.icmp_ratelimit is net.ipv6.icmp.ratelimit;
    # skip it on hosts where IPv6 is disabled and the file does not exist.
    [[ -w /proc/sys/net/ipv6/icmp/ratelimit ]] &&
        echo $((500 + ${RANDOM} % 1500)) > /proc/sys/net/ipv6/icmp/ratelimit
    sleep .95
    seconds=$((seconds - 1))   # without this decrement the loop never ends
done

Note: BlueCat may update the script, for example to extend the IPv6 handling. Check their official GitHub page for the latest version of this script.

The script does the same thing as the upcoming Linux kernel patch: it randomizes the ICMP rate limit.

To be more specific, in the words of David Maxwell, director of software security at BlueCat:

“The script is roughly equivalent to the Linux kernel change made on October 16th. Once per second, it sets a new randomized limit for ICMP responses, between 500-1500 / s. It will work on systems running Linux 2.4.10 or newer.”

Create this script with the command:

sudo nano /usr/local/bin/icmp_ratelimit.sh

Paste the contents of the script into the new file, then save and close it. Make the file executable with the command:

sudo chmod u+x /usr/local/bin/icmp_ratelimit.sh

With the script in place, create a cron job that runs it. Open root's crontab with the command:

sudo crontab -e

At the bottom of this file, paste the following line (flock -xn makes sure a second copy is not started while one is still running):

*/10 * * * * flock -xn /root/.icmpratelimit-lock -c /usr/local/bin/icmp_ratelimit.sh

Save and close the file.

Be sure to do this on all of your Linux machines.
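To confirm that a host is actually covered, here is an added check of my own (example code, not BlueCat's script or anything from the article): one function decides from the `uname -r` release string whether the kernel falls in the affected 3.18 to 5.10 range, the other samples the sysctl file for a few seconds and reports whether its value is changing, which it only does while the cron job is writing to it. The function names and the report wording are my own assumptions.

```shell
#!/usr/bin/env bash
# Added verification helper (example code, not BlueCat's or the article's).

# Return 0 if a kernel release string ("5.4.0-54-generic", "3.18.140") falls
# in the affected 3.18 .. 5.10 range named in the article, 1 if outside it,
# 2 if the string could not be parsed.
sad_dns_kernel_affected() {
    ver="${1%%-*}"                       # drop "-54-generic", "-rc1" etc.
    case "$ver" in *.*) ;; *) return 2 ;; esac
    major="${ver%%.*}"
    rest="${ver#*.}"
    minor="${rest%%.*}"
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    num=$((major * 100 + minor))         # 3.18 -> 318, 5.10 -> 510
    [ "$num" -ge 318 ] && [ "$num" -le 510 ]
}

# Read sysctl file $1 up to $2 times (default 5), one second apart. Return 0
# as soon as a value differs from the first one (the cron job is rewriting
# it), 1 if it never changed, 2 if the file is not readable.
icmp_ratelimit_is_randomized() {
    file="$1"; samples="${2:-5}"
    [ -r "$file" ] || return 2
    first=$(cat "$file")
    i=1
    while [ "$i" -lt "$samples" ]; do
        sleep 1
        [ "$(cat "$file")" != "$first" ] && return 0
        i=$((i + 1))
    done
    return 1
}

# Human-readable report for the current host. Checks the IPv4 file by
# default; pass the IPv6 file path as an argument to check that one instead.
sad_dns_report() {
    file="${1:-/proc/sys/net/ipv4/icmp_ratelimit}"
    if sad_dns_kernel_affected "$(uname -r)"; then
        echo "kernel $(uname -r): in affected range"
    else
        echo "kernel $(uname -r): outside affected range (or unparsable)"
    fi
    if icmp_ratelimit_is_randomized "$file"; then
        echo "$file is changing: mitigation script is active"
    else
        echo "$file is static: mitigation script is NOT running right now"
    fi
}
```

With the `*/10` schedule above, the value only changes during the first minute after each cron run, so call `sad_dns_report` right after the job has fired (or run it from a per-minute cron entry as the script header suggests).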

Conclusion

That’s all there is to it.

Your Linux servers and desktops should be protected from SAD DNS this way until the DNS vendors ship a permanent fix or the Linux kernel is officially patched against this attack.
