#BHUSA BlackHatEvents

TuDoor Attack: Systematically Exploring and Exploiting Logic Vulnerabilities in DNS Response Pre-processing with Malformed Packets
Speaker(s): Qi Wang, Tsinghua University
Contributor(s): Xiang Li, Nankai University & Chuhan Wang, Tsinghua University

Attack Impact
Poisoning vulnerable resolvers' cache within just one second.
Our TuDoor attack could poison arbitrary domains, e.g., .com.

Domain Name System (DNS)
DNS Overview
- Translating domain names to IP addresses
- Entry point of many Internet activities
- Domain names are widely
[Figure: a domain name resolved to 93.184.216.34; labels: DNS, Web, CDN, Email, Certificate]
Cited from

Domain Name System (DNS)
Hierarchical Name Space
- Authoritative zones: root, TLD, SLD; DNS records
- Domain delegation; domain registration
Multiple Resolver Roles
- Client, forwarder, recursive, authoritative
- Caching
Iterative Resolution Process
- Client-server style
[Figure: DNS namespace (root ".", TLDs net and com, SLD example, linked by Delegate edges) and the resolution path between DNS client, forwarder, recursive resolver and authoritative servers (Root, TLD, SLD). Steps 1-10: Query, Referral to TLD NS, Query, Referral to SLD NS, Query, Authoritative answer, Response.]

Domain Name System (DNS)
DNS Resolution Process
- Primarily over UDP
- Iterative and recursive
- Caching
[Figure: the same namespace and resolution diagram, with the example query and response packets below.]
Query:    SP=50000  DP=53     QD: A?  AN: (empty)     AU: (empty)  AR: (empty)  TXID=
Response: SP=53     DP=50000  QD: A?  AN: A 1.1.1.1  AU: (empty)  AR: (empty)  TXID=1001
Source port (65536) x TXID (65536): 32 bits space

Takeaway
Attackers have long been trying to manipulate its response for hijacking via cache poisoning attacks.
Since DNS is the cornerstone of the Internet, enabling multiple c