Samba DNS Ping-Pong DoS Attack (CVE-2014-0239)
The DNS protocol is once again the source of a denial of service (DoS) attack against internet-connected servers. The Samba security advisory at http://www.samba.org/samba/security/CVE-2014-0239 describes a vulnerability in versions of Samba prior to 4.0.18, in which one or more attackers can send a spoofed DNS packet to a Samba server and cause it to enter an infinite communications loop with the Samba server whose address was spoofed. Update ATI-2014-14 from Ixia's Application and Threat Intelligence service includes a canned test simulating such a DDoS attack, in which two Samba servers DoS each other.
DNS messages carry a one-bit flag called the QR field that specifies whether the message is a query or a response: it is 0 in a query and set to 1 in a response.
When sending a DNS query, a client typically uses a high source port (> 1024), and the server sends its response back to the port the client used in the request. When two DNS servers exchange requests and responses, however, both use port 53 as the source and destination port.
Samba servers can be configured to act as Active Directory Domain Controllers; in this configuration, Samba's own internal DNS server is used by default. This internal DNS server does not check the QR field of incoming DNS messages, so it sends a response whether the incoming message was a query or a response.
By spoofing the IP address of a vulnerable server and using a source port of 53, a single DNS response message can cause two vulnerable Samba servers to enter a communications loop. Two servers sending a packet back and forth might seem like no more than a nuisance, but every one of these packets costs the receiving server processing resources. With a relatively low volume of spoofed DNS messages, two vulnerable Samba servers can be made to DoS each other.
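The loop is easiest to see in a small model. The following Python is an added example written for this post, not Samba's code or the ATI test: it parses the DNS header, shows a handler that ignores QR (the behaviour the advisory describes) next to one that drops any message with QR=1, and counts how many packets two such servers would bounce between each other. The function names and the sample packets are constructed for the illustration.

```python
import struct
from typing import Callable, Optional

# 12-byte DNS header (RFC 1035 4.1.1): ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
DNS_HEADER = struct.Struct("!HHHHHH")

def parse_header(msg: bytes) -> dict:
    """Return the header fields that matter here; QR is the top bit of FLAGS."""
    if len(msg) < DNS_HEADER.size:
        raise ValueError("short DNS message")
    ident, flags, qd, _an, _ns, _ar = DNS_HEADER.unpack_from(msg)
    return {"id": ident, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF, "qdcount": qd}

def build_reply(msg: bytes, hdr: dict) -> bytes:
    """Minimal reply: same ID and question section, QR=1, RCODE=5 (REFUSED), no answers."""
    flags = 0x8000 | (hdr["opcode"] << 11) | 5
    return DNS_HEADER.pack(hdr["id"], flags, hdr["qdcount"], 0, 0, 0) + msg[DNS_HEADER.size:]

def vulnerable_handle(msg: bytes) -> Optional[bytes]:
    """Behaviour the advisory describes: QR is never inspected, everything gets answered."""
    return build_reply(msg, parse_header(msg))

def hardened_handle(msg: bytes) -> Optional[bytes]:
    """Fixed behaviour: a message with QR=1 is a response and is dropped, not answered."""
    hdr = parse_header(msg)
    if hdr["qr"] == 1:
        return None
    return build_reply(msg, hdr)

def ping_pong_packets(handler: Callable[[bytes], Optional[bytes]], first_msg: bytes,
                      max_packets: int = 20) -> int:
    """Model two servers A and B that both run `handler`. `first_msg` reaches A with B's address
    and port 53 spoofed as its source, so every reply goes to the other server. Returns how many
    packets the pair exchanged before one side stopped replying (capped at max_packets)."""
    count, msg = 0, first_msg
    while msg is not None and count < max_packets:
        msg = handler(msg)
        if msg is not None:
            count += 1
    return count

def make_question(name: str) -> bytes:
    """QNAME in label form followed by QTYPE=A, QCLASS=IN."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return labels + b"\x00" + struct.pack("!HH", 1, 1)

# Constructed sample packets, not captured traffic. FLAGS 0x8180: QR=1,RD,RA; 0x0100: QR=0,RD
QUESTION = make_question("example.com")
SPOOFED_RESPONSE = DNS_HEADER.pack(0x1234, 0x8180, 1, 0, 0, 0) + QUESTION
PLAIN_QUERY = DNS_HEADER.pack(0x1234, 0x0100, 1, 0, 0, 0) + QUESTION
```

With the vulnerable handler the spoofed response bounces until the cap is hit; with the hardened handler it is dropped on arrival, and even a spoofed query produces exactly one reply before the other side drops it.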
Below is a diagram of the attack as simulated in the BreakingPoint Samba DNS Ping-Pong DDoS Test (ATI-2014-14).
Leverage Subscription Service to Stay Ahead of Attacks
The Ixia BreakingPoint Application and Threat Intelligence (ATI) program provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.