The soft chewy center of the Internet

Spoofing a UDP Packet

When spoofing a UDP packet, you need to know the IP addresses and ports in use, which is trivial with a DNS query because the IP addresses are known (the server making the query and the server answering it) and, because it is a DNS request, the destination port is always 53. This leaves only the source port to determine, and because many operating systems simply use a static port for outgoing connections or ports incremented by one for each outgoing request, it's relatively easy for an attacker to guess.

Transaction ID

In an attempt to address the packet-spoofing issue within the DNS protocol, a transaction ID was added. A simple 16-bit number – with 65,536 possibilities – that is sent in the request and that must be copied into the answering packet theoretically prevents an attacker from blindly spoofing the replies because it must now guess the transaction ID as well.

Unfortunately, creating really good random values is surprisingly tricky, and some implementations of Bind simply use transaction IDs that increment by 1 for each request, making them completely predictable. Now you're back to the place where an attacker can easily spoof a packet and insert hostile data into a DNS server.

How the Attack Works

So how do attackers exploit this issue? The first thing they do is find a vulnerable server and a domain that they want to control (e.g., Then they find a machine that is allowed to use the vulnerable server for DNS lookups.

Large ISPs – such as mine, which has two DNS servers for the city – are likely targets because compromising them gives the attackers access to thousands of clients, so compromising a single machine to launch the attack does not present a significant hurdle.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • ARP Spoofing

    Any user on a LAN can sniff and manipulate local traffic. ARP spoofing and poisoning techniques give an attacker an easy way in.

  • Hotspotter

    Security experts are always concerned with WLAN access points, but they sometimes forget that the client is also open to attack. Public hotspots make it quite easy for attackers to hijack connections, as the Hotspotter tool demonstrates.

  • DDoS Defense

    To ward off DDoS attacks, websites and services often seek the protection of Internet giants, such as Amazon, but you have other ways to protect your connectivity.

  • TCP Hijacking

    It is quite easy to take a TCP connection down using a RST attack, and this risk increases with applications that need long-term connections, such as VPNs, DNS zone transfers, and BGP. We’ll describe how a TCP attack can happen, and we’ll show you some simple techniques for protecting your network.

  • Backdoors

    Backdoors give attackers unrestricted access to a zombie system. If you plan to stop the bad guys from settling in, you’ll be interested in this analysis of the tools they might use for building a private entrance.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More