Link-local Multicast Name Resolution (LLMNR)
Author(s): D. Thaler, B. Aboba, L. Esibov
RFC 4795 LLMNR January 2007
5.2. Spoofing
LLMNR is designed to prevent reception of queries sent by an off-link
attacker. LLMNR requires that responders receiving UDP queries check
that they are sent to a link-scope multicast address. However, it is
possible that some routers may not properly implement link-scope
multicast, or that link-scope multicast addresses may leak into the
multicast routing system. To prevent successful setup of TCP
connections by an off-link sender, responders receiving a TCP SYN
reply with a TCP SYN-ACK with TTL set to one (1).
While it is difficult for an off-link attacker to send an LLMNR query
to a responder, it is possible for an off-link attacker to spoof a
response to a query (such as an A or AAAA query for a popular
Internet host), and by using a TTL or Hop Limit field larger than one
(1), for the forged response to reach the LLMNR sender. Since the
forged response will only be accepted if it contains a matching ID
field, choosing a pseudo-random ID field within queries provides some
protection against off-link responders.
When LLMNR is utilized as a secondary name resolution service,
queries can be sent when DNS server(s) do not respond. An attacker
can execute a denial of service attack on the DNS server(s), and then
poison the LLMNR cache by responding to an LLMNR query with incorrect
information. As noted in "Threat Analysis of the Domain Name System
(DNS)" [RFC3833], these threats also exist with DNS, since DNS-
response spoofing tools are available that can allow an attacker to
respond to a query more quickly than a distant DNS server. However,
while switched networks or link-layer security may make it difficult
for an on-link attacker to snoop unicast DNS queries, multicast LLMNR
queries are propagated to all hosts on the link, making it possible
for an on-link attacker to spoof LLMNR responses without having to
guess the value of the ID field in the query.
Since LLMNR queries are sent and responded to on the local link, an
attacker will need to respond more quickly to provide its own
response prior to arrival of the response from a legitimate
responder. If an LLMNR query is sent for an off-link host, spoofing
a response in a timely way is not difficult, since a legitimate
response will never be received.
This vulnerability can be reduced by limiting use of LLMNR to
resolution of single-label names as described in Section 3, or by
implementation of authentication (see Section 5.3).
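The following is an added example and is not part of RFC 4795 or of any LLMNR implementation. It is a minimal LLMNR query/response codec that makes the checks discussed in this section concrete: the responder's link-scope multicast check on UDP queries, the sender's pseudo-random ID and question match on responses, and the single-label restriction from Section 3. It also shows why the ID check helps only against off-link attackers: an on-link host that saw the multicast query simply echoes the observed ID. The multicast addresses and port come from RFC 4795 Section 2; all function names are this example's own, every packet is constructed in memory, nothing is sent on the wire, and name compression pointers are not handled.

```python
"""Added example (not RFC 4795 code): a minimal LLMNR codec illustrating Section 5.2."""
import ipaddress
import secrets
import struct

LLMNR_PORT = 5355                                   # RFC 4795 Section 2
LLMNR_MCAST_V4 = ipaddress.ip_address("224.0.0.252")
LLMNR_MCAST_V6 = ipaddress.ip_address("ff02::1:3")
QTYPE_A, QTYPE_AAAA, QCLASS_IN = 1, 28, 1
FLAG_QR = 0x8000                                    # "this is a response" bit in the flags word


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def decode_name(buf: bytes, off: int):
    """Return (name, offset_after_name). Compression pointers are rejected here."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:
            raise ValueError("compression pointers not supported in this example")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n


def build_query(name: str, qtype: int = QTYPE_A):
    """Sender side: a 16-bit pseudo-random ID, as Section 5.2 recommends."""
    qid = secrets.randbits(16)
    hdr = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)   # flags=0: QR=0, C=0, TC=0, T=0
    return qid, hdr + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_packet(pkt: bytes) -> dict:
    """Header plus the single question; raises on anything malformed."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    name, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"id": qid, "flags": flags, "name": name, "qtype": qtype,
            "qclass": qclass, "ancount": an}


def responder_accepts_udp_query(dst_addr: str) -> bool:
    """Responder check from Section 5.2: UDP queries must be addressed to link-scope multicast."""
    return ipaddress.ip_address(dst_addr) in (LLMNR_MCAST_V4, LLMNR_MCAST_V6)


def build_response(query_pkt: bytes, rdata_ipv4: str, override_id=None) -> bytes:
    """Answer an A query. A legitimate responder (and an on-link attacker who watched the
    multicast query) echoes the observed ID; override_id simulates an off-link attacker
    who never saw the query and has to guess it."""
    q = parse_packet(query_pkt)
    qid = q["id"] if override_id is None else override_id
    hdr = struct.pack("!HHHHHH", qid, FLAG_QR, 1, 1, 0, 0)
    question = encode_name(q["name"]) + struct.pack("!HH", q["qtype"], q["qclass"])
    answer = (encode_name(q["name"]) + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 30, 4)
              + ipaddress.IPv4Address(rdata_ipv4).packed)
    return hdr + question + answer


def sender_accepts_response(expected_id: int, name: str, qtype: int, resp: bytes) -> bool:
    """Sender check: ID must match the outstanding query and the question must be echoed."""
    try:
        r = parse_packet(resp)
    except (ValueError, IndexError, struct.error):
        return False
    return ((r["flags"] & FLAG_QR) != 0 and r["id"] == expected_id
            and r["name"].lower() == name.rstrip(".").lower() and r["qtype"] == qtype)


def is_single_label(name: str) -> bool:
    """Section 3 restriction suggested at the end of 5.2: resolve only dotless names."""
    n = name.rstrip(".")
    return bool(n) and "." not in n


def demo() -> dict:
    """Constructed scenario: a query for an off-link Internet host, then two forged answers."""
    name = "www.example.com"                 # constructed example name, never legitimately on-link
    qid, query = build_query(name)
    on_link_forgery = build_response(query, "10.0.0.66")                         # copied ID
    off_link_forgery = build_response(query, "10.0.0.66", (qid + 1) & 0xFFFF)    # wrong guess
    return {
        "on_link_forgery_accepted": sender_accepts_response(qid, name, QTYPE_A, on_link_forgery),
        "off_link_forgery_accepted": sender_accepts_response(qid, name, QTYPE_A, off_link_forgery),
        "would_be_queried_under_single_label_rule": is_single_label(name),
    }


if __name__ == "__main__":
    print(demo())
```

Run as a script, `demo()` reports that the on-link forgery is accepted (the attacker needed no guess, because the query was multicast to it along with everyone else on the link), that the off-link forgery is rejected, and that the single-label rule would have kept the sender from using LLMNR for that name at all. The TCP SYN-ACK rule has no codec analogue; on a real responder it is a socket setting (TTL or Hop Limit of 1 on the listening socket), which this example leaves out.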
Aboba, et al. Informational [Page 24]