Bugtraq mailing list archives
Re: CAIS-ALERT: Vulnerability in the sending requests control of BIND
From: Robert Tracz <rtracz () tele pw edu pl>
Date: Mon, 2 Dec 2002 14:02:01 +0100 (CET)
Hi Ivan,

Iván Arce wrote:

> > + /*
> > + * The 16 bit space is very small and brute force attempts are
> > + * entirly feasible, we skip a random number of transaction ids
> > + * so that an attacker will not get sequential ids.
> > + */
> >
> > Using only brute force, the attack is very difficult to apply. I tried this several times. I did several tests in my experiments. The probability of success is very low to implement the attack using only brute force.
>
> The probability of success is exactly: m-responses-sent/65535
>
> If I sent 65535 DNS responses with a different ID on each one, one of them will hit the right ID. The attack is basically the same. Either you send N spoofed requests or you send M spoofed responses. The network traffic generated is also the same and in both cases there is still a race to win against the real DNS.
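Review bot: the comment in this hunk justifies skipping a random number of transaction IDs as a defence against an attacker obtaining sequential IDs, but it does not address the point raised in this thread: the ID space stays 16 bits, so an attacker who keeps m spoofed requests outstanding and sends m spoofed responses still gets a birthday collision with probability near 40% at m = 256. The comment should state that the skip only defeats sequential guessing and not concurrent-query collisions, so readers do not mistake it for a fix. Also, "entirly" should read "entirely".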
As far as I understand the issue Vagner is right at this point. The birthday paradox comes into play: if you send m requests and m responses the probability of collision is:

  p = 1 - 65535*(65535-1)*(65535-2)*...*(65535-m+1)/65535^m

In practice, if you send m = 256 responses and requests you have already p = 39.2%, while if you would send 1 request and 511 responses (the same traffic burden) you would get only p = 0.77%. And sending m = 1024 requests and responses gives you probability of success p = 99.9%.

However I agree with you that it would be better to enhance the protocol.

Regards,
Robert
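The calculation in Robert's message, worked through as an added example that is not part of the original thread. The formula is the one he gives (a 65535-value ID space); the function names are my own, and the larger 2^32 space used in the last line is an assumption included only to illustrate what more unpredictable state per query buys a defender, which the thread itself only alludes to as "enhance the protocol".

```python
import math


def birthday_collision_probability(m: int, space: int = 65535) -> float:
    """Probability of at least one transaction-ID collision when an attacker
    has m spoofed requests outstanding and sends m spoofed responses, with IDs
    drawn uniformly from `space` values.  This is the formula from the mail:

        p = 1 - space*(space-1)*...*(space-m+1) / space^m

    The product is accumulated in log space so large m does not overflow.
    """
    if m <= 0:
        return 0.0
    if m > space:  # pigeonhole: more IDs in flight than the space holds
        return 1.0
    log_no_collision = 0.0
    for i in range(m):
        log_no_collision += math.log(space - i) - math.log(space)
    return 1.0 - math.exp(log_no_collision)


def single_query_probability(responses: int, space: int = 65535) -> float:
    """The non-birthday case from the mail: one real query outstanding, and the
    attacker guesses its ID with `responses` distinct spoofed responses."""
    return min(responses / space, 1.0)


def queries_for_probability(target: float, space: int = 65535) -> int:
    """Smallest m for which the birthday probability reaches `target`.
    A linear scan is fine here because m stays small relative to space."""
    m = 1
    while birthday_collision_probability(m, space) < target:
        m += 1
    return m


if __name__ == "__main__":
    for m in (256, 1024):
        print(f"m={m:5d} requests+responses:       p = {birthday_collision_probability(m):.3%}")
    print(f"1 request + 511 responses:       p = {single_query_probability(511):.2%}")
    print(f"m needed for 50% with 16-bit IDs: {queries_for_probability(0.5)}")
    # Assumed larger space (2**32), not from the thread: shows how quickly the
    # birthday probability collapses when each query carries more entropy.
    print(f"m=1024 with 2^32 IDs:            p = {birthday_collision_probability(1024, 2**32):.4%}")
```

Running it reproduces the figures in the message (about 39% at m = 256 versus under 1% for 511 responses against a single query, and over 99.9% at m = 1024), and shows that roughly 300 concurrent request/response pairs already give even odds against a bare 16-bit ID, which is the defender's argument for adding entropy rather than merely skipping IDs.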
Current thread:
- Re: CAIS-ALERT: Vulnerability in the sending requests control of BIND Robert Tracz (Dec 02)
- <Possible follow-ups>
- RE: CAIS-ALERT: Vulnerability in the sending requests control of BIND Vagner Sacramento (Dec 02)