Bugtraq mailing list archives
Re[2]: Windows DNS Cache Poisoning by Forwarder DNS Spoofing
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Wed, 18 Apr 2007 00:49:59 +0400
Dear Roger A. Grimes,

DNS spoofing attack in general cannot be 'patched', because this is a weakness of the DNS protocol itself. As for birthday attack applicability, this problem was discussed in 2002. In 2003 the problem still existed in both bind 8 and 9. According to CERT (US-CERT), as of 10/18/2004 bind was still vulnerable. As far as I remember, there never was a patch for bind to prevent this specific attack, yet it can be a part of some later bind release.

A possible mitigation against birthday attacks (not against spoofing in general) on the server software level is any of:

1. Do not reuse source port for DNS requests. Have every request issued from a different source port (resource consumption attack is possible).
2. Keep a table of issued requests and do not issue a request for the same name before the response for the previous one is received (cannot be implemented in scalable 'multiple processes' DNS server architecture).
3. Monitor if multiple replies are received for a single request.

I don't know if bind actually uses any.

Hope this helps.

--Tuesday, April 17, 2007, 8:48:04 PM, you wrote to shio () st rim or jp:

RAG> How does BIND stop this sort of attack?
RAG> Can a BIND expert respond?
RAG> Roger
RAG> *****************************************************************
RAG> *Roger A. Grimes, InfoWorld, Security Columnist
RAG> *CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
RAG> *email: roger_grimes () infoworld com or roger () banneretcs com
RAG> *Author of Professional Windows Desktop and Server Hardening (Wrox)
RAG> *http://www.amazon.com/gp/product/0764599909
RAG> *****************************************************************
RAG> -----Original Message-----
RAG> From: Makoto Shiotsuki [mailto:shio () st rim or jp]
RAG> Sent: Tuesday, April 17, 2007 12:31 PM
RAG> To: Roger A. Grimes
RAG> Cc: bugtraq () securityfocus com
RAG> Subject: Re: Windows DNS Cache Poisoning by Forwarder DNS Spoofing
RAG>
RAG> One question. Is BIND any better at preventing this type of attack?
RAG> As far as I know, this vulnerability is specific to the Windows DNS.
RAG> Makoto Shiotsuki

--
~/ZARAZA http://securityvulns.com/
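The three server-side mitigations listed in the message above, modelled as an added example that is not code from the thread or from any DNS server: a toy resolver bookkeeping table that picks a fresh random source port per query (1), coalesces queries for a name already in flight (2) and counts replies that match no pending query (3); `spoof_success_probability` is an assumed exponential approximation of the birthday bound over the 16-bit transaction ID, optionally widened by source-port entropy.

```python
"""Added example, not from the thread: resolver-side bookkeeping for the
birthday-attack mitigations discussed (transport is abstracted away)."""
import math
import secrets

ID_SPACE = 1 << 16   # 16-bit DNS transaction ID


def spoof_success_probability(outstanding: int, forged: int, port_bits: int = 0) -> float:
    """Approximate chance that at least one of `forged` blindly guessed replies
    matches one of `outstanding` concurrent queries for the same name.
    Assumed model: 1 - exp(-outstanding * forged / space), where `space` is
    the 16-bit ID space enlarged by `port_bits` bits of source-port entropy."""
    space = ID_SPACE << port_bits
    return 1.0 - math.exp(-outstanding * forged / space)


class OutstandingQueries:
    """Tracks in-flight queries per name (mitigation 2), assigns a random
    ephemeral source port to each (mitigation 1) and counts replies that
    match no pending query, alerting past a threshold (mitigation 3)."""

    def __init__(self, alert_threshold: int = 3):
        self.pending = {}         # name -> (txid, source_port)
        self.bad_replies = {}     # name -> count of non-matching replies
        self.alert_threshold = alert_threshold

    def issue(self, name: str):
        """Return (txid, port) for a new query, or None when a query for this
        name is already in flight (coalesce instead of re-asking)."""
        if name in self.pending:
            return None
        entry = (secrets.randbelow(ID_SPACE), 1024 + secrets.randbelow(64512))
        self.pending[name] = entry
        return entry

    def reply(self, name: str, txid: int, port: int) -> str:
        """Classify a reply as 'accepted', 'ignored', or 'alert' once the
        number of non-matching replies for this name reaches the threshold."""
        if self.pending.get(name) == (txid, port):
            del self.pending[name]
            self.bad_replies.pop(name, None)
            return "accepted"
        count = self.bad_replies.get(name, 0) + 1
        self.bad_replies[name] = count
        return "alert" if count >= self.alert_threshold else "ignored"
```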