Dailydave mailing list archives
Re: DNS Speculation
From: Petja van der Lek <lek () xs4all nl>
Date: Wed, 23 Jul 2008 03:15:58 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In an effort to move beyond the "guess the bug" stage a bit, and thinking more about detection and mitigation, I'm trying to gauge whether this vulnerability is Really Bad™ or Extremely Bad™. In particular, whether ye olde caching resolver will overwrite an RR already in the cache with the one received in the spoofed response's additional data (or whatever the exact method being used is).

If it does, then this would obviously be an Extremely Bad thing, since an attacker could just poison a resolver anytime, anyplace, anywhere. If it doesn't overwrite the cached entry, I presume we'd have to scratch the "anytime" from that list, and the attacker would have to wait until the entry expires. Assuming that domain names worth spoofing would be the more heavily trafficked ones -- and therefore likely to be present in a resolver's cache already -- this would leave a rather small window of opportunity every 24 hours or so (or whatever the TTL of the to-be-spoofed entry is set at).

RFC1035, section 7.4, is rather vague about all this:

"In a similar vein, when a resolver has a set of RRs for some name in a response, and wants to cache the RRs, it should check its cache for already existing RRs. Depending on the circumstances, either the data in the response or the cache is preferred, but the two should never be combined. If the data in the response is from authoritative data in the answer section, it is always preferred."

The "depending on the circumstances" doesn't exactly hit me with a clue-by-four. Does anyone care to shed some light?

Cheers,
Lek.

Dominique Brezinski wrote:
[SNIP]
| The problem is the ability to spoof the response from the
| authoritative server (cause TXID collision). Once you do that, you
| speak for the domain. DNS is already a very chatty protocol, so
| limiting the authoritative server to just being able to deliver the A
| or CNAME record that was queried and the names of the authoritative
| name servers would greatly increase the traffic volume. Yes it would
| complicate the attack, but it would not entirely stop it. And changing
| this behavior would effectively cause a DDoS against many of the name
| servers out there.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkiGhk4ACgkQN3p7TrVtLg1LAgCeIHaKsf0ZEuR/5+APDB8nR/8h
F/4AoIb/Q9RLfP8waXtksOaujt/QiZjm
=7uO8
-----END PGP SIGNATURE-----

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
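The cache-replacement question raised in the message above, illustrated with an added Python model that is not code from this thread nor from any real resolver. It applies two defensive rules a caching resolver can use when deciding whether a record from a response may enter or replace a cache entry: a bailiwick check on additional-section data, and the trust ranking from RFC 2181 section 5.4.1 (which refines the RFC 1035 section 7.4 wording quoted above), so that lower-trust additional data cannot displace a cached authoritative answer until that entry's TTL has expired. All names, addresses, TTLs and timestamps are constructed sample values, and the function names are this example's own.

```python
"""Toy model of a caching resolver's cache-insertion policy (added example).

Rules modelled:
  1. Bailiwick check: additional-section data is accepted only if the owner
     name lies under the zone the responding server was queried for.
  2. Trust ranking (subset of RFC 2181 section 5.4.1): data from a lower-trust
     section never replaces unexpired data the cache already holds from a
     higher-trust source.

Names, addresses and times below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Trust levels, highest first (subset of the RFC 2181 5.4.1 ranking).
TRUST_AUTH_ANSWER = 3      # answer section of an authoritative (AA=1) response
TRUST_NONAUTH_ANSWER = 2   # answer section of a non-authoritative response
TRUST_ADDITIONAL = 1       # additional section (glue and the like)


@dataclass
class CacheEntry:
    rdata: str
    trust: int
    expires_at: float   # absolute time in seconds


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` equals `zone` or is a subdomain of it (case-insensitive)."""
    owner = owner.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


class ResolverCache:
    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, str], CacheEntry] = {}

    def lookup(self, name: str, rtype: str, now: float) -> Optional[str]:
        """Return cached rdata, evicting the entry if its TTL has run out."""
        key = (name.lower(), rtype)
        entry = self._entries.get(key)
        if entry is None:
            return None
        if entry.expires_at <= now:
            del self._entries[key]   # expired: the name must be re-resolved
            return None
        return entry.rdata

    def offer(self, name: str, rtype: str, rdata: str, ttl: int,
              section: str, aa: bool, zone: str, now: float) -> str:
        """Offer one RR taken from a response; return why it was accepted or rejected."""
        key = (name.lower(), rtype)
        if section == "additional":
            if not in_bailiwick(name, zone):
                return "rejected: out of bailiwick"
            trust = TRUST_ADDITIONAL
        elif section == "answer":
            trust = TRUST_AUTH_ANSWER if aa else TRUST_NONAUTH_ANSWER
        else:
            return "rejected: unknown section"
        existing = self._entries.get(key)
        if (existing is not None and existing.expires_at > now
                and existing.trust > trust):
            return "rejected: cached data has higher trust"
        self._entries[key] = CacheEntry(rdata, trust, now + ttl)
        return "accepted"


def demo() -> list:
    """Walk through the scenario the message asks about; returns the outcomes."""
    cache = ResolverCache()
    results = []
    # t=0: the resolver learns www.example.com from an authoritative answer
    results.append(cache.offer("www.example.com", "A", "192.0.2.10", 86400,
                               "answer", True, "example.com", now=0))
    # a response for an unrelated zone carrying www.example.com as additional data
    results.append(cache.offer("www.example.com", "A", "203.0.113.5", 86400,
                               "additional", False, "unrelated.test", now=10))
    # in-bailiwick additional data still cannot displace the authoritative entry
    results.append(cache.offer("www.example.com", "A", "203.0.113.5", 86400,
                               "additional", False, "example.com", now=20))
    results.append(cache.lookup("www.example.com", "A", now=30))
    # once the TTL has run out the entry is gone, and additional data is accepted
    results.append(cache.lookup("www.example.com", "A", now=86401))
    results.append(cache.offer("www.example.com", "A", "203.0.113.5", 86400,
                               "additional", False, "example.com", now=86402))
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Run as a script, the walk-through shows the two halves of the question: while the authoritative entry is live, additional-section data is rejected both for being out of bailiwick and for ranking below the cached record, so the "anytime" case is closed by the ranking rule alone; after the TTL lapses the cache is empty for that name and the next acceptable record wins, which is exactly the per-TTL window described in the message. Real resolvers add further checks beyond this toy, but the trust ranking is the behaviour the RFC 1035 "depending on the circumstances" clause leaves open.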
Current thread:
- Re: DNS Speculation, (continued)
- Re: DNS Speculation Jon Oberheide (Jul 21)
- Re: DNS Speculation Petja van der Lek (Jul 21)
- Re: DNS Speculation natron (Jul 22)
- Re: DNS Speculation Parity (Jul 22)
- Re: DNS Speculation Tetrapodal Giant (Jul 22)
- Re: DNS Speculation Blue Boar (Jul 23)
- Re: DNS Speculation Alexander Sotirov (Jul 22)
- Re: DNS Speculation natron (Jul 22)
- Re: DNS Speculation Dominique Brezinski (Jul 22)
- Message not available
- Re: DNS Speculation Dominique Brezinski (Jul 22)
- Re: DNS Speculation Petja van der Lek (Jul 22)
- Re: DNS Speculation Tyler Krpata (Jul 23)
- Re: DNS Speculation Alexander Sotirov (Jul 22)
- Re: DNS Speculation ninjaboy (Jul 23)
- Re: DNS Speculation Cedric Blancher (Jul 24)
- Re: DNS Speculation marc_bevand (Jul 25)
- Re: DNS Speculation Bryan Burns (Jul 25)
- Message not available
- Re: DNS Speculation marc_bevand (Jul 28)