Dailydave mailing list archives

Re: DNS Speculation


From: Petja van der Lek <lek () xs4all nl>
Date: Wed, 23 Jul 2008 03:15:58 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In an effort to move beyond the "guess the bug" stage a bit, and
thinking more about detection and mitigation, I'm trying to gauge
whether this vulnerability is Really Bad™ or Extremely Bad™. In
particular, whether ye olde caching resolver will overwrite an RR
already in the cache with the one received in the spoofed response's
additional data (or whatever the exact method being used).

If it does, then this would obviously be an Extremely Bad thing, since
an attacker could just poison a resolver anytime, anyplace, anywhere. If
it doesn't overwrite the cached entry, I presume we'd have to scratch
the "anytime" from that list, and the attacker would have to wait until
the entry expires. Assuming that domain names worth spoofing would be
the more heavily trafficked ones -- and therefore likely to be present
in a resolver's cache already -- this would leave a rather small window
of opportunity every 24 hours or so (or whatever the TTL of the to-be
spoofed entry is set at).

RFC1035, section 7.4, is rather vague about all this:

"In a similar vein, when a resolver has a set of RRs for some name in a
response, and wants to cache the RRs, it should check its cache for
already existing RRs.  Depending on the circumstances, either the data
in the response or the cache is preferred, but the two should never be
combined.  If the data in the response is from authoritative data in the
answer section, it is always preferred."

The "depending on the circumstances" doesn't exactly hit me with a
clue-by-four. Does anyone care to shed some light?

Cheers,
Lek.

Dominique Brezinski wrote:
[SNIP]
| The problem is the ability to spoof the response from the
| authoritative server (cause TXID collision). Once you do that, you
| speak for the domain. DNS is already a very chatty protocol, so
| limiting the authoritative server to just being able to deliver the A
| or CNAME record that was queried and the names of the authoritative
| name servers would greatly increase the traffic volume. Yes it would
| complicate the attack, but it would not entirely stop it. And changing
| this behavior would effectively cause a DDoS against many of the name
| servers out there.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkiGhk4ACgkQN3p7TrVtLg1LAgCeIHaKsf0ZEuR/5+APDB8nR/8h
F/4AoIb/Q9RLfP8waXtksOaujt/QiZjm
=7uO8
-----END PGP SIGNATURE-----
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
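As an added illustration of the cache-update rule the post asks about (example code written for this archive page, not anything from the original thread or from any real resolver), the toy cache below ranks each record by where it came from, modelled on the trustworthiness ranking of RFC 2181 section 5.4.1: answer-section data from an authoritative reply outranks non-authoritative answer data, which outranks additional-section data. A cached record is only replaced by data of equal or higher rank, or once its TTL has run out. The `Cache`, `Response` and `scenario` names and every domain, address and TTL are constructed sample data.

```python
"""Toy model of the RFC 1035 section 7.4 "which copy wins" rule for a caching
resolver, using a credibility rank per record (after RFC 2181 section 5.4.1).
Names, addresses and responses are constructed for this example only."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional


class Rank(IntEnum):
    ADDITIONAL = 1    # record taken from the additional section
    ANSWER = 2        # answer section of a non-authoritative reply (AA=0)
    AUTH_ANSWER = 3   # answer section of an authoritative reply (AA=1)


@dataclass
class RR:
    name: str
    rdata: str
    ttl: int          # seconds


@dataclass
class CachedRR:
    rdata: str
    rank: Rank
    expires: float    # absolute time in seconds


@dataclass
class Response:
    aa: bool                  # authoritative-answer flag of the reply
    answer: List[RR]
    additional: List[RR]


class Cache:
    def __init__(self) -> None:
        self._rrs: Dict[str, CachedRR] = {}

    def lookup(self, name: str, now: float) -> Optional[str]:
        rr = self._rrs.get(name)
        if rr is None or rr.expires <= now:
            return None       # absent or expired
        return rr.rdata

    def _offer(self, rec: RR, rank: Rank, now: float) -> bool:
        """Store rec unless a live cached copy outranks it. Never merges sets."""
        old = self._rrs.get(rec.name)
        if old is not None and old.expires > now and rank < old.rank:
            return False
        self._rrs[rec.name] = CachedRR(rec.rdata, rank, now + rec.ttl)
        return True

    def ingest(self, resp: Response, now: float) -> List[str]:
        """Offer every record of a reply to the cache; return the names accepted."""
        accepted = []
        answer_rank = Rank.AUTH_ANSWER if resp.aa else Rank.ANSWER
        for rec in resp.answer:
            if self._offer(rec, answer_rank, now):
                accepted.append(rec.name)
        for rec in resp.additional:
            if self._offer(rec, Rank.ADDITIONAL, now):
                accepted.append(rec.name)
        return accepted


def scenario() -> Dict[str, object]:
    """Replay the situation described in the post with constructed data."""
    cache = Cache()
    # t=0: genuine authoritative answer for www.example.test, TTL one day
    cache.ingest(Response(aa=True,
                          answer=[RR("www.example.test", "192.0.2.10", 86400)],
                          additional=[]), now=0.0)
    # A reply to an unrelated query that carries a conflicting A record for
    # the already-cached name in its additional section (rank ADDITIONAL).
    conflicting = Response(aa=True,
                           answer=[RR("unrelated.example.test", "192.0.2.99", 60)],
                           additional=[RR("www.example.test", "203.0.113.66", 86400)])
    result: Dict[str, object] = {}
    result["accepted_during_ttl"] = cache.ingest(conflicting, now=5.0)
    result["lookup_during_ttl"] = cache.lookup("www.example.test", now=5.0)
    # Once the genuine record's TTL has elapsed, the same low-ranked data is
    # accepted: this is the window the post describes.
    result["lookup_after_expiry"] = cache.lookup("www.example.test", now=86401.0)
    cache.ingest(conflicting, now=86401.0)
    result["lookup_after_expiry_refill"] = cache.lookup("www.example.test", now=86401.0)
    # A fresh authoritative answer outranks the additional-section copy.
    cache.ingest(Response(aa=True,
                          answer=[RR("www.example.test", "192.0.2.10", 86400)],
                          additional=[]), now=86402.0)
    result["lookup_after_auth_refresh"] = cache.lookup("www.example.test", now=86402.0)
    return result


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Under this rule the conflicting additional-section record is rejected while the authoritative copy is live, which is the "scratch the anytime" case; it is accepted once the entry expires, which is the per-TTL window the post reasons about. Real resolvers narrow that window further by discarding additional-section data that lies outside the bailiwick of the server that sent it, a check this toy model deliberately leaves out so that the rank rule alone is visible.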
