Dailydave mailing list archives

DNS "leak"


From: Alexander Sotirov <alex () sotirov net>
Date: Thu, 24 Jul 2008 23:00:02 -0700

Why are people (including Dan) referring to the Matasano post as a leak? Halvar
got 95% of the attack right in his blog post. He figured out that:

1) sending an A record for ns.victim.com in the spoofed response will poison the cache
2) doing multiple queries for non-existent domains gives us an unlimited number of
   opportunities to spoof a response
3) using a different domain in each query avoids the problems with cached responses

The only mistake in his attack is that he's sending queries for xxx.com instead
of xxx.victim.com. It wouldn't have taken long for somebody who knows what 'in
bailiwick' means to realize that the fake ns.victim.com RR needs to be in a
response for a .victim.com domain and then they'll have the full attack figured
out.

When 95% of the vulnerability is public information and the remaining 5% is easy
to guess, you have to treat the bug as public. How can Matasano leak something
that's public?

Alex
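
The three points above, plus the bailiwick correction, as an added example (it is not code from this post, from Halvar's blog, or from any real resolver). It models a toy recursive cache that sends a 16-bit-TXID query only for names it has not already cached and accepts additional-section records only when they fall inside the bailiwick of the zone it asked. The zone asked is passed in explicitly as an assumption: queries for anything under victim.com go to victim.com's servers, and a query for xxx.com goes to xxx.com's servers. The attacker, the IP addresses, the r1.victim.com naming scheme and the 1024-guesses-per-query budget are all constructed for the example.

```python
"""
Toy model of the attack described in the post above (constructed example,
not a real resolver). ToyResolver caches answers, issues a query with a
random 16-bit TXID only for names not already resolved, and applies an
in-bailiwick check to every record before caching it. kaminsky_race() plays
the attacker: a fresh never-cached name under victim.com each round, and a
burst of spoofed responses with guessed TXIDs, each carrying a forged A
record for ns.victim.com.
"""
import random

VICTIM_ZONE = "victim.com"
TARGET_NS = "ns.victim.com"
EVIL_IP = "192.0.2.66"        # constructed attacker address (RFC 5737 test range)
DECOY_IP = "203.0.113.1"      # constructed answer for the throwaway name
TXID_SPACE = 1 << 16          # 16-bit transaction ID, the only thing guessed here


def in_bailiwick(name, zone):
    """Glue-acceptance rule: name must be the zone itself or lie below it."""
    return name == zone or name.endswith("." + zone)


class ToyResolver:
    def __init__(self, seed=0):
        self.cache = {}       # (name, "A") -> rdata
        self.resolved = set() # names that already have a cached result
        self.pending = {}     # qname -> (txid, zone whose servers were asked)
        self.rng = random.Random(seed)

    def lookup(self, qname, zone):
        """Send a query and return its TXID, or None when qname is already
        cached (no packet goes out, so there is nothing to race against)."""
        if qname in self.resolved:
            return None
        txid = self.rng.randrange(TXID_SPACE)
        self.pending[qname] = (txid, zone)
        return txid

    def receive(self, qname, txid, answer, additional):
        """Accept a response only if qname is outstanding and the TXID matches.
        A wrong TXID is dropped and the query stays pending for the next guess."""
        if self.pending.get(qname, (None, None))[0] != txid:
            return False
        _, zone = self.pending.pop(qname)
        self.resolved.add(qname)
        for name, rdata in answer + additional:
            if in_bailiwick(name, zone):   # assumption: same rule for both sections
                self.cache[(name, "A")] = rdata
        return True


def kaminsky_race(resolver, guesses_per_query=1024, max_queries=5000, seed=1):
    """Point 2 and 3 of the post: every round uses a new name under victim.com
    (never cached, so a query always goes out) and fires guesses_per_query
    spoofed responses with distinct TXIDs before the real answer lands.
    Returns the number of queries needed, or None if the budget ran out."""
    rng = random.Random(seed)
    forged = [(TARGET_NS, EVIL_IP)]
    for i in range(1, max_queries + 1):
        qname = "r%d.%s" % (i, VICTIM_ZONE)
        assert resolver.lookup(qname, VICTIM_ZONE) is not None
        for txid in rng.sample(range(TXID_SPACE), guesses_per_query):
            if resolver.receive(qname, txid, [(qname, DECOY_IP)], forged):
                return i
        # Lost this round: the legitimate answer arrives with the right TXID
        # and the throwaway name is now cached, hence a new name next round.
        resolver.receive(qname, resolver.pending[qname][0], [], [])
    return None


def bailiwick_demo():
    """Isolate Sotirov's correction: hand the attacker the correct TXID and
    vary only the query name. Returns (poisoned via abc.victim.com,
    poisoned via xxx.com)."""
    forged = [(TARGET_NS, EVIL_IP)]
    r1 = ToyResolver(seed=7)
    r1.receive("abc.victim.com", r1.lookup("abc.victim.com", VICTIM_ZONE), [], forged)
    r2 = ToyResolver(seed=7)
    r2.receive("xxx.com", r2.lookup("xxx.com", "xxx.com"), [], forged)
    return (r1.cache.get((TARGET_NS, "A")) == EVIL_IP,
            r2.cache.get((TARGET_NS, "A")) == EVIL_IP)


def repeat_query_demo():
    """Point 3: once a name is cached, asking for it again sends no query,
    so the same name cannot be raced twice. Returns the TXID of the second
    lookup, which is None."""
    r = ToyResolver()
    r.receive("abc.victim.com", r.lookup("abc.victim.com", VICTIM_ZONE), [], [])
    return r.lookup("abc.victim.com", VICTIM_ZONE)


def run_race(seed=2008):
    """Run the full race against a fresh resolver; returns (queries, cached IP)."""
    res = ToyResolver(seed=seed)
    return kaminsky_race(res), res.cache.get((TARGET_NS, "A"))


if __name__ == "__main__":
    print("poisoned via (abc.victim.com, xxx.com):", bailiwick_demo())
    print("TXID of a repeated query for a cached name:", repeat_query_demo())
    queries, ip = run_race()
    print("cache entry for %s after %s queries: %s" % (TARGET_NS, queries, ip))
```

The race succeeds quickly only because each round is a fresh name; the second demo shows why a single name gives at most one chance, and the first shows that the identical forged record is discarded when the query was for xxx.com rather than something under victim.com.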

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
