Dailydave mailing list archives
Re: DNS "leak"
From: Parity <pty.err () gmail com>
Date: Fri, 25 Jul 2008 14:20:56 -0400
When Halvar's post went up, it was unclear -- even to Halvar -- whether he had found a viable attack. Moreover, even after the bailiwick angle came to light, nobody except Dan & his trustees had any way of knowing whether Halvar had found the same attack, or a different one.

But even if Halvar had nailed the attack with 100% accuracy, Matasano was particularly obliged *not* to confirm or deny. Unlike the rest of the public, Matasano was bound by an agreement Thomas made with Dan. I appreciate that Matasano owned up to their mistake, but it *was* a mistake. Confirmation should have come from anywhere - Dan, you, me, even n3td3v ;) - except Matasano.

pty

On Fri, Jul 25, 2008 at 2:00 AM, Alexander Sotirov <alex () sotirov net> wrote:
> Why are people (including Dan) referring to the Matasano post as a leak? Halvar got 95% of the attack right in his blog post. He figured out that:
>
> 1) sending an A record for ns.victim.com in the spoofed response will poison the cache
> 2) doing multiple queries for non-existent domains gives us an unlimited number of opportunities to spoof a response
> 3) using a different domain in each query avoids the problems with cached responses
>
> The only mistake in his attack is that he's sending queries for xxx.com instead of xxx.victim.com. It wouldn't have taken long for somebody who knows what 'in bailiwick' means to realize that the fake ns.victim.com RR needs to be in a response for a .victim.com domain, and then they'll have the full attack figured out.
>
> When 95% of the vulnerability is public information and the remaining 5% is easy to guess, you have to treat the bug as public. How can Matasano leak something that's public?
>
> Alex
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
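The bailiwick point Alex makes above, as an added example that is not part of the thread: a toy resolver-side acceptance check in Python showing why a spoofed record for ns.victim.com is only cached when it arrives in a reply to a query the resolver sent into the victim.com zone, and why a reply with the wrong transaction ID is discarded outright. The `Query`, `RR`, `in_bailiwick` and `accept_response` names, and the assumption that the resolver records which zone each outstanding query was sent to, are mine, not from any real resolver.

```python
# Toy resolver-side response filtering (added example, not from the thread).
# Assumption: the resolver remembers, per outstanding query, the zone whose
# authoritative server it asked; that zone is the bailiwick for the reply.
from dataclasses import dataclass


@dataclass
class Query:
    txid: int    # 16-bit transaction ID the resolver chose
    qname: str   # name being looked up
    zone: str    # zone whose server the query was sent to (the bailiwick)


@dataclass
class RR:
    owner: str
    rtype: str
    rdata: str


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is zone itself or lies beneath it, label by label."""
    o = owner.lower().rstrip(".").split(".")
    z = zone.lower().rstrip(".").split(".")
    return len(o) >= len(z) and o[-len(z):] == z


def accept_response(query: Query, txid: int, qname: str, records: list[RR]) -> list[RR]:
    """Return the RRs a careful resolver would cache from this reply.
    A reply that does not match the outstanding query is dropped whole;
    otherwise only RRs whose owner is inside the bailiwick survive."""
    if txid != query.txid or qname.lower() != query.qname.lower():
        return []  # not the reply we are waiting for (wrong ID or question)
    return [rr for rr in records if in_bailiwick(rr.owner, query.zone)]


def demo() -> tuple[list[str], list[str]]:
    """Constructed reply to a query for a random name under victim.com."""
    q = Query(txid=0x1A2B, qname="random123.victim.com", zone="victim.com")
    reply = [
        RR("random123.victim.com", "A", "10.0.0.5"),     # answer
        RR("victim.com", "NS", "ns.victim.com"),          # authority
        RR("ns.victim.com", "A", "192.0.2.1"),            # in-bailiwick glue
        RR("ns.example.net", "A", "198.51.100.7"),        # out of bailiwick
    ]
    kept = accept_response(q, 0x1A2B, "random123.victim.com", reply)
    wrong_id = accept_response(q, 0x1A2C, "random123.victim.com", reply)
    return [rr.owner for rr in kept], [rr.owner for rr in wrong_id]
```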