Dailydave mailing list archives
Re: DNS Guess 2 for the day
From: "piggly wiggly" <pigglydwiggly () gmail com>
Date: Sun, 13 Jul 2008 20:09:57 -0700
From http://wari.mckay.com/~rm/dns_theroy.txt :
So I have a theory on what it is that Dan Kaminsky may have discovered that is broken with DNS (it was already _so_ broken, what else could be wrong?!). Basically it has to do with ICMP packets (spoofed ICMP unreachables sent in response to DNS packets the attacker can't see, but can guess, thanks to non-random port selection).

The biggest problem with spoofing DNS at the moment is that you need to silence the real nameservers in order to get your fake replies in.

For an ICMP response to be valid, it must contain the IP header of the packet it is a response to, but it also must contain 64 bits of the data payload. The reason for requiring 64 bits of the payload is to prevent people from spoofing ICMP replies to packets they have not received. In the case of a DNS packet, that payload is the first 64 bits of the UDP header. What is in the first 64 bits of the UDP header? The source and destination ports of the DNS servers. If these are easily predictable then you can spoof an ICMP unreachable response to a DNS query or reply without actually receiving it.

If you can spoof ICMP, you can prevent the recursor from communicating with the real nameserver. This will make it very very easy to spoof DNS as it removes the biggest hurdle: that of silencing the real nameservers. It only takes about 2 min on a 10 Mbit/s connection to run through all 65536 possible sequence numbers, so if you can prevent the recursor from talking to the real nameservers it really is easy as pie.
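The receiver-side check the quoted theory is aimed at, as an added example that is not from the original post or its author: it parses an ICMP Destination Unreachable message, pulls out the quoted IP header and the first 64 bits of the UDP header the post refers to, and accepts the error only if that 4-tuple matches a query actually in flight. All addresses, ports and packets below are constructed sample values, and the helper names are my own.

```python
import struct
from ipaddress import IPv4Address

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (returns 0 for a valid packet)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 17) -> bytes:
    # Minimal 20-byte IPv4 header (constructed sample, header checksum filled in)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def build_icmp_unreachable(quoted_ip_header: bytes, quoted_8: bytes, code: int = 3) -> bytes:
    # ICMP type 3 quotes the offending IP header plus the first 8 bytes (64 bits) of its payload
    body = struct.pack("!BBHI", 3, code, 0, 0) + quoted_ip_header + quoted_8[:8]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def parse_icmp_unreachable(pkt: bytes):
    """Return (code, inner_src, inner_dst, proto, src_port, dst_port), or None if malformed."""
    if len(pkt) < 8 + 20 + 8:
        return None
    icmp_type, code, _csum, _unused = struct.unpack("!BBHI", pkt[:8])
    if icmp_type != 3 or inet_checksum(pkt) != 0:
        return None
    inner = pkt[8:]
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or len(inner) < ihl + 8:
        return None
    src, dst = str(IPv4Address(inner[12:16])), str(IPv4Address(inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return code, src, dst, inner[9], sport, dport

def icmp_matches_outstanding(pkt: bytes, outstanding: set) -> bool:
    """Accept the error only if the quoted UDP 4-tuple belongs to a query we really sent.
    With a fixed or predictable source port this test is guessable, which is why
    source-port randomization (plus the 16-bit ID) is the mitigation."""
    parsed = parse_icmp_unreachable(pkt)
    if parsed is None:
        return False
    _code, src, dst, proto, sport, dport = parsed
    return proto == 17 and (src, sport, dst, dport) in outstanding

def example_packets():
    # Constructed: a recursor at 192.0.2.10 queried 198.51.100.1:53 from port 53000
    query = ("192.0.2.10", 53000, "198.51.100.1", 53)
    ip_hdr = build_ipv4_header(query[0], query[2], 48)
    genuine = build_icmp_unreachable(ip_hdr, struct.pack("!HHHH", 53000, 53, 48, 0))
    forged = build_icmp_unreachable(ip_hdr, struct.pack("!HHHH", 53001, 53, 48, 0))
    return genuine, forged, {query}
```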