Dailydave mailing list archives

Re: DNS Guess 2 for the day


From: Marc Heuse <mh () baseline-security de>
Date: Mon, 14 Jul 2008 14:57:45 +0200

Jon Oberheide wrote:
> On Sun, 2008-07-13 at 20:09 -0700, piggly wiggly wrote:
>> Basically it has to do with ICMP packets (spoofed ICMP unreachables sent
>> in response to DNS packets the attacker can't see, but can guess - thanks
>> to non-random port selection).
>
> Or ICMP redirect messages for that matter (although I'd hope most sane
> distributions are shipping with accept_redirects off by default
> nowadays).

most distributions ship with secure redirects enabled - which is not 
"secure" in a sensible way ;-)

> So the attacker would have to guess the 16-bit IP ID correctly to have
> his ICMP unreachable accepted which would be just as difficult as
> guessing the DNS TXID.  Stacks that still use incremental IP ID
> generation could be affected, however.

thankfully IP IDs were removed in IPv6 ...

Cheers,
Marc

-- 
Marc Heuse
Mobil: +49 177 9611560
Fax: +49 30 28097468
www.baseline-security.de

Baseline Security Consulting
Chausseestr. 15
10115 Berlin

Ust.-Ident.-Nr.: DE244222388
PGP: D069 301E B401 828C 4E72  0BEA D9C9 6088 36F2 A05E
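
Added example, not part of the original message: a shell audit that reports how each Linux interface treats ICMP redirects, for checking the accept_redirects and secure redirects settings discussed above. The function names and the optional ROOT argument are illustrative; the combination rules (including `shared_media` overriding `secure_redirects`) are taken from the kernel's ip-sysctl documentation.

```shell
#!/bin/sh
# Added example: classify how a Linux interface treats ICMP redirects.
# Combination rules follow the kernel's ip-sysctl documentation.

flag() {  # flag ROOT SCOPE NAME -> 1 if the sysctl is non-zero, else 0
    if [ -r "$1/$2/$3" ] && [ "$(cat "$1/$2/$3")" != "0" ]; then
        echo 1
    else
        echo 0
    fi
}

redirect_state() {  # redirect_state IFACE [ROOT] -> ignored | gateway-only | accepted
    iface=$1
    root=${2:-/proc/sys/net/ipv4/conf}
    acc_all=$(flag "$root" all accept_redirects)
    acc_if=$(flag "$root" "$iface" accept_redirects)
    # forwarding on: all AND iface must be set; forwarding off: all OR iface
    if [ "$(flag "$root" "$iface" forwarding)" = 1 ]; then
        accept=$(( acc_all & acc_if ))
    else
        accept=$(( acc_all | acc_if ))
    fi
    secure=$(( $(flag "$root" all secure_redirects) | $(flag "$root" "$iface" secure_redirects) ))
    shared=$(( $(flag "$root" all shared_media) | $(flag "$root" "$iface" shared_media) ))
    if [ "$accept" = 0 ]; then
        echo ignored
    elif [ "$secure" = 1 ] && [ "$shared" = 0 ]; then
        echo gateway-only   # redirect target must be a currently listed gateway
    else
        echo accepted       # secure_redirects is off or overridden by shared_media
    fi
}

audit_redirects() {  # audit_redirects [ROOT] -> one "iface state" line per interface
    root=${1:-/proc/sys/net/ipv4/conf}
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        case $name in all|default) continue ;; esac
        echo "$name $(redirect_state "$name" "$root")"
    done
}
```

Calling `audit_redirects` with no argument reads the live `/proc/sys/net/ipv4/conf` tree; pass a directory to run it against a saved copy.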