Dailydave mailing list archives
Re: DNS Guess 2 for the day
From: Marc Heuse <mh () baseline-security de>
Date: Mon, 14 Jul 2008 14:57:45 +0200
Jon Oberheide wrote:
On Sun, 2008-07-13 at 20:09 -0700, piggly wiggly wrote:
Basically it has to do with ICMP packets (spoofed ICMP unreachables sent in response to DNS packets the attacker can't see, but can guess - thanks to non-random port selection).
Or ICMP redirect messages for that matter (although I'd hope most sane distributions are shipping with accept_redirects off by default nowadays).
most distributions ship with secure redirects enabled - which is not "secure" in a sensible way ;-)
So the attacker would have to guess the 16-bit IP ID correctly to have his ICMP unreachable accepted which would be just as difficult as guessing the DNS TXID. Stacks that still use incremental IP ID generation could be affected, however.
thankfully IP IDs were removed in IPv6 ...

Cheers,
Marc

--
Marc Heuse
Mobil: +49 177 9611560
Fax: +49 30 28097468
www.baseline-security.de
Baseline Security Consulting
Chausseestr. 15
10115 Berlin
Ust.-Ident.-Nr.: DE244222388
PGP: D069 301E B401 828C 4E72 0BEA D9C9 6088 36F2 A05E
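The accept_redirects and secure_redirects remarks above can be checked on a Linux host with a short audit. This is an added example, not part of the original post: it assumes the per-interface sysctl files under /proc/sys/net/ipv4/conf and the combination rules from the kernel's ip-sysctl documentation, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report the effective ICMP redirect policy per interface.
# Assumption: Linux layout CONF_ROOT/<iface>/{accept_redirects,secure_redirects,forwarding}.

# read_flag DIR NAME -> prints the flag value, or 0 if the file is missing
read_flag() {
    if [ -r "$1/$2" ]; then cat "$1/$2"; else echo 0; fi
}

# redirect_policy CONF_ROOT IFACE -> prints ignored | listed-gateways | accepted
redirect_policy() {
    root=$1; ifc=$2
    all_acc=$(read_flag "$root/all" accept_redirects)
    if_acc=$(read_flag "$root/$ifc" accept_redirects)
    fwd=$(read_flag "$root/$ifc" forwarding)
    all_sec=$(read_flag "$root/all" secure_redirects)
    if_sec=$(read_flag "$root/$ifc" secure_redirects)

    # With forwarding on, both "all" and the interface must accept redirects;
    # with forwarding off, either one being set is enough.
    if [ "$fwd" = 1 ]; then
        acc=$(( all_acc && if_acc ))
    else
        acc=$(( all_acc || if_acc ))
    fi
    # secure_redirects applies if "all" or the interface sets it. It only limits
    # redirects to gateways already in the gateway list; it does not turn them off.
    sec=$(( all_sec || if_sec ))

    if [ "$acc" -eq 0 ]; then echo ignored
    elif [ "$sec" -eq 1 ]; then echo listed-gateways
    else echo accepted
    fi
}

# audit_redirects [CONF_ROOT] -> one "iface policy" line per interface
audit_redirects() {
    root=${1:-/proc/sys/net/ipv4/conf}
    for d in "$root"/*/; do
        ifc=$(basename "$d")
        case $ifc in all|default) continue ;; esac
        echo "$ifc $(redirect_policy "$root" "$ifc")"
    done
}
# Usage on a live host: audit_redirects
```

An interface reported as listed-gateways still processes redirects, which is the distinction the reply draws between secure_redirects and actually disabling accept_redirects.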