nanog mailing list archives
Re: Exploit for DNS Cache Poisoning - RELEASED
From: Kevin Day <toasty () dragondata com>
Date: Wed, 23 Jul 2008 18:06:54 -0500
On Jul 23, 2008, at 5:30 PM, Joe Greco wrote:
> Maybe I'm missing it, but this looks like a fairly standard DNS exploit. Keep asking questions and sending fake answers until one gets lucky. It certainly matches closely with my memory of discussions of the weaknesses in the DNS protocol from the '90's, with the primary difference being that now networks and hardware may be fast enough to make the flooding (significantly) more effective. I have to assume that one other standard minor enhancement has been omitted (or at least not explicitly mentioned), and will refrain from mentioning it for now.
>
> So, I have to assume that I'm missing some unusual aspect to this attack. I guess I'm getting older, and that's not too shocking. Anybody see it?
What's new is the method of how it is being exploited. Before, if you wanted to poison a cache for www.gmail.com, you got the victim name server to try to look up www.gmail.com and spoof-flooded the server, trying to beat the real reply by guessing the correct ID. If you failed, you might need to wait for the victim name server to expire the cache before trying again.

The new way is slightly more sneaky. You get the victim to try to resolve an otherwise invalid and uncached hostname like 00001.gmail.com, and try to beat the real response with spoofed replies. Except this time your reply comes with an additional record containing, for www.gmail.com, the IP you want to redirect it to. If you win the race and the victim accepts your spoof for 00001.gmail.com, it will also accept (and overwrite any cached value with) your additional record for www.gmail.com as well. If you don't win the race, you try again with 00002.gmail.com, and keep going until you finally win one. By making up uncached hostnames, you get as many tries as you want at winning the race. By tacking an additional record onto your response packet, you can poison the cache for anything the victim believes your name server should be authoritative for.

This means DNS cache poisoning is possible even on very busy servers where you normally wouldn't be able to predict when the cache was going to expire, and if you fail the first time you can keep trying again and again until you succeed, with no wait.
-- Kevin
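The two variants Kevin describes, as an added toy model (this is not code from the post or from any released exploit; it sends no packets). A hypothetical `ToyResolver` keeps a cache and accepts a reply only if its transaction ID and port match the outstanding query; the weakness is that additional records in an accepted reply are cached even when they overwrite an existing entry. The "race" is simulated by drawing the resolver's 16-bit ID from a seeded RNG and letting the attacker fire a burst of guesses before the real answer arrives. The `randomize_port` switch models the source-port randomization that was the deployed mitigation at the time; it is not discussed in the post and is included here to show why it matters. The IP addresses, the burst size and the race budget are constructed values.

```python
"""Toy model of old-style vs. random-subdomain DNS cache poisoning (illustrative only)."""
import random

TXID_SPACE = 1 << 16               # DNS transaction IDs are 16 bits
PORT_LOW, PORT_HIGH = 1024, 65536  # assumed ephemeral range for a randomized source port
FIXED_PORT = 53                    # assumed: a resolver that always queries from one port

TARGET = "www.gmail.com"           # name from the post
REAL_IP = "192.0.2.1"              # constructed (documentation range)
ATTACKER_IP = "198.51.100.1"       # constructed (documentation range)


class ToyResolver:
    """Hypothetical recursive resolver cache with the weakness the post describes."""

    def __init__(self, rng, randomize_port):
        self.rng = rng
        self.randomize_port = randomize_port
        self.cache = {}    # name -> IP
        self.pending = {}  # name -> (txid, port) of the outstanding upstream query

    def query(self, name):
        """Start an upstream lookup for `name`, or return None if it is already cached."""
        if name in self.cache:
            return None
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.randrange(PORT_LOW, PORT_HIGH) if self.randomize_port else FIXED_PORT
        self.pending[name] = (txid, port)
        return txid, port

    def receive(self, name, txid, port, ip, additional=()):
        """Accept a reply only if it matches the outstanding query's txid and port."""
        if self.pending.get(name) != (txid, port):
            return False  # wrong ID or port: silently dropped
        del self.pending[name]
        self.cache[name] = ip
        for extra_name, extra_ip in additional:  # the poisoning vector: overwrites blindly
            self.cache[extra_name] = extra_ip
        return True


def race(resolver, name, attacker_ip, real_ip, additional, guesses, rng):
    """One race: the attacker sends `guesses` spoofed replies, then the real answer lands."""
    if resolver.query(name) is None:
        return False  # cached: no query goes out, so there is nothing to race
    for _ in range(guesses):
        txid = rng.randrange(TXID_SPACE)
        port = rng.randrange(PORT_LOW, PORT_HIGH) if resolver.randomize_port else FIXED_PORT
        if resolver.receive(name, txid, port, attacker_ip, additional):
            return True
    real_txid, real_port = resolver.pending[name]  # the authoritative server knows both
    resolver.receive(name, real_txid, real_port, real_ip)
    return False


def old_style_attack(seed=1, guesses=200):
    """Race the target name directly; once any answer is cached, retry must wait for the TTL."""
    rng = random.Random(seed)
    resolver = ToyResolver(rng, randomize_port=False)
    won = race(resolver, TARGET, ATTACKER_IP, REAL_IP, [], guesses, rng)
    retry_possible = resolver.query(TARGET) is not None
    return won, retry_possible


def random_subdomain_attack(resolver, domain, target, attacker_ip, real_ip, guesses, max_races, rng):
    """Each race uses a fresh uncached name carrying `target` as an additional record.

    Returns the number of races needed, or None if the budget ran out."""
    for n in range(1, max_races + 1):
        name = f"{n:05d}.{domain}"
        if race(resolver, name, attacker_ip, real_ip, [(target, attacker_ip)], guesses, rng):
            return n
    return None


def demo(randomize_port, seed=1, guesses=200, max_races=5000):
    """Run the random-subdomain attack against a resolver that already caches the real answer."""
    rng = random.Random(seed)
    resolver = ToyResolver(rng, randomize_port)
    resolver.cache[TARGET] = REAL_IP  # busy resolver: the correct entry is already cached
    races = random_subdomain_attack(resolver, "gmail.com", TARGET, ATTACKER_IP, REAL_IP,
                                    guesses, max_races, rng)
    return races, resolver.cache[TARGET]


if __name__ == "__main__":
    won, retry = old_style_attack()
    print(f"old style: won={won}, can retry before TTL expiry={retry}")
    for flag in (False, True):
        races, ip = demo(randomize_port=flag)
        print(f"randomize_port={flag}: races={races}, {TARGET} -> {ip}")
```

With a fixed source port the attacker has only the 16-bit ID to guess, and a burst of 200 spoofs per race wins after a few hundred races on average; with a randomized port the same budget of 5000 races almost never wins, which is why adding port entropy, not just the ID, was the practical fix. Note that in-bailiwick checks do not help here: www.gmail.com is legitimately within gmail.com, so the forged additional record passes that test.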