Bugtraq mailing list archives
Re: Thoughts about DNS...
From: vermont () GATE NET (Illuminati Primus)
Date: Sun, 27 Apr 1997 04:35:36 -0400
On Sun, 27 Apr 1997, Thomas H. Ptacek wrote:
> You can't guarantee that every nameserver in the world will support TCP.

It's more dependable than trying to depend on some type of cookie hidden in areas that aren't guaranteed to come back unmangled.

> [ re: the possibility of manipulating servers into caching NXDOMAIN as a result of forgery protection ]

>> Servers shouldn't cache this unless they're broken. And if they're broken in this regard, then they most likely also have predictable IDs and all the other fun stuff that goes along with old software.

>> Well since we are dealing with these problems right now, we can be intelligent and not cache a host/IP as broken when we receive spoofed

> Ok, just bringing it up. However, we've still prevented a legitimate query from resolving, so the only choices we have are to play dead or to incorrectly return an NXDOMAIN (right?).
Well, if the TCP connection also fails, we can return failure and try again later.. So each lookup request that the attacker generates will give him one try at guessing the ID number.. And each time, his plans might get foiled by a successful connection to the real name servers, or a living sysadmin noticing all of the logs spewing out.. Again, the best protection would be cryptography.

> That doesn't work. This is a blind attack; I can make the queries come from any address in the world I want them to come from. I don't think anything that relies on router configuration is a solution - do you?

You can probably configure what addresses you'll accept recursive queries from in the BIND config also.. I'll check it out.

> [ re: TCP vs Cookie Response ]

>> I think connecting to the servers via TCP would be the better solution, since it is a capability built into almost every DNS server in existence.

> Responding NXDOMAIN to a query is a capability built into every DNS server in existence. TCP DNS is not. It's an excellent idea, though!
TCP-ready BIND servers are probably 99% of the internet. However, if you find that cookies work more reliably, then that would be the superior solution. It certainly has more room for strange failures though.

> If it doesn't, I can continue trying this attack indefinitely until I win.

The same with the cookies, except over a larger range of ID space. Also: what do you do if a server doesn't return your cookies? Return a failure? Ignore it?

>> it would be that quick and easy. This is really a serious problem that should be addressed.

> Agreed. I think the combination of D.O.S. with the ID prediction attack is the most significant issue here.

Well, with the method I am proposing, a DOS attack will only be possible if port 53 is unavailable on the authoritative nameservers for the domain that is being blocked. So the problem no longer lies in your nameserver, it is now a problem of the site being blocked for whatever reason, and would have to be fixed on that end. What else can be done on our end?

-vermont () gate net
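The resolver behaviour argued over in this message, as an added illustration that is not part of the thread and not BIND's code: a toy recursive resolver that picks a random 16-bit ID, drops any UDP datagram whose ID does not match its outstanding query and then confirms that lookup over TCP instead of trusting further UDP answers, so each query yields an attacker at most one guess; if TCP is also unavailable it returns SERVFAIL and caches nothing rather than synthesising NXDOMAIN; and it refuses recursion for clients outside a configured set of networks. The `FakeUdp`/`FakeTcp` transports, the zone data, the `strays` count and the client list are all constructed for the example; nothing touches the network.

```python
import ipaddress
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

NOERROR, NXDOMAIN, SERVFAIL, REFUSED = "NOERROR", "NXDOMAIN", "SERVFAIL", "REFUSED"
ID_SPACE = 1 << 16  # the DNS header ID is a 16-bit field (RFC 1035)


@dataclass
class Answer:
    txid: int
    rcode: str
    rdata: Optional[str] = None


def _authoritative(zone: Dict[str, str], txid: int, name: str) -> Answer:
    """What the genuine authoritative server says for `name` (constructed zone data)."""
    if name in zone:
        return Answer(txid, NOERROR, zone[name])
    return Answer(txid, NXDOMAIN)


class FakeUdp:
    """Simulated UDP path (constructed).  `strays` datagrams whose ID does not
    match the query arrive before the genuine answer; they stand in for
    misdirected or forged packets, which a resolver cannot tell apart."""

    def __init__(self, zone: Dict[str, str], strays: int = 0):
        self.zone, self.strays = zone, strays

    def query(self, txid: int, name: str) -> List[Answer]:
        wrong = [Answer((txid + i + 1) % ID_SPACE, NOERROR, "203.0.113.9")
                 for i in range(self.strays)]
        return wrong + [_authoritative(self.zone, txid, name)]


class FakeTcp:
    """Simulated TCP path (constructed): answers from the zone, or refuses."""

    def __init__(self, zone: Dict[str, str], reachable: bool = True):
        self.zone, self.reachable = zone, reachable

    def query(self, txid: int, name: str) -> Answer:
        if not self.reachable:
            raise ConnectionRefusedError("port 53/tcp unavailable")
        return _authoritative(self.zone, txid, name)


class Resolver:
    def __init__(self, udp: FakeUdp, tcp: FakeTcp, clients: List[str],
                 rng: Optional[random.Random] = None):
        self.udp, self.tcp = udp, tcp
        # Only these networks may ask us to recurse (the BIND-style restriction
        # mentioned in the thread); everyone else gets REFUSED.
        self.clients = [ipaddress.ip_network(c) for c in clients]
        self.rng = rng or random.SystemRandom()
        self.cache: Dict[str, Answer] = {}
        self.tcp_queries = 0
        self.log: List[str] = []

    def resolve(self, name: str, client: str) -> Tuple[str, Optional[str]]:
        if not any(ipaddress.ip_address(client) in net for net in self.clients):
            return REFUSED, None
        if name in self.cache:
            return self.cache[name].rcode, self.cache[name].rdata
        txid = self.rng.randrange(ID_SPACE)
        for dg in self.udp.query(txid, name):
            if dg.txid == txid:
                # Residual risk the thread discusses: a forged datagram that guessed
                # the ID before the real answer arrived would be accepted here.
                return self._accept(name, dg)
            # Wrong ID for an outstanding query: someone may be guessing IDs.
            # Stop trusting UDP for this lookup, so each query yields one guess.
            self.log.append(f"{name}: dropped datagram id {dg.txid:#06x} "
                            f"(expected {txid:#06x}); confirming over TCP")
            break
        try:
            self.tcp_queries += 1
            confirmed = self.tcp.query(txid, name)
        except OSError as exc:
            # TCP unavailable: temporary failure, nothing cached, the client retries
            # later.  Never synthesise NXDOMAIN from an unconfirmed lookup.
            self.log.append(f"{name}: TCP confirmation failed ({exc}); SERVFAIL")
            return SERVFAIL, None
        return self._accept(name, confirmed)

    def _accept(self, name: str, a: Answer) -> Tuple[str, Optional[str]]:
        self.cache[name] = a
        return a.rcode, a.rdata
```

The model makes the trade-off in the message visible: with TCP reachable, a stray datagram costs one extra TCP round trip and a log line; with TCP unreachable, the lookup fails temporarily (and can be retried) instead of poisoning the cache with a negative answer, which is exactly why vermont's proposal moves the denial-of-service exposure onto the authoritative side's port 53.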