Dailydave mailing list archives

Re: DNS Speculation


From: "Dominique Brezinski" <dominique.brezinski () gmail com>
Date: Tue, 22 Jul 2008 09:51:17 -0700

On Tue, Jul 22, 2008 at 2:42 AM, Alexander Sotirov <alex () sotirov net> wrote:
Spoofing an A record:

Right before step 7, the attacker sends a spoofed response from ns.google.com
that includes an A record for www.google.com and points it to 1.2.3.4 (which is
an attacker controlled name server). If the attacker does not win the race,
they just try again with 1235.google.com and so on.

When ns.isp.com receives the spoofed response, it puts the A record for
www.google.com in its cache and from now on google is at 1.2.3.4.

Why would this work? ns.isp.com did not ask for www.google.com, it asked only
for 1234.google.com. Why would ns.isp.com cache that unsolicited A record? Is
there some obscure DNS feature that requires this behavior?

Not quite it. The attack is actually to send the spoof response that
is an A record for 1234.google.com, which also includes an additional
RR field with an attacker controlled IP for ns.google.com, effectively
poisoning the cache for google's name server.

Also the subtle aspect of the attack is what TXID is chosen for the
spoofed response.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
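The disagreement above is about what a caching resolver will keep from a response. The following is an added example, not code from either poster or from any resolver: a toy resolver-side acceptance routine written from the defender's side, using only the standard library. It builds constructed wire-format responses for the three situations the thread describes (an unsolicited answer for www.google.com, an in-bailiwick additional A record for ns.google.com, and a response with the wrong TXID) and shows which records a TXID check, a question match and a bailiwick check would let into the cache. The function names, the 0x1234 TXID, the zone name google.com and the addresses 10.0.0.1 and 1.2.3.4 are this example's own assumptions (1.2.3.4 is the thread's); nothing here is a real resolver's API.

```python
"""Resolver-side acceptance checks for a DNS response (added example, constructed data)."""
import struct

A, NS, IN = 1, 2, 1  # RR types / class used here


def encode_name(name):
    """Encode 'a.b.c' as uncompressed DNS labels."""
    name = name.rstrip(".")
    if not name:
        return b"\x00"
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def decode_name(msg, off):
    """Decode labels at msg[off:], following compression pointers (RFC 1035 4.1.4)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer: jump, but report the offset just past the pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels).lower(), (off if end is None else end)


def build_response(txid, qname, answers, additionals):
    """Constructed response; each RR is (owner, rtype, dotted_ipv4_or_target_name)."""
    hdr = struct.pack("!HHHHHH", txid, 0x8400, 1, len(answers), 0, len(additionals))
    body = encode_name(qname) + struct.pack("!HH", A, IN)
    for owner, rtype, rdata in answers + additionals:
        data = bytes(int(x) for x in rdata.split(".")) if rtype == A else encode_name(rdata)
        body += encode_name(owner) + struct.pack("!HHIH", rtype, IN, 3600, len(data)) + data
    return hdr + body


def parse_response(msg):
    """Parse header, question and the three RR sections into (owner, rtype, value) tuples."""
    txid, _flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4  # skip QTYPE, QCLASS
    out = {"txid": txid, "qname": qname, "answer": [], "authority": [], "additional": []}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == A:
                value = ".".join(str(b) for b in msg[off:off + rdlen])
            elif rtype == NS:
                value, _ = decode_name(msg, off)
            else:
                value = msg[off:off + rdlen].hex()
            off += rdlen
            out[sec].append((owner, rtype, value))
    return out


def in_bailiwick(name, zone):
    """True if name is zone itself or lies below it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def evaluate_response(expected_txid, expected_qname, zone, msg):
    """Decide what the cache may keep. zone = the zone whose servers we sent the query to.
    Returns (matched_outstanding_query, cacheable_rrs, reason)."""
    r = parse_response(msg)
    if r["txid"] != expected_txid:
        return False, [], "TXID mismatch: dropped (one lost race for the spoofer)"
    if r["qname"] != expected_qname.lower().rstrip("."):
        return False, [], "question does not match the outstanding query: dropped"
    cacheable, dropped = [], 0
    for sec in ("answer", "authority", "additional"):
        for rr in r[sec]:
            # Toy rule: an answer-section RR must be for the name asked (no CNAME chasing here).
            if sec == "answer" and rr[0] != r["qname"]:
                dropped += 1
            elif in_bailiwick(rr[0], zone):
                cacheable.append(rr)
            else:
                dropped += 1
    return True, cacheable, f"accepted; {dropped} unrelated or out-of-bailiwick RR(s) discarded"


def scenarios():
    """The thread's cases. Outstanding query: TXID 0x1234 (assumed), 1234.google.com A, sent to google.com's servers."""
    txid, q, zone = 0x1234, "1234.google.com", "google.com"
    msgs = {
        # Sotirov's reading: an answer for www.google.com that nobody asked for
        "unsolicited_answer": build_response(txid, q, [("www.google.com", A, "1.2.3.4")], []),
        # Brezinski's reading: answer for the asked name plus an additional A for ns.google.com
        "in_bailiwick_glue": build_response(txid, q, [(q, A, "10.0.0.1")], [("ns.google.com", A, "1.2.3.4")]),
        # Same shape, but the additional record names a server outside google.com
        "out_of_bailiwick": build_response(txid, q, [(q, A, "10.0.0.1")], [("ns.isp.com", A, "1.2.3.4")]),
        # Wrong TXID: nothing else in the message is even looked at
        "txid_mismatch": build_response(0x4321, q, [(q, A, "10.0.0.1")], [("ns.google.com", A, "1.2.3.4")]),
    }
    return {k: evaluate_response(txid, q, zone, m) for k, m in msgs.items()}


if __name__ == "__main__":
    for name, (matched, rrs, why) in scenarios().items():
        print(f"{name:20} matched={matched} cacheable={rrs} ({why})")
```

Running it shows the point of the reply: the unsolicited www.google.com answer is discarded and the ns.isp.com glue fails the bailiwick test, but the ns.google.com additional record passes every structural check a resolver can make, because it is exactly where legitimate glue for google.com's name servers belongs. Once that record is in the cache, later lookups under google.com go to whatever address it carries. The only thing standing between the spoofer and the cache in that case is the 16-bit TXID, which is why the fix rolled out in 2008 was to randomize the UDP source port as well, and why DNSSEC validation is the durable answer.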

