Dailydave mailing list archives

Re: DNS Speculation


From: "Tyler Krpata" <krpatasec () gmail com>
Date: Wed, 23 Jul 2008 11:08:58 -0400

On Tue, Jul 22, 2008 at 9:15 PM, Petja van der Lek <lek () xs4all nl> wrote:

If it does, then this would obviously be an Extremely Bad thing, since
an attacker could just poison a resolver anytime, anyplace, anywhere. If
it doesn't overwrite the cached entry, I presume we'd have to scratch
the "anytime" from that list, and the attacker would have to wait until
the entry expires. Assuming that domain names worth spoofing would be
the more heavily trafficked ones -- and therefore likely to be present
in a resolver's cache already -- this would leave a rather small window
of opportunity every 24 hours or so (or whatever the TTL of the to-be
spoofed entry is set at).


More to the point, if my math is right (and it may not be), if the
spoofed glue record DOES overwrite the entry in cache, then source
port randomization doesn't actually fix the problem. It just changes
the time scale for success from seconds to potentially days. I haven't
found a definitive answer on this yet either. Hopefully I will get
some time to test it soon.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
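A small model of the timescale argument in the reply above, added here as an example and not part of the original thread: it estimates the expected time to a first accepted forgery for a 16-bit (TXID only) versus roughly 32-bit (TXID plus random source port) guess space, in the two cache behaviours the message distinguishes (forged glue overwrites the cached entry, or the attacker must wait for the TTL). The per-window forgery count, the query trigger rate and the 24-hour TTL are constructed assumptions; the interesting output is the ratio between the rows, not the absolute numbers.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PoisonModel:
    """Inputs of a blind-spoofing estimate against a caching resolver.
    Every number fed into this class is a constructed assumption."""
    entropy_bits: int        # bits an off-path sender must guess: TXID alone, or TXID + source port
    forged_per_window: int   # forged replies that land before the genuine reply does
    attempts_per_sec: float  # queries that can be triggered per second
    ttl_seconds: float       # TTL of the record being targeted


def expected_attempts(m: PoisonModel) -> float:
    """Mean number of triggered queries before one forged reply is accepted.
    With k distinct guesses per query out of 2^bits, each query succeeds with
    probability k / 2^bits, so the expectation (geometric) is 2^bits / k."""
    space = 2 ** m.entropy_bits
    return max(1.0, space / m.forged_per_window)


def expected_seconds(m: PoisonModel, cache_overwrite: bool) -> float:
    """Mean time to first success, in seconds.
    cache_overwrite=True : a forged glue record replaces the cached entry, so
                           retries run as fast as queries can be triggered.
    cache_overwrite=False: the genuine cached answer blocks retries until it
                           expires, so every attempt costs one full TTL."""
    n = expected_attempts(m)
    if cache_overwrite:
        return n / m.attempts_per_sec
    return n * m.ttl_seconds


def timescale_table(forged_per_window=100, attempts_per_sec=100.0, ttl_seconds=86400.0):
    """Compare TXID-only (16 bits) with TXID + random port (~32 bits) under both
    cache behaviours; values are in days. Rates are constructed assumptions."""
    rows = {}
    for label, bits in (("txid_only", 16), ("txid_plus_port", 32)):
        m = PoisonModel(bits, forged_per_window, attempts_per_sec, ttl_seconds)
        rows[label] = {
            "overwrite_days": expected_seconds(m, True) / 86400,
            "wait_for_ttl_days": expected_seconds(m, False) / 86400,
        }
    return rows


if __name__ == "__main__":
    for label, row in timescale_table().items():
        print(f"{label:15s} overwrite: {row['overwrite_days']:10.4f} d   "
              f"ttl-gated: {row['wait_for_ttl_days']:12.1f} d")
```

With these assumptions the overwrite case moves from about 6.5 seconds to about 5 days, a factor of 2^16, which is the "seconds to days" shift the message describes: randomizing the port multiplies the cost rather than removing the exposure.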
