Dailydave mailing list archives

Re: DNS Guess 2 for the day


From: Jon Oberheide <jon () oberheide org>
Date: Mon, 14 Jul 2008 05:06:40 -0400

On Sun, 2008-07-13 at 20:09 -0700, piggly wiggly wrote:
> Basically it has to do with ICMP packets (spoofed ICMP unreachables sent
> in response to DNS packets the attacker can't see, but can guess - thanks
> to non-random port selection).
> 
> Or ICMP redirect messages for that matter (although I'd hope most sane
> distributions are shipping with accept_redirects off by default
> nowadays).
> 
> The biggest problem with spoofing DNS at the moment is that you need
> to silence the real nameservers in order to get your fake replies in.
> 
> For an ICMP response to be valid, it must contain the IP header of the
> packet it is a response to, but it also must contain 64 bits of the data
> payload. The reason for requiring 64 bits of the payload is to prevent
> people from spoofing ICMP replies to packets they have not received. In
> the case of a DNS packet, that payload is the first 64 bits of the UDP
> header.
> 
> What is in the first 64 bits of the UDP header? The source and destination
> ports of the DNS servers. If these are easily predictable then you can
> spoof an ICMP unreachable response to a DNS query or reply without
> actually receiving it.

The first 8 bytes of the UDP header may be predictable but you're
forgetting the IP header that must be included in the ICMP response
message as well. The IP header of course contains the 16-bit IP ID
field which is randomly generated on many platforms.

So the attacker would have to guess the 16-bit IP ID correctly to have
his ICMP unreachable accepted, which would be just as difficult as
guessing the DNS TXID. Stacks that still use incremental IP ID
generation could be affected, however.

Regards,
Jon Oberheide

-- 
Jon Oberheide <jon () oberheide org>
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6  F184 5842 1C89 F47C 17FE
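As an added illustration, not part of this thread or of any real stack's code, here is the receiver-side matching that the exchange above turns on, in Python: an ICMP unreachable quotes the original IP header plus the first 64 bits of payload (the whole UDP header), and the stack accepts it only if those quoted fields describe a datagram it actually sent. It goes one step beyond the thread by running the same message through the check both with and without the IP ID comparison. The addresses, ports and IP ID values are constructed samples; Flow, quoted_original and matching_flow are hypothetical names.

```python
import socket
import struct
from typing import NamedTuple, Optional

class Flow(NamedTuple):
    """One outstanding UDP datagram as the sending stack remembers it."""
    src: str
    dst: str
    sport: int
    dport: int
    ip_id: int

def quoted_original(flow: Flow) -> bytes:
    """What an ICMP error must quote: the full IP header plus the first
    64 bits of payload, which for UDP is the whole 8-byte UDP header."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, flow.ip_id, 0, 64, 17, 0,
                         socket.inet_aton(flow.src), socket.inet_aton(flow.dst))
    udp_hdr = struct.pack("!HHHH", flow.sport, flow.dport, 20, 0)
    return ip_hdr + udp_hdr

def icmp_unreachable(quoted: bytes) -> bytes:
    """ICMP type 3 (destination unreachable), code 3 (port unreachable)."""
    return struct.pack("!BBHI", 3, 3, 0, 0) + quoted

def matching_flow(icmp: bytes, flows, check_ip_id: bool) -> Optional[Flow]:
    """Receiver-side check: parse the quoted headers and look for an
    outstanding datagram they describe. None means the error is dropped."""
    if len(icmp) < 8 + 20 + 8 or icmp[0] != 3:
        return None
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or len(inner) < ihl + 4:
        return None
    ip_id, proto = struct.unpack("!H", inner[4:6])[0], inner[9]
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    for f in flows:
        if (proto, src, dst, sport, dport) != (17, f.src, f.dst, f.sport, f.dport):
            continue
        if check_ip_id and ip_id != f.ip_id:
            continue  # ports match but quoted IP ID does not: random-ID stacks reject
        return f
    return None

# Constructed sample: one in-flight query with a predictable source port and a
# randomly chosen IP ID, plus a message quoting the right ports but a wrong ID.
QUERY = Flow("192.0.2.10", "198.51.100.53", 32768, 53, ip_id=0xBEEF)
GUESSED = icmp_unreachable(quoted_original(QUERY._replace(ip_id=0x0001)))
GENUINE = icmp_unreachable(quoted_original(QUERY))
```

With check_ip_id=False the GUESSED message is accepted on the strength of the predictable ports alone; with the comparison enabled the same message is rejected, which is the extra 16 bits of guesswork the reply above describes.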


