Dailydave mailing list archives
Re: DNS Guess 2 for the day
From: Jon Oberheide <jon () oberheide org>
Date: Mon, 14 Jul 2008 05:06:40 -0400
On Sun, 2008-07-13 at 20:09 -0700, piggly wiggly wrote:
> Basically it has to do with ICMP packets (spoofed ICMP unreachables sent in response to DNS packets the attacker can't see, but can guess - thanks to non-random port selection).
> Or ICMP redirect messages for that matter (although I'd hope most sane distributions are shipping with accept_redirects off by default nowadays).
> The biggest problem with spoofing DNS at the moment is that you need to silence the real nameservers in order to get your fake replies in. For an ICMP response to be valid, it must contain the IP header of the packet it is a response to, but it also must contain 64 bits of the data payload. The reason for requiring 64 bits of the payload is to prevent people from spoofing ICMP replies to packets they have not received. In the case of a DNS packet, that payload is the first 64 bits of the UDP header. What is in the first 64 bits of the UDP header? The source and destination ports of the DNS servers. If these are easily predictable then you can spoof an ICMP unreachable response to a DNS query or reply without actually receiving it.
The first 8 bytes of the UDP header may be predictable, but you're forgetting the IP header that must be included in the ICMP response message as well. The IP header of course contains the 16-bit IP ID field, which is randomly generated on many platforms. So the attacker would have to guess the 16-bit IP ID correctly to have his ICMP unreachable accepted, which would be just as difficult as guessing the DNS TXID. Stacks that still use incremental IP ID generation could be affected, however.

Regards,
Jon Oberheide

--
Jon Oberheide <jon () oberheide org>
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6 F184 5842 1C89 F47C 17FE
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
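The check discussed in this exchange, as an added example written for this archive page (it is not code from any participant in the thread): the block builds the IPv4 and UDP headers of a resolver's outgoing query, wraps them in an ICMP Port Unreachable the way RFC 792 requires (the original IP header plus the first 8 bytes of the datagram, i.e. the UDP source and destination ports), and then models two receiving stacks: one that delivers the error after matching only the quoted 4-tuple, and one that additionally compares the quoted IP ID against the datagram it actually sent. The addresses, the fixed source port 32768, the IP ID value, the 40-byte query size and the rule "this stack verifies the quoted IP ID" are all constructed assumptions; which fields a particular OS checks before delivering an ICMP error to a socket is stack-specific and not established by the thread.

```python
import ipaddress
import struct

PROTO_UDP = 17
ICMP_DEST_UNREACH = 3
ICMP_CODE_PORT_UNREACH = 3


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum. Run over a message whose checksum
    field is already correct, it returns 0, which is how we verify."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, ip_id: int, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ip_id, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_udp_header(sport: int, dport: int, payload_len: int) -> bytes:
    """8-byte UDP header; checksum left 0 (optional over IPv4)."""
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def build_icmp_unreachable(quoted_ip_hdr: bytes, quoted_l4: bytes,
                           code: int = ICMP_CODE_PORT_UNREACH) -> bytes:
    """ICMP type 3: 4-byte header, 4 unused bytes, then the offending datagram's
    IP header and the first 8 bytes of its payload (RFC 792)."""
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted_ip_hdr + quoted_l4[:8]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_icmp_unreachable(msg: bytes):
    """Recover the quoted 4-tuple and IP ID from a Destination Unreachable,
    or None if the message is truncated or fails either checksum."""
    if len(msg) < 8 + 28 or msg[0] != ICMP_DEST_UNREACH or inet_checksum(msg) != 0:
        return None
    quoted = msg[8:]
    ihl = (quoted[0] & 0x0F) * 4
    if quoted[0] >> 4 != 4 or len(quoted) < ihl + 8 or inet_checksum(quoted[:ihl]) != 0:
        return None
    ip_id, = struct.unpack("!H", quoted[4:6])
    sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return {
        "src": str(ipaddress.IPv4Address(quoted[12:16])),
        "dst": str(ipaddress.IPv4Address(quoted[16:20])),
        "proto": quoted[9],
        "ip_id": ip_id,
        "sport": sport,
        "dport": dport,
    }


def icmp_matches_query(msg: bytes, query: dict, check_ip_id: bool) -> bool:
    """Model of the receiving stack's decision: hand the error to the socket only
    if the quoted headers describe a datagram this host sent. Whether the quoted
    IP ID is compared at all is the assumption under test (stack-specific)."""
    q = parse_icmp_unreachable(msg)
    if q is None:
        return False
    if (q["src"], q["dst"], q["proto"], q["sport"], q["dport"]) != \
            (query["src"], query["dst"], PROTO_UDP, query["sport"], query["dport"]):
        return False
    return not check_ip_id or q["ip_id"] == query["ip_id"]


# Constructed scenario: a resolver with a fixed (predictable) source port
# querying a nameserver. The IP ID is the one value the attacker cannot observe.
RESOLVER_QUERY = {"src": "192.0.2.10", "dst": "198.51.100.53",
                  "sport": 32768, "dport": 53, "ip_id": 0x4A3F}
DNS_PAYLOAD_LEN = 40  # constructed size of the DNS query


def make_unreachable(query: dict, ip_id_in_quote: int) -> bytes:
    """ICMP Port Unreachable quoting the query's headers with the given IP ID.
    The genuine error carries the real ID; a forger has to guess it."""
    ip_hdr = build_ipv4_header(query["src"], query["dst"], ip_id_in_quote,
                               PROTO_UDP, 8 + DNS_PAYLOAD_LEN)
    udp_hdr = build_udp_header(query["sport"], query["dport"], DNS_PAYLOAD_LEN)
    return build_icmp_unreachable(ip_hdr, udp_hdr)


def demo() -> dict:
    genuine = make_unreachable(RESOLVER_QUERY, RESOLVER_QUERY["ip_id"])
    forged = make_unreachable(RESOLVER_QUERY, 0x0001)  # ports guessed right, IP ID not
    return {
        "genuine_accepted": icmp_matches_query(genuine, RESOLVER_QUERY, check_ip_id=True),
        "forged_accepted_tuple_only": icmp_matches_query(forged, RESOLVER_QUERY, check_ip_id=False),
        "forged_accepted_with_ip_id": icmp_matches_query(forged, RESOLVER_QUERY, check_ip_id=True),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

With a predictable source port, everything in the quoted 8 UDP bytes is known to the attacker (the length follows from the query and the checksum is optional), so the 4-tuple check alone lets a blind forgery through; the only remaining unobservable field is the quoted IP ID, and on a stack that compares it the forger is back to a 16-bit guess, which is the point of the reply above. The example does not touch the wire: it only shows what each checking rule would accept.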