Re: DNS Speculation

[Jon Oberheide <jon () oberheide org>]

Halvar,

On Mon, 2008-07-21 at 10:24 +0200, Halvar Flake wrote:
[snip]
> Mallory wants to poison DNS lookups on server ns.polya.com for the
> domain www.gmx.net. The nameserver
> for gmx.net is ns.gmx.net. Mallory's IP is 244.244.244.244.
>
> Mallory begins to send bogus requests for www.ulam00001.com,
> www.ulam00002.com ... to ns.polya.com.
> ns.polya.com doesn't have these requests cached, so it asks a root
> server "where can I find the .com NS?"
> It then receives a referral to the .com NS. It asks the nameserver for
> .com where to find the nameserver
> for ulam00001.com, ulam00002.com etc.
>
> Mallory spoofs referrals claiming to come from the .com nameserver to
> ns.polya.com. In these referrals, it
> says that the nameserver responsible for ulamYYYYY.com is a server
> called ns.gmx.net and that
> this server is located at 244.244.244.244. Also, the time to live of
> this referral is ... long ...
>
> Now eventually, Mallory will get one such referral spoofed right, e.g.
> the TXID etc. will be guessed properly.
> ns.polya.com will then cache that ns.gmx.net can be found at ...
> 244.244.244.244. Yay.

This step is the difficult part where the scenario breaks down.

When the attacker is asking the resolver to service the bogus requests,
the resolver will query the .com authoritative server (question section
RR: ulamYYYYY.com/A/IN).  Since each query the resolver sends has a
different transaction ID, you're still be stuck having to guess the
16-bit TXID.  And since each query has a different question section, the
bday attack scenario is not possible.

Regards,
Jon Oberheide

-- 
Jon Oberheide <jon () oberheide org>
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6  F184 5842 1C89 F47C 17FE

Attachment: signature.asc
Description: This is a digitally signed message part

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave