Dailydave mailing list archives

Re: DNS Speculation


From: Julien TINNES <jt () cr0 org>
Date: Tue, 22 Jul 2008 15:32:53 +0200


> Mallory spoofs referrals claiming to come from the .com nameserver to
> ns.polya.com. In these referrals, it
> says that the nameserver responsible for ulamYYYYY.com is a server
> called ns.gmx.net and that
> this server is located at 244.244.244.244. Also, the time to live of
> this referral is ... long ...


One problem I see with your attack is "claiming to come from the .com 
nameserver". As there are several such servers you will not know which one 
to spoof and this will add a few bits of entropy and make the number of 
ulamYYYY packets we have to send statistically higher.

But still the idea of exploiting an in-bailiwick glue record seems good to me, 
so maybe we could just transpose the attack and not involve the root servers.

Mallory can instead spoof referrals for ulam00001.target.com, 
ulam00002.target.com and so on.
In our packet related to ulamXXXXX.target.com there would be something like:
        - ulamXXXXX.target.com IN NS www.target.com
        - and a glue with "www.target.com in A OUR_IP_ADRESS"

And when for ulamYYYYY.target.com we match the TXID, IP source (the 
authoritative NS for target.com, hoping there is only one or at least fewer 
than the 13 there are for .com) and source port, we have successfully hijacked 
www.target.com

This is the exact same attack but instead of having to find out which root DNS 
server was used we only have to find out which target.com dns server was used 
which is probably easier.

We should definitely take a better look at DNS to find out, but maybe we don't 
even have to do a referral ("IN NS" answer) in order to be able to glue 
something when we're in-bailiwick.

-- 
Julien TINNES
http://www.cr0.org
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
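As an added illustration, not part of this post or the thread, here is the resolver-side bailiwick rule the reasoning above relies on, in Python: glue for ns.gmx.net in a referral attributed to the .com servers is out of bailiwick and dropped, while glue for www.target.com in a referral attributed to target.com's own server passes the check. The Referral structure, names and addresses are constructed for the example; it models the classic "accept additional records at or below the zone of the responding server" rule, not any specific resolver.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or lies below it (label-wise, case-insensitive)."""
    z = zone.lower().rstrip(".")
    if z == "":
        return True  # the root zone contains every name
    n_labels = name.lower().rstrip(".").split(".")
    z_labels = z.split(".")
    return len(n_labels) >= len(z_labels) and n_labels[-len(z_labels):] == z_labels


@dataclass(frozen=True)
class Referral:
    """A delegation response as seen by the resolver (constructed for this example)."""
    qname: str            # name that was queried
    delegated_zone: str   # owner of the NS record in the authority section
    ns_target: str        # NS rdata
    glue_name: str        # owner of the A record in the additional section
    glue_addr: str        # A rdata


def accepted_glue(ref: Referral, responding_zone: str) -> Optional[Tuple[str, str]]:
    """Return the (name, address) a bailiwick-enforcing resolver would cache from `ref`,
    or None if the glue is rejected.  `responding_zone` is the zone served by the
    nameserver the answer is attributed to (the source IP the resolver sent to)."""
    # The delegation must be at or below the zone of the server that answered.
    if not in_bailiwick(ref.delegated_zone, responding_zone):
        return None
    # Additional-section data is only trusted for names inside that same zone.
    if not in_bailiwick(ref.glue_name, responding_zone):
        return None
    return ref.glue_name.lower().rstrip("."), ref.glue_addr


# Constructed samples: the original variant (referral attributed to .com, glue for a
# name outside .com) and the transposed variant (referral attributed to target.com,
# glue for a name inside target.com).  Addresses are documentation ranges.
ORIGINAL_VARIANT = Referral("ulam00001.com", "ulam00001.com", "ns.gmx.net",
                            "ns.gmx.net", "203.0.113.9")
TRANSPOSED_VARIANT = Referral("ulam00001.target.com", "ulam00001.target.com",
                              "www.target.com", "www.target.com", "192.0.2.7")

if __name__ == "__main__":
    print("original  :", accepted_glue(ORIGINAL_VARIANT, "com"))        # None
    print("transposed:", accepted_glue(TRANSPOSED_VARIANT, "target.com"))  # cached
```

The bailiwick check only removes the out-of-bailiwick case; it does nothing against the in-bailiwick variant, which is why the defence for this class of attack is to raise the guessing cost with source-port randomisation (and, longer term, DNSSEC) rather than to tighten glue acceptance alone.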
