Full Disclosure mailing list archives
Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion)
From: "eugaaa () gmail com" <eugaaa () gmail com>
Date: Sun, 13 Jul 2008 21:44:19 -0500
If the nameserver is "down" most likely the resolver is going to try a different one. Meaning you're back to square one. Which is why I asked what happens if the resolver receives a response after it's been told the nameserver is down. In any case, I'm not even sure how resolvers handle dest unreachables. And again, I think that avenue is moot.

As for your question about theory versus practicality: 2^16 seems possible. This exact same problem exists with ASLR implementations as well as stack protection mechanisms (canary values etc.). I think even Vista's current address space randomization is 16 bits. However, with these DNS transaction IDs you're not looking at a random number. Its scope is limited because you've seen the transaction IDs of each request you've made, i.e. my first request was 125, my second was 133, etc. Meaning you pick a number higher up (180) and try to win the race.

Any BIND pros here?

On 7/13/08, coderman <coderman () gmail com> wrote:
> On Sun, Jul 13, 2008 at 5:26 PM, eugaaa () gmail com <eugaaa () gmail com> wrote:
> > What you wrote...
> please note that is not my post on that site; i merely link to it. thanks.
> > Why flood with dest unreachables when your goal is to answer before the nameserver?
> if the nameserver is "down", you no longer need to race against it.
> > Meaning it is a remote timing based attack...
> sure. the bigger question is how large the temporal window of opportunity. if you have a large window, practical attacks become widely possible. a small niche and you're dealing with mostly theoretical impact.
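The race described in the post above, as an added simulation that is not code from the thread or from any resolver: a toy resolver with one outstanding query that matches responses on transaction ID and question name only (no source-port check, an assumption), an attacker who first learns the resolver's current TXID by making it query a name the attacker's own server answers, then triggers the victim lookup and sprays spoofed answers in the window before the real one lands. It compares the sequential-ID case (125, 133, ... as in the post) with uniformly random 16-bit IDs. All names, addresses and budgets are constructed for the example.

```python
"""Toy model of the DNS transaction-ID race: predictable vs random 16-bit IDs.

Constructed example, not the code of any real resolver or exploit.
"""
import random

TXID_SPACE = 1 << 16                    # 16-bit transaction ID

PROBE_NAME = "probe.attacker.example"   # attacker's own server answers this (constructed)
VICTIM_NAME = "www.victim.example"      # name the attacker wants to poison (constructed)
ATTACKER_IP = "203.0.113.66"            # spoofed answer (constructed address)
REAL_IP = "192.0.2.10"                  # legitimate answer (constructed address)


class Resolver:
    """Minimal resolver: accepts the first response whose (txid, qname)
    matches the single pending query and caches it. Assumption: it does not
    randomize or check the UDP source port, so the TXID is the only secret."""

    def __init__(self, next_txid):
        self.next_txid = next_txid
        self.pending = None
        self.cache = {}

    def ask(self, qname):
        txid = self.next_txid()
        self.pending = (txid, qname)
        return txid

    def receive(self, txid, qname, rdata):
        if self.pending != (txid, qname):
            return False                # wrong ID or wrong question: dropped
        self.cache[qname] = rdata
        self.pending = None             # later answers for this query are ignored
        return True


def sequential_txids(start=0):
    """Predictable IDs: each query uses the previous ID plus one."""
    state = [start]

    def gen():
        txid = state[0] % TXID_SPACE
        state[0] = txid + 1
        return txid
    return gen


def random_txids(rng):
    """Unpredictable IDs drawn uniformly from the 16-bit space."""
    return lambda: rng.randrange(TXID_SPACE)


def guess_sequential(observed, budget, rng):
    """Attacker saw `observed`; the next ID is a little higher, so guess upward."""
    return [(observed + i) % TXID_SPACE for i in range(1, budget + 1)]


def guess_random(observed, budget, rng):
    """No structure to exploit: spray `budget` distinct random IDs."""
    return rng.sample(range(TXID_SPACE), budget)


def run_attack(resolver, predictor, budget, rng):
    """One race. Returns True if the spoofed answer ends up in the cache."""
    # 1. learn the current TXID: the resolver queries the attacker's own server
    observed = resolver.ask(PROBE_NAME)
    resolver.receive(observed, PROBE_NAME, "198.51.100.1")
    # 2. make the resolver look up the victim name
    real_txid = resolver.ask(VICTIM_NAME)
    # 3. spray guesses during the window before the real answer arrives
    for guess in predictor(observed, budget, rng):
        if resolver.receive(guess, VICTIM_NAME, ATTACKER_IP):
            break
    # 4. the legitimate answer arrives; it is ignored if the cache is already poisoned
    resolver.receive(real_txid, VICTIM_NAME, REAL_IP)
    return resolver.cache.get(VICTIM_NAME) == ATTACKER_IP


def success_rate(mode, budget, trials=200, seed=1):
    """Fraction of races won for mode 'sequential' or 'random' (seeded, so repeatable)."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        if mode == "sequential":
            resolver = Resolver(sequential_txids(rng.randrange(TXID_SPACE)))
            predictor = guess_sequential
        else:
            resolver = Resolver(random_txids(rng))
            predictor = guess_random
        wins += run_attack(resolver, predictor, budget, rng)
    return wins / trials


if __name__ == "__main__":
    for mode in ("sequential", "random"):
        print(mode, success_rate(mode, budget=50))
```

With sequential IDs a single guess wins every race; with random IDs each race is won with probability budget/65536, so the attacker's lever is how many spoofed packets fit in the window per triggered query, which is the "temporal window" point in the quoted reply. The toy resolver deliberately ignores the source port; a resolver that also randomized and checked it would enlarge the guess space per query from 2^16 to about 2^32, which this model does not cover.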
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- DNS Cache Dan Kamikaze (Actual Exploit Discussion) eugaaa () gmail com (Jul 13)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Paul Schmehl (Jul 13)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) eugaaa () gmail com (Jul 13)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) coderman (Jul 13)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) eugaaa () gmail com (Jul 13)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) coderman (Jul 13)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) eugaaa () gmail com (Jul 13)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Paul Schmehl (Jul 13)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) eugaaa () gmail com (Jul 13)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) eugaaa () gmail com (Jul 13)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Valdis . Kletnieks (Jul 13)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Paul Schmehl (Jul 14)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Mark Andrews (Jul 14)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Paul Schmehl (Jul 15)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Mark Andrews (Jul 15)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) FRLinux (Jul 15)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Mark Andrews (Jul 15)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) eugaaa () gmail com (Jul 13)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Paul Schmehl (Jul 13)