nanog mailing list archives

Re: Exploit for DNS Cache Poisoning - RELEASED


From: Tony Finch <dot () dotat at>
Date: Thu, 24 Jul 2008 13:21:07 +0100

On Wed, 23 Jul 2008, Kevin Day wrote:

> The new way is slightly more sneaky. You get the victim to try to
> resolve an otherwise invalid and uncached hostname like 00001.gmail.com,
> and try to beat the real response with spoofed replies. Except this time
> your reply comes with an additional record containing the IP for
> www.gmail.com to the one you want to redirect it to. If you win the race
> and the victim accepts your spoof for 00001.gmail.com, it will also
> accept (and overwrite any cached value) for your additional record for
> www.gmail.com as well.

RFC 2181 says the resolver should not overwrite authoritative data with
additional data in this manner.

I believe the Matasano description is wrong.

Tony.
-- 
f.anthony.n.finch  <dot () dotat at>  http://dotat.at/
FORTIES CROMARTY FORTH TYNE DOGGER: EAST OR SOUTHEAST 3 OR 4, INCREASING 5 OR
6 LATER. SLIGHT OR MODERATE. FOG PATCHES. GOOD, OCCASIONALLY VERY POOR.
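Tony's objection rests on the trust ranking in RFC 2181 section 5.4.1, which says a cache should not let data from the additional section of a reply replace a cached authoritative answer, and should never serve additional-section data as an answer at all. The following Python is an added example, not code from this thread or from any real resolver: a toy cache with and without that ranking, fed the spoofed reply quoted above. The hostnames come from the message; the IP addresses, the reply layout and all class and function names are constructed for illustration.

```python
# Added example, not code from the NANOG thread or from any resolver: a toy cache
# that ranks DNS data as RFC 2181 section 5.4.1 requires, fed the spoofed reply
# Kevin Day describes. The hostnames are from the thread; the IP addresses, the
# reply layout and the class names are constructed for illustration.
from dataclasses import dataclass, field

# RFC 2181 5.4.1 trust ranks (higher is more trustworthy). Only the ones used here.
RANK_ADDITIONAL = 1     # additional section of any reply; authority section of a non-AA reply
RANK_AUTHORITY_AA = 2   # authority section of an authoritative reply
RANK_ANSWER_NONAA = 4   # answer section of a non-authoritative reply
RANK_ANSWER_AA = 5      # authoritative data in the answer section of an AA reply


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str


@dataclass
class Reply:
    aa: bool                                    # AA bit in the header
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)


class NaiveCache:
    """Caches every RR from every section, overwriting whatever was there.
    This is the behaviour the quoted description assumes."""

    def __init__(self):
        self.data = {}   # (owner, type) -> (rdata, rank)

    def ingest(self, reply):
        for rrs in (reply.answer, reply.authority, reply.additional):
            for rr in rrs:
                self.data[(rr.name.lower(), rr.rtype)] = (rr.rdata, RANK_ANSWER_AA)

    def answer(self, name, rtype):
        entry = self.data.get((name.lower(), rtype))
        return entry[0] if entry else None


class RankedCache(NaiveCache):
    """Same store, but applies RFC 2181 5.4.1: lower-ranked data never replaces
    higher-ranked cached data, and additional-section data is never returned as
    an answer to a query."""

    def ingest(self, reply):
        sections = [
            (reply.answer, RANK_ANSWER_AA if reply.aa else RANK_ANSWER_NONAA),
            (reply.authority, RANK_AUTHORITY_AA if reply.aa else RANK_ADDITIONAL),
            (reply.additional, RANK_ADDITIONAL),
        ]
        for rrs, rank in sections:
            for rr in rrs:
                key = (rr.name.lower(), rr.rtype)
                cached = self.data.get(key)
                if cached is not None and cached[1] > rank:
                    continue   # keep the more trustworthy copy already cached
                self.data[key] = (rr.rdata, rank)

    def answer(self, name, rtype):
        entry = self.data.get((name.lower(), rtype))
        if entry is None or entry[1] <= RANK_ADDITIONAL:
            return None        # additional-only data may not be served as an answer
        return entry[0]


def run_scenario(cache, www_cached=True):
    """Replay the attack from the quoted text against a cache; return what the
    victim would now answer for www.gmail.com/A (constructed addresses)."""
    if www_cached:
        # The victim already holds the genuine, authoritative www.gmail.com answer.
        cache.ingest(Reply(aa=True, answer=[RR("www.gmail.com", "A", "192.0.2.10")]))
    # The attacker makes the victim look up an uncached name and wins the race with
    # a spoofed reply whose additional section carries a bogus www.gmail.com record.
    cache.ingest(Reply(aa=True,
                       answer=[RR("00001.gmail.com", "A", "198.51.100.1")],
                       additional=[RR("www.gmail.com", "A", "198.51.100.1")]))
    return cache.answer("www.gmail.com", "A")


if __name__ == "__main__":
    print("naive  :", run_scenario(NaiveCache()))                         # 198.51.100.1 (poisoned)
    print("ranked :", run_scenario(RankedCache()))                        # 192.0.2.10 (kept)
    print("ranked, nothing cached:", run_scenario(RankedCache(), False))  # None
```

The example models only the overwrite step the quoted text describes (the spoofed reply has already "won the race"); guessing the query ID and source port is not simulated. With the ranking applied, the additional record neither displaces the cached authoritative answer nor, when nothing is cached, becomes an answer the victim would hand out.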

