Vulnerability Development mailing list archives

Re: distributed.net and seti@home


From: OFriedrichs () SECURITY-FOCUS COM (Oliver Friedrichs)
Date: Tue, 1 Feb 2000 11:19:37 -0800


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Often DNS servers don't allow queries from strangers, which is good
> and should be the default configuration (except external queries
> for your domains).

This isn't true at all.  By default anyone can launch recursive
queries through pretty much any nameserver (AFAIK no default
configurations will prevent this).  Even then, many nameservers don't
support this type of access restriction to begin with (NT).  If
someone does limit the source of recursive queries, I can still spoof
a query from a valid source.  After all, all I want is the DNS server
to send out a recursive query so I can poison its cache, I don't
care about getting a response.

DNS cache corruption will be possible until DNS-SEC is in wide use.
I haven't seen any tools using the parallel query attack to poison
the cache however (yet).  Randomizing the query ID does little to
protect you if you can send 100 queries for the same name, causing
BIND to send out 100 queries.  All of a sudden you've increased your
chance of guessing a valid ID to 1/6554 instead of 1/65535.  Send out
1000 queries and you only need to send out 655 spoofed replies to
get one right.  I believe BIND will still do this, however I don't
know what it does when it receives invalid replies - whether it
invalidates the original query or not.  Something to look at...

Oliver Friedrichs
securityfocus.com

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>

iQA/AwUBOJcwkMm4FXxxREdXEQJSogCfU+sJgNsKag4Q9cYTjMlyDsh4AqYAnRf2
bjXDtopvoomQw9i+jq1u1aaV
=u1Bi
-----END PGP SIGNATURE-----
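The parallel-query argument in the post comes down to a probability model, so here is one as an added example; it is not part of Oliver Friedrichs's message and is not BIND code. It assumes each outstanding query carries an independent, uniformly random 16-bit transaction ID, that spoofed replies use distinct IDs, and that a reply is accepted if its ID matches any outstanding query for the name. The point for a defender is the last column: widening the space the guesser has to cover (here, assuming a randomized source port of roughly 64000 values on top of the 16-bit ID) is what reduces the exposure, not randomizing the ID alone. BIND's handling of invalid replies, which the post says is unknown, is deliberately not modelled.

```python
"""Risk model for the parallel-query DNS cache-poisoning argument.

Assumptions (added here, not from the post): each outstanding query
gets an independent, uniformly random ID from `space` values; spoofed
replies carry distinct IDs; a reply is accepted iff its ID matches an
outstanding query for that name.
"""

TXID_SPACE = 1 << 16        # 16-bit DNS transaction ID
SRC_PORT_SPACE = 64000      # assumed size of a randomized ephemeral-port range


def success_probability(space, outstanding, spoofed):
    """Probability that at least one of `spoofed` distinct guesses matches
    one of `outstanding` independently random IDs drawn from `space` values.

    A single outstanding query is missed by all guesses with probability
    (1 - spoofed/space); with independent IDs the misses multiply.
    """
    if outstanding <= 0 or spoofed <= 0:
        return 0.0
    if spoofed >= space:
        return 1.0
    miss_one = 1.0 - spoofed / space
    return 1.0 - miss_one ** outstanding


def compare_mitigations(outstanding, spoofed):
    """Exposure with ID randomization only versus ID plus source-port
    randomization, for the same number of outstanding queries and guesses."""
    return {
        "txid_only": success_probability(TXID_SPACE, outstanding, spoofed),
        "txid_plus_port": success_probability(
            TXID_SPACE * SRC_PORT_SPACE, outstanding, spoofed),
    }


if __name__ == "__main__":
    # The three situations the post describes: one query, 100 parallel
    # queries, and 1000 parallel queries answered with 655 guesses.
    for outstanding, spoofed in ((1, 1), (100, 1), (1000, 655)):
        r = compare_mitigations(outstanding, spoofed)
        print(f"outstanding={outstanding:5d} spoofed={spoofed:4d} "
              f"id-only={r['txid_only']:.6f} "
              f"id+port={r['txid_plus_port']:.2e}")
```

With ID randomization alone, 100 outstanding queries bring a single guess to roughly one in 655, and 1000 queries with 655 guesses to near certainty, which is the post's point; with the port space added the same traffic lands well under one in a thousand. Counting outstanding queries for the same name per resolver is therefore a useful detection signal as well as the knob the attack turns.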

