Vulnerability Development mailing list archives

Re: distributed.net and seti@home


From: core.lists.exploit-dev () CORE-SDI COM (Iván Arce)
Date: Wed, 2 Feb 2000 18:47:26 -0300


Oliver Friedrichs wrote:

> DNS cache corruption will be possible until DNS-SEC is in wide use.
> I haven't seen any tools using the parallel query attack to poison
> the cache however (yet).  Randomizing the query ID does little to
> protect you if you can send 100 queries for the same name, causing
> BIND to send out 100 queries.  All of a sudden you've increased your
> chance of guessing a valid ID to 1/6554 instead of 1/65535.  Send out
> 1000 queries and you only need to send out 655 spoofed replies to
> get one right.  I believe BIND will still do this, however I don't
> know what it does when it receives invalid replies - whether it
> invalidates the original query or not.  Something to look at.

There is no way for that to happen: the lookup for a pending query that
corresponds to a received response is done using the query id, so if
the query id is wrong (does not match any pending query) it will just
log the fact and drop the response; named won't know which pending query
to invalidate.

I remember discussing this with several people years ago, when the
query id problem was found and a patch was being thought out; we all knew
that randomizing the qid was not enough given the 16-bit space for it.
Maybe doing a lookup on the qname received on an invalid response
against the list of pending queries and incrementing a counter for "wrong qid
responses" could help detect an attack. I don't think it's much of a performance
penalty since it would be done ONLY on invalid responses; then again it might open
named to a DoS attack.

The other interesting thing is that the last time I checked, named did not
verify that there was no outstanding recursed query for a query received; that means
that if you sent 100 queries to the nameserver for the SAME RR and the nameserver
uses recursion, it sends out 100 queries (with different qids), thus making the parallel
attack feasible.
I really don't see why this couldn't be fixed, as it not only improves
security but reduces network traffic (I haven't checked the latest BIND sources though).

-ivan


-- 
"Understanding. A cerebral secretion that enables one having it to know
 a house from a horse by the roof on the house.
 Its nature and laws have been exhaustively expounded by Locke,
 who rode a house, and Kant, who lived in a horse." - Ambrose Bierce

==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
email: iarce () core-sdi com
http://www.core-sdi.com
Pte. Juan D. Peron 315 Piso 4 UF 17
1038 Capital Federal
Buenos Aires, Argentina.              Tel/Fax : +(54-11) 4331-5402
Casilla de Correos 877 (1000) Correo Central
=====================================================================

--- For a personal reply use iarce () core-sdi com
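The resolver behaviour the two posts argue about (responses matched to pending queries only by their 16-bit qid, one upstream query emitted per duplicate client query unless they are coalesced, and Iván's suggested counter on wrong-qid responses), as an added Python model. This is not code from the thread and not BIND's implementation; the Resolver class, its method names, the alert threshold and the sample names are this example's own assumptions. hit_probability computes the exact chance that k guessed IDs hit one of n outstanding IDs, which is the arithmetic behind the figures Oliver quotes.

```python
"""Constructed example: a toy model of the resolver behaviour discussed in the thread.

Not BIND code. It models three points from the discussion:
  * a response is matched to a pending query only by its 16-bit qid, so a
    response with an unknown qid is logged and dropped (nothing is invalidated);
  * optionally, duplicate client queries for a name that is already being
    recursed are coalesced instead of each emitting a new upstream query;
  * responses whose qid matches nothing but whose qname is pending are
    counted per name, the "wrong qid responses" counter Ivan suggests.
Class, method and threshold names are this example's own assumptions.
"""
from collections import defaultdict
from math import comb
import secrets

ID_SPACE = 1 << 16  # DNS query IDs are 16 bits


def hit_probability(outstanding: int, guesses: int) -> float:
    """Exact probability that at least one of `guesses` distinct guessed IDs
    equals one of `outstanding` distinct in-flight IDs (all from ID_SPACE).
    P(all miss) = C(ID_SPACE - outstanding, guesses) / C(ID_SPACE, guesses)."""
    miss = comb(ID_SPACE - outstanding, guesses) / comb(ID_SPACE, guesses)
    return 1.0 - miss


class Resolver:
    """Minimal recursive-resolver state: pending queries keyed by qid."""

    def __init__(self, coalesce: bool, alert_threshold: int = 10):
        self.coalesce = coalesce            # dedupe outstanding queries per name?
        self.alert_threshold = alert_threshold
        self.pending = {}                   # qid -> qname
        self.by_name = defaultdict(set)     # qname -> qids in flight
        self.bad_qid = defaultdict(int)     # qname -> responses with unknown qid
        self.sent = []                      # (qid, qname) actually sent upstream
        self.cache = {}                     # qname -> rdata
        self.log = []                       # what named would log

    def _new_qid(self) -> int:
        while True:
            qid = secrets.randbelow(ID_SPACE)
            if qid not in self.pending:     # keep in-flight ids distinct
                return qid

    def client_query(self, qname: str):
        """Client asks for qname. Returns the upstream qid used, or None if
        the answer was cached or the query joined an existing one."""
        if qname in self.cache:
            return None
        if self.coalesce and self.by_name[qname]:
            return None                     # already recursing for this name
        qid = self._new_qid()
        self.pending[qid] = qname
        self.by_name[qname].add(qid)
        self.sent.append((qid, qname))
        return qid

    def upstream_response(self, qid: int, qname: str, rdata: str) -> str:
        """Match a response to a pending query by qid (and qname)."""
        if self.pending.get(qid) != qname:
            self.log.append(f"response with unknown qid {qid} for {qname}: dropped")
            if self.by_name.get(qname):     # name is pending: count the miss
                self.bad_qid[qname] += 1
                if self.bad_qid[qname] == self.alert_threshold:
                    self.log.append(f"ALERT possible qid guessing against {qname}")
            return "dropped"
        self.cache[qname] = rdata
        for q in self.by_name.pop(qname):   # one answer satisfies every waiter
            self.pending.pop(q, None)
        return "accepted"

    def suspicious(self, qname: str) -> bool:
        return self.bad_qid[qname] >= self.alert_threshold


if __name__ == "__main__":
    for n, k in ((1, 1), (100, 1), (1000, 655)):
        print(f"{n} outstanding, {k} guesses: P(hit) = {hit_probability(n, k):.6f}")
    naive, fixed = Resolver(coalesce=False), Resolver(coalesce=True)
    for r in (naive, fixed):
        for _ in range(100):
            r.client_query("www.example.com")
        print(f"coalesce={r.coalesce}: {len(r.sent)} upstream queries for 100 client queries")
    real_qid = fixed.sent[0][0]
    for i in range(12):                     # constructed: 12 replies with wrong ids
        fixed.upstream_response((real_qid + 1 + i) % ID_SPACE, "www.example.com", "192.0.2.1")
    print("suspicious:", fixed.suspicious("www.example.com"))
    print(fixed.upstream_response(real_qid, "www.example.com", "192.0.2.1"))
```

With coalescing off, 100 client queries for one name put 100 distinct ids in flight; with it on, only one upstream query is sent and the other 99 clients wait on it, which is exactly the traffic and exposure reduction Iván describes. The wrong-qid counter is touched only on the drop path, so it adds nothing to the cost of valid responses; the per-name dictionary it needs is where the DoS concern would show up, since its size is driven by whatever names are pending.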
