Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Re[2]: Windows DNS Cache Poisoning by Forwarder DNS Spoofing

From: "Roger A. Grimes" <roger () banneretcs com>
Date: Tue, 17 Apr 2007 18:46:34 -0400
Thanks for responding.

If this is the case, why is this report a report of a Windows DNS
vulnerability, since it appears to be a DNS (or at least BIND and
Windows) vulnerability?  My guess is the original poster didn't include
BIND in his test scope or something like that.

Roger

*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist 
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger_grimes () infoworld com or roger () banneretcs com
*Author of Professional Windows Desktop and Server Hardening (Wrox)
*http://www.amazon.com/gp/product/0764599909
*****************************************************************


-----Original Message-----
From: 3APA3A [mailto:3APA3A () SECURITY NNOV RU] 
Sent: Tuesday, April 17, 2007 4:50 PM
To: Roger A. Grimes
Cc: Makoto Shiotsuki; bugtraq () securityfocus com
Subject: Re[2]: Windows DNS Cache Poisoning by Forwarder DNS Spoofing

Dear Roger A. Grimes,

 DNS  spoofing attack in general can not be 'patched', because this is a
weakness of DNS protocol itself.

 As  for  birthday  attack  applicability, this problem was discussed in
2002.  In  2003  problem still exist in both bind 8 and 9. According to
CERT  (US-CERT) as on 10/18/2004 bind was still vulnerable. As far as I
remember,  there  never  was  a patch for bind to prevent this specific
attack, yet it can be a part of some later bind release.

 A possible mitigation against birthday attacks (not against spoofing in
 general) on the server software level are any of:

 1.  Do  no reuse source port for DNS requests. Have every request to be
issued  from  different  source  ports  (resource consumption attack is
possible).
 2.  Keep  a  table  of issued requests and do not issue request for the
same  name  before  response  for  previous one is received (can not be
implemented in scalable 'multiple processes' DNS server architecture)
3. Monitor if multiple replies are received for a single request.

 I don't know if bind actually use any. Hope, this helps.
 

--Tuesday, April 17, 2007, 8:48:04 PM, you wrote to shio () st rim or jp:

RAG> How does BIND stop this sort of attack? 

RAG> Can a BIND expert respond?

RAG> Roger

RAG> *****************************************************************
RAG> *Roger A. Grimes, InfoWorld, Security Columnist *CPA, CISSP, MCSE: 
RAG> Security (2000/2003/MVP), CEH, yada...yada...
RAG> *email: roger_grimes () infoworld com or roger () banneretcs com *Author 
RAG> of Professional Windows Desktop and Server Hardening (Wrox)
RAG> *http://www.amazon.com/gp/product/0764599909
RAG> *****************************************************************


RAG> -----Original Message-----
RAG> From: Makoto Shiotsuki [mailto:shio () st rim or jp]
RAG> Sent: Tuesday, April 17, 2007 12:31 PM
RAG> To: Roger A. Grimes
RAG> Cc: bugtraq () securityfocus com
RAG> Subject: Re: Windows DNS Cache Poisoning by Forwarder DNS Spoofing


One question.  Is BIND any better at preventing this type of attack? 


RAG> As far as I know, this vulnerability is specific to the Windows
DNS.

RAG> Makoto Shiotsuki


--
~/ZARAZA http://securityvulns.com/
Previous By Date Next
Previous By Thread Next

Current thread: