Dailydave mailing list archives
Re: DNS Speculation
From: "Dominique Brezinski" <dominique.brezinski () gmail com>
Date: Tue, 22 Jul 2008 09:51:17 -0700
On Tue, Jul 22, 2008 at 2:42 AM, Alexander Sotirov <alex () sotirov net> wrote:
> Spoofing an A record: Right before step 7, the attacker sends a spoofed response from ns.google.com that includes an A record for www.google.com and points it to 1.2.3.4 (which is an attacker controlled name server). If the attacker does not win the race, they just try again with 1235.google.com and so on. When ns.isp.com receives the spoofed response, it puts the A record for www.google.com in its cache and from now on google is at 1.2.3.4.
>
> Why would this work? ns.isp.com did not ask for www.google.com, it asked only for 1234.google.com. Why would ns.isp.com cache that unsolicited A record? Is there some obscure DNS feature that requires this behavior?

Not quite it. The attack is actually to send the spoof response that is an A record for 1234.google.com, which also includes an additional RR field with an attacker controlled IP for ns.google.com, effectively poisoning the cache for google's name server. Also the subtle aspect of the attack is what TXID is chosen for the spoofed response.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
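
A defender's view of the exchange described in this message, as an added example that is not part of the original post: it replays constructed resolver log events and flags both the burst of wrong-TXID responses across sibling names in one zone and an accepted response whose additional RR changes the cached address of that zone's name server. The event layout, the threshold of 3 and the cached address 192.0.2.53 are assumptions made up for illustration.

```python
from collections import Counter

# Constructed: address the resolver currently has cached for the zone's name server.
CACHED_NS = {"ns.google.com": "192.0.2.53"}

# Constructed events: (qname asked, TXID sent, TXID in response, additional RRs {name: ip}).
EVENTS = [
    ("1234.google.com", 0x1A2B, 0x0001, {"ns.google.com": "1.2.3.4"}),
    ("1234.google.com", 0x1A2B, 0x0002, {"ns.google.com": "1.2.3.4"}),
    ("1235.google.com", 0x77C0, 0x0003, {"ns.google.com": "1.2.3.4"}),
    ("www.example.org", 0x0F0F, 0x0F0F, {}),
    ("1236.google.com", 0x4D11, 0x4D11, {"ns.google.com": "1.2.3.4"}),
]


def zone_of(qname):
    """Simplification for this example: treat the last two labels as the zone."""
    return ".".join(qname.split(".")[-2:])


def check_response(expected_txid, got_txid, additional, cached):
    """Return (accepted, findings) for a single response."""
    if got_txid != expected_txid:
        # A resolver drops this response; the drop itself is the signal to count.
        return False, ["txid-mismatch"]
    findings = []
    for name, ip in additional.items():
        # Additional RR that would replace an address already held in the cache.
        if name in cached and cached[name] != ip:
            findings.append(f"glue-override:{name}:{cached[name]}->{ip}")
    return True, findings


def analyse(events, cached, mismatch_threshold=3):
    """Walk the events in order and return the alerts a monitor would raise."""
    mismatches = Counter()
    alerts = []
    for qname, expected, got, additional in events:
        accepted, findings = check_response(expected, got, additional, cached)
        if not accepted:
            zone = zone_of(qname)
            mismatches[zone] += 1
            # Alert once per zone when dropped responses reach the threshold.
            if mismatches[zone] == mismatch_threshold:
                alerts.append(f"spoof-race:{zone}")
            continue
        alerts.extend(findings)
    return alerts


if __name__ == "__main__":
    for alert in analyse(EVENTS, CACHED_NS):
        print(alert)
```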