Dailydave mailing list archives
DNS "leak"
From: Alexander Sotirov <alex () sotirov net>
Date: Thu, 24 Jul 2008 23:00:02 -0700
Why are people (including Dan) referring to the Matasano post as a leak? Halvar got 95% of the attack right in his blog post. He figured out that:

1) sending an A record for ns.victim.com in the spoofed response will poison the cache
2) doing multiple queries for non-existent domains gives us an unlimited number of opportunities to spoof a response
3) using a different domain in each query avoids the problems with cached responses

The only mistake in his attack is that he's sending queries for xxx.com instead of xxx.victim.com. It wouldn't have taken long for somebody who knows what 'in bailiwick' means to realize that the fake ns.victim.com RR needs to be in a response for a .victim.com domain, and then they'd have the full attack figured out.

When 95% of the vulnerability is public information and the remaining 5% is easy to guess, you have to treat the bug as public. How can Matasano leak something that's public?

Alex
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
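The bailiwick point in the post, as an added illustration that is not part of the thread or of any resolver's code: a toy, delegation-scoped glue filter of the kind a caching resolver applies to a referral, which shows why a forged ns.victim.com record is only cacheable when it rides in a response for a name under victim.com. It assumes records as constructed (owner, type, rdata) tuples and takes the bailiwick to be the zone named by the authority section's NS record.

```python
# Added example, not from the post or any resolver's source. Records are
# (owner, type, rdata) tuples constructed here; the bailiwick is the zone
# named in the authority section's NS record, which must cover the qname.

def _norm(name):
    """Canonical form for comparison: lowercase, no trailing dot."""
    return name.rstrip(".").lower()

def in_bailiwick(owner, zone):
    """True if owner equals zone or lies somewhere below it."""
    owner, zone = _norm(owner), _norm(zone)
    return owner == zone or owner.endswith("." + zone)

def filter_referral(qname, authority, additional):
    """Return (cached, rejected) record lists for a referral response.

    qname      - the name that was asked about
    authority  - NS records naming the zone the answer delegates to
    additional - glue (A) records offered alongside the delegation
    """
    if not authority:
        return [], list(additional)
    zone = authority[0][0]              # owner of the delegating NS record
    # The delegation must cover the question, or this is not our answer.
    if not in_bailiwick(qname, zone):
        return [], authority + additional
    cached, rejected = list(authority), []
    for rr in additional:
        # Glue is cached only if it sits inside the delegated zone.
        (cached if in_bailiwick(rr[0], zone) else rejected).append(rr)
    return cached, rejected

# Constructed sample: the forged record the post talks about (RFC 5737 address).
FORGED_GLUE = ("ns.victim.com", "A", "203.0.113.66")

def halvar_variant():
    """Query for xxx.com: glue for ns.victim.com is outside xxx.com."""
    return filter_referral("xxx.com",
                           [("xxx.com", "NS", "ns.victim.com")],
                           [FORGED_GLUE])

def corrected_variant():
    """Query for xxx.victim.com: the same glue now sits inside victim.com."""
    return filter_referral("xxx.victim.com",
                           [("victim.com", "NS", "ns.victim.com")],
                           [FORGED_GLUE])
```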
Current thread:
- DNS "leak" Alexander Sotirov (Jul 25)
- Re: DNS "leak" Parity (Jul 25)