Dailydave mailing list archives
DNS Speculation
From: Halvar Flake <halvar () gmx de>
Date: Mon, 21 Jul 2008 10:24:11 +0200
(Scroll down to skip the introduction) I know that Dan asked the public researchers to "not speculate publicly" about the vulnerability, in order to buy people time. This is a commendable goal. I respect Dans viewpoint, but I disagree that this buys anyone time (more on this below). I am fully in agreement with the entire way he handled the vulnerability (e.g. getting the vendors on board, getting the patches made and released, and deciding to not disclose extra information) except the proposed "discussion blackout". In a strange way, if nobody speculates publicly, we are pulling wool over the eyes of the general public, and ourselves. Consider the following: Let's assume that the DNS problem is sufficiently complicated that an average person that has _some_ background in security, but little idea of protocols or DNS, would take N days to figure out what is problem is. So clearly, the assumption behind the "discussion blackout" is that no evil person will figure it out before the end of the N days. Let's say instead of having an average person with _some_ background in security, we have a particularly bright evil person. Perhaps someone whose income depends on phishing, and who is at the same time bright enough to build a reasonably complicated rootkit. This person is smart, and has a clear financial incentive to figure this out. I'd argue that it would take him N/4 days. By asking the community not to publicly speculate, we make sure that we have no idea what N actually is. We are not buying anybody time, we are buying people a warm and fuzzy feeling. It is imaginable that N is something like 4 days. We don't know, because there's no public speculation. So in that case, we are giving people 29 days of "Thank us for buying you time.", when in fact we have bought them a false perception of having time. The actual time they have is N/4th, and we're just making sure they think that N/4th > 30. Which it might not be. It might be ... 1. It all reminds me of a strange joke I was told last week. It's a russian joke that makes fun of the former east german government, so it might not be funny to everyone. I apologize up front: I am both german and a mathematician, so by definition the following can't be funny. "Lenin travels with the train through Russia, and the train grinds to a halt. Engine failure. Lenin sends all workers in the factory that might be responsible to a labor camp. Stalin travels with the train through Russia a few years later, and the train grinds to a halt. Eninge failure. Stalin has all workers in the factory that might be responsible shot. Honecker (the former head of State of the GDR) travels with the train through Russia. The train grinds to a halt. Engine failure. Honecker has a brilliant idea: "The people that are responsible should be forced to rock the train, so we can sit inside and feel like it is still running." " It feels like we're all trying to rock the train. If there was public speculation, we'd at least get a lower boundary on the "real" N, not the N we wish for. So I will speculate. The last weeks I was in the middle of preparing for an exam, so I really didn't have time to spend on the DNS flaw. I couldn't help myself though and spent a few minutes every other evening or so reading a DNS-for-dummies-text. I have done pretty much no protocol work in my life, so I have little hope for having gotten close to the truth. As such, anyone with a clue will probably laugh at my naive ideas. Here's my speculation: Mallory wants to poison DNS lookups on server ns.polya.com for the domain www.gmx.net. The nameserver for gmx.net is ns.gmx.net. Mallory's IP is 244.244.244.244. Mallory begins to send bogus requests for www.ulam00001.com, www.ulam00002.com ... to ns.polya.com. ns.polya.com doesn't have these requests cached, so it asks a root server "where can I find the .com NS?" It then receives a referral to the .com NS. It asks the nameserver for .com where to find the nameserver for ulam00001.com, ulam00002.com etc. Mallory spoofs referrals claiming to come from the .com nameserver to ns.polya.com. In these referrals, it says that the nameserver responsible for ulamYYYYY.com is a server called ns.gmx.net and that this server is located at 244.244.244.244. Also, the time to live of this referral is ... long ... Now eventually, Mallory will get one such referral spoofed right, e.g. the TXID etc. will be guessed properly. ns.polya.com will then cache that ns.gmx.net can be found at ... 244.244.244.244. Yay. The above is almost certainly wrong. Can someone with more insight into DNS tell me why it won't work ? _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- DNS Speculation Halvar Flake (Jul 21)
- Re: DNS Speculation Jon Oberheide (Jul 21)
- Re: DNS Speculation Petja van der Lek (Jul 21)
- Re: DNS Speculation natron (Jul 22)
- Re: DNS Speculation Parity (Jul 22)
- Re: DNS Speculation Tetrapodal Giant (Jul 22)
- Re: DNS Speculation Blue Boar (Jul 23)
- Re: DNS Speculation Alexander Sotirov (Jul 22)
- Re: DNS Speculation natron (Jul 22)
- Re: DNS Speculation Dominique Brezinski (Jul 22)
- Message not available
- Re: DNS Speculation Dominique Brezinski (Jul 22)