Dailydave mailing list archives

DNS Speculation


From: Halvar Flake <halvar () gmx de>
Date: Mon, 21 Jul 2008 10:24:11 +0200

(Scroll down to skip the introduction)

I know that Dan asked the public researchers to "not speculate publicly" about the vulnerability, in order to buy people time. This is a commendable goal. I respect Dan's viewpoint, but I disagree that this buys anyone time (more on this below). I am fully in agreement with the entire way he handled the vulnerability (e.g. getting the vendors on board, getting the patches made and released, and deciding to not disclose extra information) except the proposed "discussion blackout".

In a strange way, if nobody speculates publicly, we are pulling wool over the eyes of the general public, and ourselves. Consider the following:

Let's assume that the DNS problem is sufficiently complicated that an average person that has _some_ background in security, but little idea of protocols or DNS, would take N days to figure out what the problem is.

So clearly, the assumption behind the "discussion blackout" is that
no evil person will figure it out before the end of the N days.

Let's say instead of having an average person with _some_ background in security, we have a particularly bright evil person. Perhaps someone whose income depends on phishing, and who is at the same time bright enough to build a reasonably complicated rootkit. This person is smart, and has a clear financial incentive to figure this out. I'd argue that it would take him N/4 days.

By asking the community not to publicly speculate, we make sure that
we have no idea what N actually is. We are not buying anybody time,
we are buying people a warm and fuzzy feeling.

It is imaginable that N is something like 4 days. We don't know, because there's no public speculation.

So in that case, we are giving people 29 days of "Thank us for buying you time.", when in fact we have bought them a false perception of having time. The actual time they have is N/4th, and we're just making sure they think that N/4th > 30. Which it might not be. It might be ... 1.

It all reminds me of a strange joke I was told last week. It's a Russian joke that makes fun of the former East German government, so it might not be funny to everyone. I apologize up front: I am both German and a mathematician, so by definition the following can't be funny.

"Lenin travels with the train through Russia, and the train grinds to a halt. Engine failure. Lenin sends all workers in the factory that might be responsible to a labor camp.

Stalin travels with the train through Russia a few years later, and the train grinds to a halt. Engine failure. Stalin has all workers in the factory that might be responsible shot.

Honecker (the former head of State of the GDR) travels with the train through Russia. The train grinds to a halt. Engine failure. Honecker has a brilliant idea: "The people that are responsible should be forced to rock the train, so we can sit inside and feel like it is still running.""

It feels like we're all trying to rock the train.

If there was public speculation, we'd at least get a lower boundary on the "real" N, not the N we wish for.

So I will speculate.

The last weeks I was in the middle of preparing for an exam, so I really didn't have time to spend on the DNS flaw. I couldn't help myself though and spent a few minutes every other evening or so reading a DNS-for-dummies text. I have done pretty much no protocol work in my life, so I have little hope of having gotten close to the truth.

As such, anyone with a clue will probably laugh at my naive ideas. Here's my speculation:

Mallory wants to poison DNS lookups on server ns.polya.com for the domain www.gmx.net. The nameserver for gmx.net is ns.gmx.net. Mallory's IP is 244.244.244.244.

Mallory begins to send bogus requests for www.ulam00001.com, www.ulam00002.com ... to ns.polya.com. ns.polya.com doesn't have these requests cached, so it asks a root server "where can I find the .com NS?" It then receives a referral to the .com NS. It asks the nameserver for .com where to find the nameserver for ulam00001.com, ulam00002.com etc.

Mallory spoofs referrals claiming to come from the .com nameserver to ns.polya.com. In these referrals, it says that the nameserver responsible for ulamYYYYY.com is a server called ns.gmx.net and that this server is located at 244.244.244.244. Also, the time to live of this referral is ... long ...

Now eventually, Mallory will get one such referral spoofed right, e.g. the TXID etc. will be guessed properly. ns.polya.com will then cache that ns.gmx.net can be found at ... 244.244.244.244. Yay.

The above is almost certainly wrong. Can someone with more insight into DNS tell me why it won't work?
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
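As an added example (not part of Halvar's post, and not code from any real resolver), here is a toy Python model of a caching resolver that replays the scenario described in the post, using the constructed names and addresses the post uses (ns.polya.com, ulam00001.com, ns.gmx.net, 244.244.244.244); nothing is sent on the network. It shows the two checks a resolver applies before caching anything from a referral: the response must match an outstanding query on TXID, destination port and question, and records whose owner name lies outside the zone the queried server serves (the "bailiwick" of the .com server here, assumed to be `com`) are never cached. The `ToyResolver` class, the `Referral` type and the zone labels are assumptions of this model.

```python
"""Toy model of how a caching resolver treats referral responses.

Added example, not code from the post or from any real resolver.
Names and addresses are the constructed ones used in the post.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RR:
    """One resource record: owner name, type, RDATA, TTL."""
    name: str
    rtype: str
    data: str
    ttl: int


@dataclass
class Referral:
    """A referral response as the resolver parses it (assumed shape)."""
    txid: int
    dst_port: int          # UDP port the response is addressed to
    question: str          # QNAME echoed back in the response
    authority: List[RR]    # NS records for the delegated zone
    additional: List[RR]   # glue A records


def in_bailiwick(name: str, zone: str) -> bool:
    """True when name equals zone or lies below it (case-insensitive)."""
    n = name.lower().rstrip(".")
    z = zone.lower().rstrip(".")
    return z == "" or n == z or n.endswith("." + z)


class ToyResolver:
    def __init__(self, bailiwick_check: bool) -> None:
        self.bailiwick_check = bailiwick_check
        self.cache: Dict[Tuple[str, str], RR] = {}
        # Outstanding queries: (txid, source port) -> (qname, zone served by
        # the server we asked). A response must match all of these.
        self.pending: Dict[Tuple[int, int], Tuple[str, str]] = {}

    def send_query(self, txid: int, src_port: int, qname: str, server_zone: str) -> None:
        self.pending[(txid, src_port)] = (qname, server_zone)

    def receive(self, resp: Referral) -> List[RR]:
        """Process a response; return the records that ended up cached."""
        key = (resp.txid, resp.dst_port)
        if key not in self.pending or self.pending[key][0] != resp.question:
            return []  # no matching outstanding query: silently dropped
        _, server_zone = self.pending.pop(key)
        accepted: List[RR] = []
        for rr in resp.authority + resp.additional:
            # The .com server may only vouch for names under com; an A record
            # for ns.gmx.net in its additional section is out of bailiwick.
            if self.bailiwick_check and not in_bailiwick(rr.name, server_zone):
                continue
            self.cache[(rr.name, rr.rtype)] = rr
            accepted.append(rr)
        return accepted

    def lookup(self, name: str, rtype: str) -> Optional[str]:
        rr = self.cache.get((name, rtype))
        return rr.data if rr else None


def poisoning_attempt(bailiwick_check: bool, forged_txid: int, forged_port: int) -> Optional[str]:
    """Replay the post's scenario once and return what the resolver then
    believes the A record of ns.gmx.net is (None if nothing was cached)."""
    r = ToyResolver(bailiwick_check)
    # ns.polya.com asks the .com server about www.ulam00001.com.
    # TXID and source port are constructed values for the model.
    r.send_query(txid=0x1234, src_port=53211, qname="www.ulam00001.com", server_zone="com")
    forged = Referral(
        txid=forged_txid, dst_port=forged_port, question="www.ulam00001.com",
        authority=[RR("ulam00001.com", "NS", "ns.gmx.net", 604800)],
        additional=[RR("ns.gmx.net", "A", "244.244.244.244", 604800)],
    )
    r.receive(forged)
    return r.lookup("ns.gmx.net", "A")


if __name__ == "__main__":
    print("no bailiwick check, matching guess :", poisoning_attempt(False, 0x1234, 53211))
    print("no bailiwick check, wrong port     :", poisoning_attempt(False, 0x1234, 53))
    print("bailiwick check, matching guess    :", poisoning_attempt(True, 0x1234, 53211))
```

The first call shows the outcome the post describes: a response that happens to match the outstanding query is accepted and the out-of-zone glue lands in the cache. The second shows why a randomized source port matters: the guess has to match the port as well as the TXID, so a forgery addressed to the wrong port is dropped before any record is examined. The third shows the bailiwick rule: even a perfectly matching forgery cannot plant an A record for ns.gmx.net through a referral from the .com server, because that name is not under the zone the server was asked about.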
