Dailydave mailing list archives
Re: DNS Speculation
From: Julien TINNES <jt () cr0 org>
Date: Tue, 22 Jul 2008 15:32:53 +0200
Mallory spoofs referrals claiming to come from the .com nameserver to ns.polya.com. In these referrals, it says that the nameserver responsible for ulamYYYYY.com is a server called ns.gmx.net and that this server is located at 244.244.244.244. Also, the time to live of this referral is ... long ...
One problem I see with your attack is "claiming to come from the .com nameserver". As there are several such servers, you will not know which one to spoof, and this will add a few bits of entropy and make the number of ulamYYYY packets we have to send statistically higher.

But still, the idea of exploiting an in-bailiwick glue record seems good to me, so maybe we could just transpose the attack and not involve the root servers. Mallory can instead spoof referrals for ulam00001.target.com, ulam00002.target.com and so on. In our packet related to ulamXXXXX.target.com there would be something like:

- ulamXXXXX.target.com IN NS www.target.com
- and a glue with "www.target.com in A OUR_IP_ADRESS"

And when for ulamYYYYY.target.com we match the TXID, IP source (the authoritative NS for target.com, hoping there is only one or at least less than the 13 there are for .com) and source port, we have successfully hijacked www.target.com.

This is the exact same attack, but instead of having to find out which root DNS server was used we only have to find out which target.com DNS server was used, which is probably easier.

We should definitely take a better look at DNS to find out, but maybe we don't even have to do a referral ("IN NS" answer) in order to be able to glue something when we're in-bailiwick.

--
Julien TINNES
http://www.cr0.org
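Added example, not part of the original post: a resolver-side detection sketch in Python for the pattern the message describes, namely many referrals for sibling names under one zone that fail the TXID / source IP / port match and all try to glue the same in-zone host. The log format, the names under target.example, the addresses and the threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events (not real traffic). Fields:
#   Q <qname> <txid> <resolver_src_port> <server_ip>            outbound query
#   R <qname> <txid> <dst_port> <src_ip> <ns_target> <glue_ip>  inbound referral
SAMPLE_LOG = """\
Q ulam00001.target.example 4711 33001 192.0.2.53
R ulam00001.target.example 1000 33001 192.0.2.53 www.target.example 203.0.113.9
R ulam00001.target.example 1001 33001 192.0.2.53 www.target.example 203.0.113.9
R ulam00001.target.example 4711 33001 192.0.2.53 ns1.target.example 192.0.2.53
Q ulam00002.target.example 9120 33002 192.0.2.53
R ulam00002.target.example 1002 33002 192.0.2.53 www.target.example 203.0.113.9
R ulam00002.target.example 1003 33002 192.0.2.53 www.target.example 203.0.113.9
Q mail.other.example 2222 33003 198.51.100.7
R mail.other.example 2222 33003 198.51.100.7 ns.other.example 198.51.100.7
"""

def parent_zone(qname):
    # Assumption: the zone is the last two labels; real code needs a suffix list.
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_spoof_bursts(log_text, threshold=3):
    """Return {zone: {"mismatches": n, "glue": {(name, ip), ...}}} for zones
    that received >= threshold responses matching no outstanding query."""
    outstanding = {}                      # qname -> (txid, port, server)
    stats = defaultdict(lambda: {"mismatches": 0, "glue": set()})
    for line in log_text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "Q":
            outstanding[f[1]] = (f[2], f[3], f[4])
        elif f[0] == "R":
            qname, key = f[1], (f[2], f[3], f[4])
            if outstanding.get(qname) == key:
                del outstanding[qname]    # legitimate answer closes the query
                continue
            zone = stats[parent_zone(qname)]
            zone["mismatches"] += 1
            zone["glue"].add((f[5], f[6]))  # what the unmatched referral tried to glue
    return {z: s for z, s in stats.items() if s["mismatches"] >= threshold}
```

A zone that shows up here with a single repeated glue target is the signal worth alerting on; the matched referral for ulam00001 and the unrelated other.example lookup are not counted.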