nanog mailing list archives

Re: Exploit for DNS Cache Poisoning - RELEASED

From: "William Herrin" <herrin-nanog () dirtside com>
Date: Wed, 23 Jul 2008 22:34:17 -0400

On Wed, Jul 23, 2008 at 9:44 PM, Joe Greco <jgreco () ns sol net> wrote:

Except this time your reply comes with an additional record
containing the IP for www.gmail.com to the one you want to redirect it
to.


Thought that was the normal technique for cache poisoning.  I'm pretty
sure that at some point, code was added to BIND to actually implement
this whole bailiwick system, rather than just accepting arbitrary out-
of-scope data, which it ... used to do (sigh, hi BIND4).


Joe,

I think that's the beauty of this attack: the data ISN'T out of scope.
The resolver is expecting to receive one or more answers to
00001.gmail.com, one or more authority records (gmail.com NS
www.gmail.com) and additional records providing addresses for the
authority records (www.gmail.com A 127.0.0.1).

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin () dirtside com bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004

Current thread:

Re: Software router state of the art, (continued)
- - - Re: Software router state of the art William Herrin (Jul 23)
    - Re: Software router state of the art Kevin Oberman (Jul 23)
    - sizing router buffers (Re: Software router state of the art ) Mikael Abrahamsson (Jul 23)
    - Exploit for DNS Cache Poisoning - RELEASED Robert D. Scott (Jul 23)
    - Re: Exploit for DNS Cache Poisoning - RELEASED Joe Greco (Jul 23)
    - RE: Exploit for DNS Cache Poisoning - RELEASED Robert D. Scott (Jul 23)
    - Re: Exploit for DNS Cache Poisoning - RELEASED David Conrad (Jul 23)
    - Re: Exploit for DNS Cache Poisoning - RELEASED Mike Lewinski (Jul 23)
    - Re: Exploit for DNS Cache Poisoning - RELEASED Kevin Day (Jul 23)
    - Re: Exploit for DNS Cache Poisoning - RELEASED Joe Greco (Jul 23)
    - Re: Exploit for DNS Cache Poisoning - RELEASED William Herrin (Jul 23)
    - Re: Exploit for DNS Cache Poisoning - RELEASED Joe Greco (Jul 24)
    - Re: Exploit for DNS Cache Poisoning - RELEASED Tony Finch (Jul 24)
    - Re: Exploit for DNS Cache Poisoning - RELEASED Joe Abley (Jul 23)
    - Re: Exploit for DNS Cache Poisoning - RELEASED Jasper Bryant-Greene (Jul 23)
    - Re: Exploit for DNS Cache Poisoning - RELEASED Patrick W. Gilmore (Jul 23)
    - Re: Exploit for DNS Cache Poisoning - RELEASED Jared Mauch (Jul 23)
    - Re: Exploit for DNS Cache Poisoning - RELEASED Mike Lewinski (Jul 23)
    - RE: Exploit for DNS Cache Poisoning - RELEASED Skywing (Jul 23)
    - Re: Exploit for DNS Cache Poisoning - RELEASED Matthew Kaufman (Jul 23)
    - https (was: Re: Exploit for DNS Cache Poisoning - RELEASED) Robert Kisteleki (Jul 24)

(Thread continues...)