Vulnerability Development mailing list archives
Re: distributed.net and seti@home
From: core.lists.exploit-dev () CORE-SDI COM (Iván Arce)
Date: Wed, 2 Feb 2000 18:47:26 -0300
Oliver Friedrichs wrote:
> DNS cache corruption will be possible until DNS-SEC is in wide use. I haven't seen any tools using the parallel query attack to poison the cache, however (yet). Randomizing the query ID does little to protect you if you can send 100 queries for the same name, causing BIND to send out 100 queries. All of a sudden you've increased your chance of guessing a valid ID to 1/6554 instead of 1/65535. Send out 1000 queries and you only need to send out 655 spoofed replies to get one right. I believe BIND will still do this; however, I don't know what it does when it receives invalid replies, whether it invalidates the original query or not. Something to look at.
There is no way for that to happen. The lookup for a pending query that corresponds to a received response is done using the query id, so if the query id is wrong (does not match any pending query) it will just log the fact and drop the response; named won't know which pending query to invalidate.

I remember discussing this with several people years ago, when the query id problem was found and a patch was being thought out: we all knew that randomizing the qid was not enough given the 16-bit space for it. Maybe doing a lookup on the qname received in an invalid response against the list of pending queries and incrementing a counter for "wrong qid responses" could help detect an attack. I don't think it's much of a performance penalty, since it would be done ONLY on invalid responses; then again, it might open named to a DoS attack.

The other interesting thing is that the last time I checked, named did not verify that there was no outstanding recursed query for a query received. That means that if you sent 100 queries to the nameserver for the SAME RR and the nameserver uses recursion, it will send out 100 queries (with different qids), thus making the parallel attack feasible. I really don't see why this couldn't be fixed, as it not only improves security but reduces network traffic (I haven't checked the latest bind sources, though).

-ivan

--
"Understanding. A cerebral secretion that enables one having it to know a house from a horse by the roof on the house. Its nature and laws have been exhaustively expounded by Locke, who rode a house, and Kant, who lived in a horse." - Ambrose Bierce

==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
email: iarce () core-sdi com
http://www.core-sdi.com
Pte. Juan D. Peron 315 Piso 4 UF 17
1038 Capital Federal
Buenos Aires, Argentina.
Tel/Fax : +(54-11) 4331-5402
Casilla de Correos 877 (1000) Correo Central
=====================================================================

--- For a personal reply use iarce () core-sdi com
Current thread:
- Re: distributed.net and seti@home Sen_Ml Sen_Ml (Jan 30)
- Re: distributed.net and seti@home Stefan Aeschbacher (Feb 01)
- <Possible follow-ups>
- Re: distributed.net and seti@home Robert Wojciechowski Jr. (Jan 31)
- Re: distributed.net and seti@home Sebastian (Jan 31)
- Re: distributed.net and seti@home Clifford, Shawn A (Jan 31)
- Re: distributed.net and seti@home Seth R Arnold (Jan 31)
- Re: distributed.net and seti@home CyberPsychotic (Jan 31)
- Re: distributed.net and seti@home Oliver Friedrichs (Feb 01)
- Re: distributed.net and seti@home Iván Arce (Feb 02)
- Re: distributed.net and seti@home Oliver Friedrichs (Feb 01)
- Re: distributed.net and seti@home Sen_Ml Sen_Ml (Feb 01)
- Re: distributed.net and seti@home Kerneels (Feb 02)
- Re: distributed.net and seti@home Granquist, Lamont (Feb 03)
- Re: distributed.net and seti@home Steffen Zahn (Feb 04)
- Re: distributed.net and seti@home Sen_Ml Sen_Ml (Feb 01)
- Possible DHCP DOS attack Paul Keefer (Feb 02)
- Re: Possible DHCP DOS attack Sebastian Andersson (Feb 02)
- Re: Possible DHCP DOS attack Eric Hacker (Feb 03)
- Re: Possible DHCP DOS attack C.J. Oster (Feb 03)
- Re: Possible DHCP DOS attack Erik Fichtner (Feb 03)