Archives for: July 2008, 28 - Securebits Blog


Archives for: July 2008, 28

07/28/08

04:07:29 am, Categories: dns

…Continuation of the previous entry…

Dan's Discovery
Although the attack discovered by Dan Kaminsky is still a form of DNS cache poisoning, it has a unique feature that exploits an inherent property of the DNS implementation. The attack can successfully poison the cache even though the cache might already contain the entry (hostname and IP) the attacker wants to set. For example, if the cache contains an entry like www.securebits.org -> 65.65.65.65, the attack can successfully overwrite it.
The attack happens as follows: the attacker sends many DNS query packets to the DNS server to be poisoned, and after sending each query packet, he also sends a reply packet. The query packets ask for non-existent names under a specific domain (for example: 00001.securebits.org, 00002.securebits.org, 00003.securebits.org, etc). Since the DNS server under attack is not the authoritative server for the domain securebits.org, it will resolve the name through recursive queries. Typically, the name server that gives the final answer is the authoritative name server of securebits.org, that is, ns.securebits.org.

The fake replies the attacker sends along with the queries carry the IP address of ns.securebits.org as their source address. Also, they all have the same TXID. Another thing to note is that the destination port of the replies must match the source port of the packets sent by the DNS server. The attacker can easily determine this at the beginning by issuing a query for a name under a domain he controls. That source port number is then used as the destination port number in all the replies. Since the TXID is 16 bits, on average it takes around 30,000 replies to hit the correct TXID, and the cache is poisoned …

Up to this point, the cache is poisoned with a record for a non-existent name like 12345.securebits.org. Since the attacker is more interested in setting a record for www.securebits.org, the reply can be more sophisticated: it can contain an additional Resource Record (RR) that says www.securebits.org is at 33.33.33.33.

A few notes to bear in mind:

- The attack works regardless of whether the cache already contains a record for the name that the attacker wants to inject.

- Almost all DNS servers can be attacked/poisoned. Even with the patches released by vendors, the attack is still possible, but the process can take a couple of hours instead of a couple of seconds.

- To block this attack using an IDS/IPS, a signature would be multiple DNS reply packets with the same source IP address and the same TXID.
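
The IDS/IPS signature from the last note, sketched as a detector over captured DNS payloads. This is an added example, not code from the original post: the function names, threshold, time window, the refinement of counting distinct queried names, and the sample capture (documentation addresses) are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

def parse_dns(payload):
    """Return (txid, is_response, qname) from a raw DNS message, or None if malformed."""
    if len(payload) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    labels, pos = [], 12
    while qdcount and pos < len(payload) and payload[pos] != 0:
        length = payload[pos]
        if length & 0xC0 or pos + 1 + length > len(payload):
            return None  # pointer or truncated label in the question: treat as malformed
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace").lower())
        pos += 1 + length
    return txid, bool(flags & 0x8000), ".".join(labels)

def find_repeated_txid_replies(packets, threshold=5, window=10.0):
    """packets: iterable of (timestamp, src_ip, udp_payload).
    Returns {(src_ip, txid): [names]} for pairs that carried replies for at
    least `threshold` distinct names within `window` seconds."""
    seen = defaultdict(list)  # (src_ip, txid) -> [(timestamp, qname), ...]
    alerts = {}
    for ts, src, payload in sorted(packets, key=lambda p: p[0]):
        parsed = parse_dns(payload)
        if parsed is None or not parsed[1]:
            continue  # skip malformed messages and queries (QR bit clear)
        txid, _, qname = parsed
        bucket = seen[(src, txid)]
        bucket.append((ts, qname))
        bucket[:] = [(t, q) for t, q in bucket if ts - t <= window]  # expire old entries
        names = {q for _, q in bucket}
        if len(names) >= threshold:
            alerts[(src, txid)] = sorted(names)
    return alerts

def build_reply(txid, qname):
    """Constructed sample input: DNS response header plus one question section."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 0, 0, 0)
    question = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return header + question + struct.pack("!HH", 1, 1)

# Constructed capture: 192.0.2.53 stands in for the address of ns.securebits.org.
SAMPLE = [(i * 0.1, "192.0.2.53", build_reply(0x1234, f"{i:05d}.securebits.org"))
          for i in range(1, 7)]
# Normal traffic: another server answering with a different TXID per reply.
SAMPLE += [(i * 0.1, "198.51.100.7", build_reply(0x4000 + i, "www.example.com"))
           for i in range(1, 7)]

if __name__ == "__main__":
    for (src, txid), names in find_repeated_txid_replies(SAMPLE).items():
        print(f"ALERT {src} txid=0x{txid:04x} replies for {len(names)} names")
```

Counting distinct names rather than raw packets keeps a legitimate server that retransmits one answer from tripping the rule.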



This is the Blog of Securebits Think-Tank. It is maintained by AR Samhuri. The blog is about topics like Network Security, Penetration Testing, TCP/IP Attacks, Security R&D, Security Tools, etc.
