DNS cache poisoning attacks -- are they real?
Joe Maimon
jmaimon at ttec.com
Wed Mar 30 04:23:15 UTC 2005
Brad,
I suspect and google confirms, that you know a whole lot more about this
than I do, so please have a little patience explaining this to me.
Brad Knowles wrote:
> At 8:49 AM -0500 2005-03-29, Joe Maimon wrote:
>
>> 1) Registrars being required to verify Authority in delegated to
>> nameservers (will this break any appreciated valid models?) before
>> activating/changing delegation for zone.<REAL FIX>
>
>
> Okay, so the spammers make the data appear valid just long enough to
> pass the test, then they go back to their wily ways. Not a real fix.
>
Why would this not work against the procedure as originaly described?
Step 1) Spammers register Domain and delegate it to nameserver that
respond with AA set for domain.
Step 2) Registrar activated delegation due to Authority response from
nameservers
Step 3) Spammers seed recursive resolvers
Step 4) Spammers change delegation by registrar to seeded resolvers
Step 5) Change fails because Registrar check Authority from seeded
resolvers and does not get it.
How do spammers make step 5 succeed?
>> 2) Stricter settings as regards to all lame delegations -- SERVFAIL by
>> default without recursion/caching attempts?
>
>
> You'd have the caching server check the name of the zone to see if
> it is claimed as an NS record, even when it's just caching/recursive?
> Now, tell me how they'd do this at all the sites on the Internet, since
> we assume that the data advertised may change at any moment?
What I meant is that when a server attempts to seed its cache and it
encounters lameness it should not attempt to obtain it from any other
servers. Perhaps it should return the answer but not cache it (or cache
with forced small TTL).
Now lameness is something that the server SHOULD see when it attempts to
recursively resolve the name without extra effort.
>
> In terms of running a caching/recursive server, I don't think
> there's any way to reliably detect that someone has aimed an NS record
> at you. That would be like asking how you know, a prior, whether or not
> www.youareadamnedbloodyfool.com is a now CNAME record for your webserver.
I am suggesting that the server can semi-reliably detect that the parent
soa hasnt aimed the ns record for the subzone at it. It would verify its
cache contents every X before sending on the answers it has. It should
purge from cache anytime the check reveals that the parent zone has an
NS aimed at it for the cache contents -- which should be a clear
indication of cache hijacking.
Or perhaps servers should check periodicaly for all kinds of lameness of
the cached contents. This would prevent practical usage of a technique
where spammers spray-seed all resolvers they can with large TTL's so
that the resolvers users see them for quite some time irregardless of
registrars/parent zone's actions.
>
>> 3) Paranoid checking for situations such as these by having recursing
>> nameservers attempt to periodically check for suspicous NS and glue from
>> the parent zone's POV and compare it to cache, trashing cached records
>> if they do not like result.
>
>
> How do they know who their claimed "parent" is, when someone aims a
> totally bogus NS record at them? Do you ask them to walk the entire DNS
> tree throughout the entire Internet?
>
And thats so hard? Servers do this all the time fairly often.
>
> An open recursive/caching nameserver is like an open mail relay.
> There may be some people who stubbornly insist that they are a necessary
> evil -- feel free to become the next toad.com if you like. There may be
> a lot of people who have one but don't know it.
>
> But they are evil, and I believe that they should be eliminated.
>
So far nobody here has said that they are either neccessary or evil --
'cept for you and chris on the evil part.
As to that, I cant credit the resulting evilness you paint as evil as
open mail servers became, not because open mail-relay servers were
intrinsically so but because they become so very attractive to all the
evil users out there.
For a real life example of an open-relay mail server, walk to your
nearest corner and see the maildrop that takes mail from anybody and
delivers it to anyone else.
A commandeered open-relay server is spewing garbage to its victims.
A commandeered open-recursion server, while not a good thing, is hardly
doing the same - in most cases described here its simply perpetuating a
domain name far longer than POLICY reasons would like. This was probably
a designed for feature, for example keeping panix.com going strong for
the lucky one due to cached large NS TTLS would have been viewed as a
good thing at the time.
Furthermore, as others have pointed out, eliminating the openness of
these resolvers would simply force a push to have spammers trojan armies
seek 'n' seed the resolvers they can recurse from.
Due to the nature of this game, the larger client base the resolver
serves, the better the chances of it getting seeded. These would be the
same resolvers targetted were they open. And as others have pointed out,
once an answer is in cache, its not considered recursion and different
access control needs to be applied.
More information about the NANOG
mailing list