Exploit for DNS Cache Poisoning - RELEASED
Kevin Day
toasty at dragondata.com
Wed Jul 23 23:06:54 UTC 2008
On Jul 23, 2008, at 5:30 PM, Joe Greco wrote:
>
> Maybe I'm missing it, but this looks like a fairly standard DNS
> exploit.
>
> Keep asking questions and sending fake answers until one gets lucky.
>
> It certainly matches closely with my memory of discussions of the
> weaknesses in the DNS protocol from the '90's, with the primary
> difference
> being that now networks and hardware may be fast enough to make the
> flooding (significantly) more effective. I have to assume that one
> other
> standard minor enhancement has been omitted (or at least not
> explicitly
> mentioned), and will refrain from mentioning it for now.
>
> So, I have to assume that I'm missing some unusual aspect to this
> attack.
> I guess I'm getting older, and that's not too shocking. Anybody see
> it?
>
What's new is the method of how it is being exploited.
Before, if you wanted to poison a cache for www.gmail.com, you get the
victim name server to try to look up www.gmail.com and spoof flood the
server trying to beat the real reply by guessing the correct ID. if
you fail, you may need to wait for the victim name server to expire
the cache before trying again.
The new way is slightly more sneaky. You get the victim to try to
resolve an otherwise invalid and uncached hostname like
00001.gmail.com, and try to beat the real response with spoofed
replies. Except this time your reply comes with an additional record
containing the IP for www.gmail.com to the one you want to redirect it
to. If you win the race and the victim accepts your spoof for
00001.gmail.com, it will also accept (and overwrite any cached value)
for your additional record for www.gmail.com as well. If you don't win
the race, you try again with 00002.gmail.com, and keep going until you
finally win one. By making up uncached hostnames, you get as many
tries as you want in winning the race. By tacking on an additional
reply record to your response packet you can poison the cache for
anything the victim believes your name server should be authoritative
for.
This means DNS cache poisoning is possible even on very busy servers
that normally you wouldn't be able to predict when it was going expire
its cache, and if you fail the first time you can keep trying again
and again until you succeed with no wait.
-- Kevin
More information about the NANOG
mailing list