Exploit for DNS Cache Poisoning - RELEASED

Kevin Day toasty at dragondata.com
Wed Jul 23 23:06:54 UTC 2008

On Jul 23, 2008, at 5:30 PM, Joe Greco wrote:
> Maybe I'm missing it, but this looks like a fairly standard DNS  
> exploit.
> Keep asking questions and sending fake answers until one gets lucky.
> It certainly matches closely with my memory of discussions of the
> weaknesses in the DNS protocol from the '90's, with the primary  
> difference
> being that now networks and hardware may be fast enough to make the
> flooding (significantly) more effective.  I have to assume that one  
> other
> standard minor enhancement has been omitted (or at least not  
> explicitly
> mentioned), and will refrain from mentioning it for now.
> So, I have to assume that I'm missing some unusual aspect to this  
> attack.
> I guess I'm getting older, and that's not too shocking.  Anybody see  
> it?

What's new is the method of how it is being exploited.

Before, if you wanted to poison a cache for www.gmail.com, you get the  
victim name server to try to look up www.gmail.com and spoof flood the  
server trying to beat the real reply by guessing the correct ID. if  
you fail, you may need to wait for the victim name server to expire  
the cache before trying again.

The new way is slightly more sneaky. You get the victim to try to  
resolve an otherwise invalid and uncached hostname like  
00001.gmail.com, and try to beat the real response with spoofed  
replies. Except this time your reply comes with an additional record  
containing the IP for www.gmail.com to the one you want to redirect it  
to. If you win the race and the victim accepts your spoof for  
00001.gmail.com, it will also accept (and overwrite any cached value)  
for your additional record for www.gmail.com as well. If you don't win  
the race, you try again with 00002.gmail.com, and keep going until you  
finally win one. By making up uncached hostnames, you get as many  
tries as you want in winning the race. By tacking on an additional  
reply record to your response packet you can poison the cache for  
anything the victim believes your name server should be authoritative  

This means DNS cache poisoning is possible even on very busy servers  
that normally you wouldn't be able to predict when it was going expire  
its cache, and if you fail the first time you can keep trying again  
and again until you succeed with no wait.

-- Kevin

More information about the NANOG mailing list