mailing list archives
Re: The cat is indeed out of the bag
From: "Robert McKay" <robert () mckay com>
Date: Wed, 23 Jul 2008 15:22:15 +0100
On Tue, Jul 22, 2008 at 3:36 AM, <monsieur.aglie () hushmail com> wrote:
from chargen 19/udp by ecopeland
The cat is out of the bag. Yes, Halvar Flake figured out the flaw
Dan Kaminsky will announce at Black Hat.
I believe I may have found an important optimisation to this attack.
Basically I observed that if you make a DNS request with a very long QNAME
then nameservers start dropping GLUE records in order to fit the reply into
the maximum UDP packet size.
If you query X.root-servers.net for <long-garbage>.whatever.com then the
reply you get from the root-servers can include as little as ONE actual GLUE
record for .COM. Now obviously .COM will be cached by almost everyone, but
the attack works on many TLDs.
Consider the following query:
rm () wari:~$ dig @a.root-servers.net.
; <<>> DiG 9.3.1 <<>> @a.root-servers.net.
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9857
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 10, ADDITIONAL: 1
;; QUESTION SECTION:
;; AUTHORITY SECTION:
ca. 172800 IN NS TLD3.ULTRADNS.ORG.
ca. 172800 IN NS NS-EXT.ISC.ORG.
ca. 172800 IN NS CA01.CIRA.ca.
ca. 172800 IN NS CA02.CIRA.ca.
ca. 172800 IN NS CA03.CIRA.ca.
ca. 172800 IN NS CA04.CIRA.ca.
ca. 172800 IN NS CA05.CIRA.ca.
ca. 172800 IN NS CA06.CIRA.ca.
ca. 172800 IN NS TLD1.ULTRADNS.NET.
ca. 172800 IN NS TLD2.ULTRADNS.NET.
;; ADDITIONAL SECTION:
CA01.CIRA.ca. 172800 IN A 22.214.171.124
;; Query time: 137 msec
;; SERVER: 126.96.36.199#53(188.8.131.52)
;; WHEN: Wed Jul 23 15:16:14 2008
;; MSG SIZE rcvd: 505
It always returns CA01.CIRA.ca. as the only GLUE record for .CA - No matter
which of the X.root-serveres.net is used. It seems to me that this should
greatly simply the task of gaining NS control of a TLD as you know exactly
which of the nameservers to spoof your replies from.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/