
Dailydave mailing list archives
Re: The audacity of thinking you're not owned
From: "Thomas Pollet" <thomas.pollet () gmail com>
Date: Mon, 14 Jul 2008 18:26:31 +0200
Hi, thanks for your reply. I didn't know about the negative TTL before; however, this can be circumvented by specifying different nonexistent subdomains, which would somehow complicate/slow down the attack.

I was thinking that if you'd control whatever subdomain on a given domain, there are some fun things that can be done at the application level. Arbitrary RR poisoning is preferable, of course. But if the goal is to map a subdomain to an IP in a browser DNS cache, there might be a way to do so. A 4G search space is still huge, but combined with every possible way to reduce the search space, this approach might become feasible within a reasonable time limit.

My understanding of actual DNS implementations is limited, but suppose a txid/port combination is created such that there are no two txids in use at the same time (as opposed to no two txid/port combinations in use at the same time); then the search space would decrease by 2^16 for every txid you can exclude (as you may find out other txids by querying the DNS resolver yourself, to find out some txids not to use for flooding). Also, the DNS server may be configured not to use the full range of ports; this can also be guessed, etc.

Regards,
Thomas

2008/7/14 Jon Oberheide <jon () oberheide org>:
> On Mon, 2008-07-14 at 08:21 +0200, Thomas Pollet wrote:
> > - suppose you want to spoof a nonexistent subdomain of a site, e.g. pwned.paypal.com
> > - you get a user on a website to repeatedly request something on that domain from within a web page
> > - as the domain does not exist, every request will result in a DNS lookup
>
> Not necessarily. DNS has all sorts of wonderfully quirky features, one of them being negative caching [1]. So your NXDOMAIN/SERVFAIL/whatever responses for a RR can be cached too.
>
> > - while the DNS request is ongoing, flood the client (and intermediate DNS in a recursive scheme) with fake responses.
>
> Even if you did succeed, all you'd be left with is pwned.paypal.com, which might be more effective than heyipromisethisispaypal.com in your phishing emails, but has nowhere near the impact of arbitrary RR poisoning.
>
> Regards,
> Jon Oberheide
>
> [1] http://www.ietf.org/rfc/rfc2308.txt
>
> --
> Jon Oberheide <jon () oberheide org>
> GnuPG Key: 1024D/F47C17FE
> Fingerprint: B716 DA66 8173 6EDD 28F6 F184 5842 1C89 F47C 17FE
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
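The two messages above argue about three things: the size of the txid/port search space an off-path spoofer has to cover, how much a narrow port range or a set of excludable txids shrinks it, and whether negative caching (RFC 2308) denies the attacker a race window when the client keeps asking for the same nonexistent name. The following Python model is an added example for this archive page, not code from either poster. It assumes a resolver that draws a 16-bit txid and a source port uniformly from a configurable range, keeps a negative cache keyed by name, and accepts the first response whose (txid, port) pair matches its outstanding query; the names, TTL values and the 203.0.113.66 address are constructed for illustration.

```python
"""Toy model of the off-path spoofing race discussed in the thread.

Added example, not code from either poster.  Assumes a resolver that draws a
16-bit transaction ID and a UDP source port uniformly from a configurable port
range, keeps an RFC 2308 negative cache, and accepts the first response whose
(txid, port) pair matches the outstanding query.  The attacker cannot see the
query; it fires a batch of distinct (txid, port) guesses per race window,
optionally dropping txids it has learned are in use and narrowing the port
range it believes the resolver uses.  Names, TTLs and addresses are constructed.
"""
import random

TXID_SPACE = 1 << 16           # 16-bit DNS transaction ID


def search_space(port_lo, port_hi, excluded_txids=0):
    """(txid, source port) pairs the attacker must cover.  With the full 16-bit
    port range this is 2^32 (the '4G' of the thread); each txid the attacker
    can exclude removes one txid times the number of usable ports."""
    ports = port_hi - port_lo + 1
    return (TXID_SPACE - excluded_txids) * ports


def expected_windows(space, forged_per_window):
    """Expected race windows until a hit when each window carries
    forged_per_window distinct guesses drawn uniformly from the space."""
    return space / min(forged_per_window, space)


class ToyResolver:
    """Only the behaviour the thread talks about: txid/port choice and the
    negative cache that suppresses the outbound lookup (and so the race)."""

    def __init__(self, port_lo=1024, port_hi=65535, neg_ttl=300, seed=0):
        self.port_lo, self.port_hi, self.neg_ttl = port_lo, port_hi, neg_ttl
        self.rng = random.Random(seed)
        self.negcache = {}     # qname -> time its cached NXDOMAIN expires
        self.poisoned = {}     # qname -> attacker-supplied address

    def query(self, qname, now):
        """Return ('cached', answer) if no packet leaves, else ('sent', txid, port)."""
        if qname in self.poisoned:
            return ('cached', self.poisoned[qname])
        expiry = self.negcache.get(qname)
        if expiry is not None and expiry > now:
            return ('cached', 'NXDOMAIN')
        return ('sent', self.rng.randrange(TXID_SPACE),
                self.rng.randint(self.port_lo, self.port_hi))


class Attacker:
    """Off-path attacker guessing (txid, port) pairs for one outstanding query."""

    def __init__(self, port_lo, port_hi, excluded_txids=(), seed=1):
        self.port_lo, self.ports = port_lo, port_hi - port_lo + 1
        excluded = set(excluded_txids)
        self.txids = [t for t in range(TXID_SPACE) if t not in excluded]
        self.rng = random.Random(seed)

    @property
    def space(self):
        return len(self.txids) * self.ports

    def forge(self, n):
        """n distinct (txid, port) guesses; random.sample on a range does not
        materialise the 2^32-entry space."""
        n = min(n, self.space)
        return {(self.txids[i // self.ports], self.port_lo + i % self.ports)
                for i in self.rng.sample(range(self.space), n)}


def run_race(resolver, attacker, qnames, forged_per_window):
    """One client request per time step (the 'repeatedly request something'
    step).  A window opens only when the resolver actually sends a query;
    otherwise the negative cache answers and nothing can be raced.  If the
    attacker misses, the legitimate NXDOMAIN lands in the negative cache."""
    windows = 0
    for now, qname in enumerate(qnames):
        reply = resolver.query(qname, now)
        if reply[0] == 'cached':
            continue
        _, txid, port = reply
        windows += 1
        if (txid, port) in attacker.forge(forged_per_window):
            resolver.poisoned[qname] = '203.0.113.66'   # constructed address (TEST-NET-3)
            return {'windows': windows, 'requests': now + 1, 'poisoned': qname}
        resolver.negcache[qname] = now + resolver.neg_ttl
    return {'windows': windows, 'requests': len(qnames), 'poisoned': None}


if __name__ == '__main__':
    print('full search space:', search_space(0, 65535))
    # Same name repeated: only the first request opens a window.
    same = run_race(ToyResolver(), Attacker(1024, 65535), ['pwned.example.com'] * 10, 0)
    # A fresh nonexistent label per request sidesteps the negative cache.
    fresh = run_race(ToyResolver(), Attacker(1024, 65535),
                     [f'x{i}.example.com' for i in range(10)], 0)
    print('windows, same name:', same['windows'], ' fresh names:', fresh['windows'])
    # A resolver pinned to one source port leaves only the txid to guess.
    narrow = run_race(ToyResolver(port_lo=33000, port_hi=33000),
                      Attacker(33000, 33000), ['pwned.example.com'], TXID_SPACE)
    print('single-port resolver poisoned on window', narrow['windows'], narrow['poisoned'])
```

Two things the model makes concrete: repeating the same nonexistent name yields exactly one race window per negative TTL, whereas a fresh label per request yields one window per request, which is the circumvention Thomas describes; and pinning the resolver to a single source port collapses the space to 65536 txids, small enough for one flood to cover entirely. Excluding known txids (the `excluded_txids` argument) shrinks the attacker's candidate set by one txid times the port range, which is the 2^16 per txid figure from the message when the full port range is in play.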
Current thread:
- The audacity of thinking you're not owned Dave Aitel (Jul 12)
- Re: The audacity of thinking you're not owned Parity (Jul 12)
- Re: The audacity of thinking you're not owned Brandon Enright (Jul 12)
- Re: The audacity of thinking you're not owned Parity (Jul 12)
- Re: The audacity of thinking you're not owned Halvar Flake (Jul 13)
- Re: The audacity of thinking you're not owned Jason Ross (Jul 13)
- Re: The audacity of thinking you're not owned Thomas Pollet (Jul 14)
- Re: The audacity of thinking you're not owned Jon Oberheide (Jul 14)
- Re: The audacity of thinking you're not owned Thomas Pollet (Jul 14)
- Re: The audacity of thinking you're not owned Brandon Enright (Jul 12)
- Re: The audacity of thinking you're not owned Parity (Jul 12)