[Dailydave] The audacity of thinking you're not owned

Parity pty.err at gmail.com
Sat Jul 12 15:03:53 EDT 2008


My totally uninformed speculation is worth way less than $0.02, but -

Dan says he discovered the attack by accident.  Mapping a sequence of TXIDs
into a rainbow table is not something one does on a whim.  Moreover, if the
attack you just proposed works against TXIDs, then it ought to just as
likely work against source ports as well.

For my money, if he says he discovered it by accident, then Dan means to say
that he was looking at a graph of some sort at the time.

pty

> So here's what I think the exploit is, which is a slightly advanced
> method of some of Amit's stuff. I'm not a DNS (or crypto, for that
> matter) expert, so feel free to fill me in on where I'm missing stuff.
>
> 1. You can use the TTL to find out when to do your spoofing.
> 2. Use your own DNS to respond to some requests setting TTL=0 to get a
> long list of TXIDs from the resolver.
> 3. Map this list of TXIDs into an internal RNG state using a rainbow
> table. This lets you predict the next set of TXIDs with just a hash
> lookup.
> 4. Make a request for mail.google.com and send your spoofed packets to
> infect the cache.
>
> - -dave
> P.S.: Kudos to the thousand people who posted about MOV RAX, RAX.
>
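The thread's point that both the transaction ID and the source port have to be unpredictable suggests the check a resolver operator would want to run on their own resolver: collect the TXIDs and source ports of outgoing queries and see whether either field looks like a counter or a fixed value. The following is an added example, not code from either poster; the sample sequences are constructed inline rather than captured from a real resolver, and the thresholds are illustrative heuristics.

```python
"""Assess whether observed DNS transaction IDs and source ports look
predictable.  Added example, not part of the original list post; the
samples at the bottom are constructed, not captured traffic."""
import math
import random
from collections import Counter


def shannon_entropy_bits(values):
    """Shannon entropy (bits) of the observed value distribution."""
    if not values:
        return 0.0
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def constant_stride(values):
    """True if every consecutive pair differs by the same amount mod 2**16,
    i.e. the field is a plain counter (the classic sequential-ID weakness)."""
    if len(values) < 3:
        return False
    deltas = {(b - a) % 65536 for a, b in zip(values, values[1:])}
    return len(deltas) == 1


def assess_field(values, name):
    """Describe how predictable one 16-bit field looks over a sample."""
    entropy = shannon_entropy_bits(values)
    distinct_ratio = len(set(values)) / len(values)
    sequential = constant_stride(values)
    # A sample of n values drawn uniformly would have entropy close to
    # log2(n); a counter passes that bar, so it is flagged separately.
    max_possible = math.log2(len(values))
    weak = sequential or entropy < 0.8 * max_possible
    return {
        "field": name,
        "entropy_bits": round(entropy, 2),
        "distinct_ratio": round(distinct_ratio, 2),
        "sequential": sequential,
        "weak": weak,
    }


def assess_resolver(txids, ports):
    """Both fields must be unpredictable: a spoofer only has to match the
    combination, so one weak field removes most of the guessing work."""
    results = [assess_field(txids, "txid"), assess_field(ports, "source_port")]
    return {"fields": results, "predictable": any(r["weak"] for r in results)}


# Constructed samples: a counter-style TXID with a fixed source port,
# versus both fields drawn from a seeded PRNG (seed is arbitrary).
SEQUENTIAL_TXIDS = [(0x1A2B + i) % 65536 for i in range(200)]
FIXED_PORT = [53] * 200
_rng = random.Random(20080712)
RANDOM_TXIDS = [_rng.randrange(65536) for _ in range(200)]
RANDOM_PORTS = [_rng.randrange(1024, 65536) for _ in range(200)]

if __name__ == "__main__":
    for label, t, p in (("weak resolver", SEQUENTIAL_TXIDS, FIXED_PORT),
                        ("randomized resolver", RANDOM_TXIDS, RANDOM_PORTS)):
        verdict = assess_resolver(t, p)
        print(label, "predictable" if verdict["predictable"] else "ok")
        for r in verdict["fields"]:
            print("  ", r)
```

A real run would replace the constructed lists with the ID and source-port fields parsed from a packet capture of the resolver's outbound queries, sampled over enough queries that a counter or a small port pool shows up clearly.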