[Dailydave] The audacity of thinking you're not owned
Thomas Pollet
thomas.pollet at gmail.com
Mon Jul 14 12:26:31 EDT 2008
Hi,
Thanks for your reply, I didn't know about the negative ttl before,
however this can be circumvented by specifying different nonexistent
subdomains, this would somehow complicate/slow down the attack. I was
thinking that, if you'd control whatever subdomain on a given domain,
there are some fun things that can be done on the application level.
Arbitrary RR poisoning is preferable of course. But if the goal is to
map a subdomain to an ip in a browser dns cache, there might be a way
to do so. A 4G search space is still huge, but combined with every
possible way to reduce the search space, this approach might become
feasible within a reasonable time limit. My understanding of actual
dns implementation is limited, but suppose a txid/port combination is
created such that there are no 2 txids in use at the same time (as
opposed to no 2 txid/port combinations in use at the same time), then
the search space would decrease with 2^16 for every txid you can
exclude (as you may find out other txids by querying the dns resolver
yourself to find out some txids not to use for flooding). Also, the
dns server may be configured to not use the full range of ports, this
can also be guessed, etc.
Regards,
Thomas
2008/7/14 Jon Oberheide <jon at oberheide.org>:
> On Mon, 2008-07-14 at 08:21 +0200, Thomas Pollet wrote:
>> - suppose you want to spoof a nonexistent subdomain of a site, e.g.
>> pwned.paypal.com
>> - you get a user on a website to repeatedly request something on that
>> domain from within a web page
>> - as the domain does not exist, every request will result in a dns lookup
>
> Not necessarily. DNS has all sorts of wonderfully quirky features, one
> of them being negative caching [1]. So your NXDOMAIN/SERVFAIL/whatever
> responses for a RR can be cached too.
>
>> - while the dns request is ongoing, flood the client (and intermediate
>> dns in a recursive scheme) with fake responses.
>
> Even if you did succeed, all you'd be left with pwned.paypal.com which
> might be more effective than heyipromisethisispaypal.com in your
> phishing emails, but has nowhere near the impact of arbitrary RR
> poisoning.
>
> Regards,
> Jon Oberheide
>
> [1] http://www.ietf.org/rfc/rfc2308.txt
>
> --
> Jon Oberheide <jon at oberheide.org>
> GnuPG Key: 1024D/F47C17FE
> Fingerprint: B716 DA66 8173 6EDD 28F6 F184 5842 1C89 F47C 17FE
>
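The two conditions the thread turns on, a stream of lookups for distinct nonexistent subdomains of one zone (the way around negative caching) and a resolver whose txid or source-port choices do not span their full 16-bit ranges, are both visible in resolver query logs. The following is an added example written for this archive page, not code from either poster. It assumes a constructed log format of one outbound resolver query per line (timestamp, originating client, qname, rcode, txid, source port); the window and threshold values are illustrative choices, and the entropy figure is a crude span-based estimate meant to flag a narrow range, not a rigorous measurement.

```python
from collections import defaultdict
from math import log2

# Constructed sample log lines (not from the original thread), one outbound
# resolver query per line:
#   <timestamp> <client-ip> <qname> <rcode> <txid> <source-port>
# 10.0.0.5 drives six lookups for random labels under example.com within a
# few hundredths of a second; 10.0.0.7 makes an ordinary typo lookup.
SAMPLE_LOG = """\
1.00 10.0.0.5 www.example.com NOERROR 4012 33211
1.05 10.0.0.5 x7k2q.example.com NXDOMAIN 7771 40102
1.06 10.0.0.5 p0m3v.example.com NXDOMAIN 7772 40103
1.07 10.0.0.5 zz19a.example.com NXDOMAIN 7773 40104
1.08 10.0.0.5 q4r8t.example.com NXDOMAIN 7774 40105
1.09 10.0.0.5 b2n6y.example.com NXDOMAIN 7775 40106
1.10 10.0.0.5 m5w1c.example.com NXDOMAIN 7776 40107
2.50 10.0.0.7 mail.example.org NOERROR 9120 51233
2.60 10.0.0.7 typo.example.org NXDOMAIN 9121 51234
"""


def parse(log):
    """Turn the constructed log text into (ts, client, qname, rcode, txid, port) tuples."""
    records = []
    for line in log.splitlines():
        ts, client, qname, rcode, txid, port = line.split()
        records.append((float(ts), client, qname.lower().rstrip("."),
                        rcode, int(txid), int(port)))
    return records


def parent_zone(qname, labels=2):
    """Crude zone grouping: keep the last `labels` labels of the name."""
    return ".".join(qname.split(".")[-labels:])


def nxdomain_bursts(records, window=1.0, threshold=5):
    """Return {(client, zone): n} for every client that received NXDOMAIN for
    at least `threshold` distinct names under one zone inside any `window`
    seconds. Repeated lookups of the same missing name are served from the
    negative cache, so only distinct names count."""
    per_key = defaultdict(list)  # (client, zone) -> [(ts, qname)]
    for ts, client, qname, rcode, _, _ in records:
        if rcode == "NXDOMAIN":
            per_key[(client, parent_zone(qname))].append((ts, qname))
    alerts = {}
    for key, events in per_key.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it fits inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {name for _, name in events[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[key] = max(alerts.get(key, 0), len(distinct))
    return alerts


def span_bits(values):
    """log2 of the span of observed values, capped at the 16-bit field width.
    A resolver using the whole range approaches 16; a narrow port range or
    clustered txids come out much lower."""
    span = max(values) - min(values) + 1
    return min(16.0, log2(span))


def effective_search_bits(records):
    """Estimated bits of (txid, source port) an off-path spoofer would have to
    guess, given what this resolver actually emits. 32 is the ideal; the
    thread's point is that anything that shrinks either field shrinks this."""
    return span_bits([r[4] for r in records]) + span_bits([r[5] for r in records])


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("NXDOMAIN bursts:", nxdomain_bursts(recs))
    print("effective search bits: %.1f" % effective_search_bits(recs))
```

On the sample, only the 10.0.0.5 / example.com pair trips the burst rule, and the span estimate comes out well under 32 bits because the constructed txids cluster in a few thousand values; on a real resolver the same measurement over a few thousand logged queries is a cheap way to confirm that port randomisation is in effect rather than assuming it.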