[aklug] Re: DNS Exploit

From: Arthur Corliss <acorliss@nevaeh-linux.org>
Date: Thu Jul 10 2008 - 01:16:13 AKDT

On Wed, 9 Jul 2008, Jenkinson, John P (SAIC) wrote:

<snip>

> BUT your upstream DNS server can still be vulnerable and pass you the
> "poisoned" dns response from their cache.
> so in theory a bad person can monitor traffic, capture the request ID
> and port, respond with a response that steers your bank transaction to
> their site instead of your bank's. they just have to beat the real response
> bottom line (imho) the ends are still vulnerable if the patch is applied
> in the middle.

For most people running caching DNS on their local network, upstream DNS from
an ISP is typically irrelevant since they'll be walking the root servers.
You'd have to specifically configure your DNS server to forward queries to
an upstream DNS server, something I've only seen in the rarest of
circumstances since the value of doing so is minimal.

Also consider that most poisoning attempts are actually done (from the
reports I've read) from bots not in a position to monitor traffic. Let's
face it: barring a DNSSEC implementation they'd own you outright if they
could, since they'd have *everything* they need to fake a response in a
heartbeat. Most will try to do some stealth floods of response packets
after some initial probes in the hopes of hitting something valid. With
most responses coming and going from well-known ports it took a lot of the
guesswork out of the equation.

Considering all that, if people updated their local DNS they'd be almost as
hard to hit as the clients they serve.

> i.e. it's more of a client issue than media reports to date might indicate.

That's not actually true. Bear in mind that most resolvers in clients *do*
use randomized high-number ports as the source port of the request,
especially on *NIX systems where the average user is an unprivileged user
and doesn't have the rights to use a low number port in the first place.
That makes the client a much harder target to hit than the DNS server in the
first place.

         --Arthur Corliss
           Live Free or Die
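As an added example (not part of Arthur's mail or the list thread), a small Python check a defender can run over a tcpdump capture of a resolver's outbound queries to see whether it still sends everything from one fixed source port, which is the condition the discussion above says makes a server an easier target than a port-randomizing client. The capture lines, addresses and function names are constructed for illustration.

```python
import math
import re
from collections import Counter

# tcpdump-style lines of a resolver's outbound queries (constructed sample data,
# not a real capture). 192.0.2.10 is the resolver, 198.51.100.1 an authoritative server.
LOG_FIXED = """\
01:16:13.000101 IP 192.0.2.10.53 > 198.51.100.1.53: 40211 A? www.example.com. (33)
01:16:13.000204 IP 192.0.2.10.53 > 198.51.100.1.53: 7720 A? mail.example.com. (34)
01:16:13.000307 IP 192.0.2.10.53 > 198.51.100.1.53: 51893 MX? example.com. (29)
01:16:13.000410 IP 192.0.2.10.53 > 198.51.100.1.53: 2104 A? ns1.example.com. (33)
01:16:13.000513 IP 192.0.2.10.53 > 198.51.100.1.53: 63419 AAAA? www.example.com. (33)
01:16:13.000616 IP 192.0.2.10.53 > 198.51.100.1.53: 33037 A? ftp.example.com. (33)
"""
LOG_RANDOM = """\
01:16:14.000101 IP 192.0.2.10.41237 > 198.51.100.1.53: 40211 A? www.example.com. (33)
01:16:14.000204 IP 192.0.2.10.58004 > 198.51.100.1.53: 7720 A? mail.example.com. (34)
01:16:14.000307 IP 192.0.2.10.33910 > 198.51.100.1.53: 51893 MX? example.com. (29)
01:16:14.000410 IP 192.0.2.10.60821 > 198.51.100.1.53: 2104 A? ns1.example.com. (33)
01:16:14.000513 IP 192.0.2.10.45166 > 198.51.100.1.53: 63419 AAAA? www.example.com. (33)
01:16:14.000616 IP 192.0.2.10.52703 > 198.51.100.1.53: 33037 A? ftp.example.com. (33)
"""

# Source port and transaction ID of each query sent to UDP/53.
QUERY_RE = re.compile(r"IP \S+\.(\d+) > \S+\.53: (\d+)")

def source_ports(log_text):
    """Return [(src_port, txid), ...] for every outbound query in the capture."""
    return [(int(m.group(1)), int(m.group(2)))
            for m in map(QUERY_RE.search, log_text.splitlines()) if m]

def entropy_bits(values):
    """Shannon entropy of the observed values (bounded above by log2(sample size))."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def assess(log_text):
    """Classify the resolver's source-port behaviour from a capture."""
    ports = [p for p, _ in source_ports(log_text)]
    if not ports:
        raise ValueError("no outbound DNS queries found in capture")
    distinct = len(set(ports))
    verdict = "fixed" if distinct == 1 else ("randomized" if distinct == len(ports) else "weak")
    return {
        "queries": len(ports),
        "distinct_ports": distinct,
        "port_entropy_bits": round(entropy_bits(ports), 2),
        "low_ports": sum(1 for p in ports if p < 1024),  # privileged ports such as 53
        "verdict": verdict,
    }
```

A fixed-port resolver leaves the attacker only the 16-bit transaction ID to guess; a sample of a few hundred queries is needed before the entropy figure says much, since it cannot exceed log2 of the sample size.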
Received on Thu Jul 10 01:16:32 2008

This archive was generated by hypermail 2.1.8 : Thu Jul 10 2008 - 01:16:33 AKDT