[aklug] Re: DNS Exploit (fwd)

From: Jenkinson, John P (SAIC) <John.Jenkinson@bp.com>
Date: Fri Jul 11 2008 - 09:16:28 AKDT

or
as Arthur suggested blast the internet or subnets with replies for a site
you wish to lure users to as you've mirrored it at your site. if you match the
query for bank of america or whatever you are attempting to poison and
ISPs would have a LOT of such queries it might stick then stay till its ttl expired.
a bot could do this with all possible port and sequence number combos
or
bad guy has a site set up with a DNS server and a web server. lures users
there with any of several techniques. had juicy links you click on with names he
resolves as authority so your request seq number and port history are captured. then
lures you to resolve bank of america and speeds HIS reply to you.
or
other techniques come to mind

-----Original Message-----
From: aklug-bounce@aklug.org [mailto:aklug-bounce@aklug.org] On Behalf
Of James Zuelow
Sent: Friday, July 11, 2008 7:03 AM
To: aklug@aklug.org
Subject: [aklug] Re: DNS Exploit (fwd)

On Friday 11 July 2008 02:54:03 am bryanm@acsalaska.net wrote:
> On Thu, July 10, 2008 10:41 am, Arthur Corliss wrote:
> > Your boxed router is typically using an upstream DNS server. If your ISP
> > hasn't updated, you're vulnerable by proxy. If, however, it runs a true
> > caching DNS then you're not vulnerable since it'll be talking to
> > authoritative DNS servers only.
>
> I'm a little confused. Presumably most home users get their
> name resolution from their ISP's DNS servers. Doesn't that
> make them vulnerable?
>

I think any actual attack like this would have to be very targeted. To attack
an ISP's DNS servers an attacker would have to determine what port the ISP's
DNS servers were making requests on, sniff the request ID, and then insert
their replies into data the ISP's DNS servers are expecting back. AND
account for multiple ISP DNS servers, AND account for a BIND daemon
restarting and changing ports.

Maybe I'm betraying my non-1337 status (1 5ux0rz! ) but that seems non-trivial
to me.

James
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.

Received on Fri Jul 11 09:16:47 2008

This archive was generated by hypermail 2.1.8 : Fri Jul 11 2008 - 09:16:47 AKDT
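A defender-side check that follows from the thread's question of how predictable a resolver's query source port and request ID are, added here as an example and not code from the list thread: it scores (source port, TXID) pairs observed from a resolver's outbound queries and flags a fixed port or a sequential ID counter. The sample pairs are constructed, and `assess_resolver` and `entropy_bits` are hypothetical names.

```python
"""Score a resolver's outbound-query unpredictability from observed
(source_port, txid) pairs. Added example, not code from the aklug thread.
Sample data is constructed; real pairs come from a capture of outbound port-53 traffic."""
import math
import random
from collections import Counter

def entropy_bits(values):
    """Shannon entropy (bits) of the observed value distribution."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def assess_resolver(pairs, min_samples=20):
    """pairs: list of (source_port, txid) from successive outbound queries.
    Returns a dict of measurements plus a 'verdict' string."""
    pairs = list(pairs)
    if len(pairs) < min_samples:
        return {"verdict": "insufficient-data", "samples": len(pairs)}
    ports = [p for p, _ in pairs]
    txids = [t for _, t in pairs]
    # Consecutive TXIDs that differ by exactly 1 betray a sequential counter.
    sequential = sum(1 for a, b in zip(txids, txids[1:]) if (b - a) % 65536 == 1)
    res = {
        "samples": len(pairs),
        "distinct_ports": len(set(ports)),
        "port_entropy_bits": round(entropy_bits(ports), 2),
        "txid_entropy_bits": round(entropy_bits(txids), 2),
        "sequential_txid_steps": sequential,
    }
    # With n samples, n distinct values give log2(n) bits; allow one bit of slack.
    floor_bits = math.log2(len(pairs)) - 1
    if res["distinct_ports"] == 1:
        res["verdict"] = "fixed-source-port"  # only the 16-bit TXID guards the cache
    elif sequential > len(pairs) // 2:
        res["verdict"] = "sequential-txid"
    elif min(res["port_entropy_bits"], res["txid_entropy_bits"]) < floor_bits:
        res["verdict"] = "weak-randomization"
    else:
        res["verdict"] = "good"
    return res

# Constructed samples (seeded so results are reproducible), not real captures.
_rng = random.Random(2008)
FIXED_PORT = [(32768, _rng.randrange(65536)) for _ in range(64)]
RANDOMIZED = [(_rng.randrange(1024, 65536), _rng.randrange(65536)) for _ in range(64)]

if __name__ == "__main__":
    for name, sample in (("fixed-port resolver", FIXED_PORT), ("patched resolver", RANDOMIZED)):
        print(name, assess_resolver(sample))
```

A resolver reported as "fixed-source-port" leaves only the 16-bit request ID between a cache and a forged answer, which is the condition the thread is discussing.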