[13724] in cryptography@c2.net mail archive
Attacking networks using DHCP, DNS - probably kills DNSSEC
daemon@ATHENA.MIT.EDU (Bill Stewart)
Sat Jun 28 18:44:01 2003
X-Original-To: cryptography@metzdowd.com
Date: Sat, 28 Jun 2003 13:06:03 -0700
To: cypherpunks@lne.com
From: Bill Stewart <bill.stewart@pobox.com>
Cc: cryptography@metzdowd.com
Somebody did an interesting attack on a cable network's customers.
They cracked the cable company's DHCP server, got it to provide a
"Connection-specific DNS suffix" pointing to a machine they owned,
and also told it to use their DNS server.
This meant that when your machine wanted to look up yahoo.com,
it would look up yahoo.com.attackersdomain.com instead.
This looks like it has the ability to work around DNSSEC.
Somebody trying to verify that they'd correctly reached yahoo.com
would instead verify that they'd correctly reached
yahoo.com.attackersdomain.com, which can provide all the signatures
it needs to make this convincing.
So if you're depending on DNSSEC to secure your IPSEC connection,
do make sure your DNS server doesn't have a suffix of echelon.nsa.gov...
------------------------------
RISKS-LIST: Risks-Forum Digest Saturday 17 June 2003 Volume 22 : Issue 78
http://catless.ncl.ac.uk/Risks/22.78.html
------------------------------
Date: Fri, 20 Jun 2003 15:33:15 -0400
From: Tom Van Vleck <thvv@multicians.org>
Subject: ISP's DHCP servers infiltrated
http://ask.slashdot.org/article.pl?sid=03/06/19/2325235&mode=thread&tid=126&tid=172&tid=95
"... It turns out, Charter Communications' DHCP servers were
infiltrated and were providing p5115.tdko.com as the
'Connection-specific DNS suffix', causing all non-hardened Windows
(whatever that means in a Windows context) machines to get lookups
from a hijacked subdomain DNS server which simply responded to every
query with a set of 3 addresses (66.220.17.45, 66.220.17.46,
66.220.17.47).
On these IPs were some phantom services. There were proxying Web
servers (presumably collecting cookies and username/password combos),
as well as an ssh server where the perpetrators were most likely
hoping people would simply say 'yes' to the key differences and enter
in their username/password..."
Hmm, my cable ISP was down this morning. Maybe coincidence.
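Added example (Python), not part of the original mail or the RISKS item: it models the lookup-name substitution described above and two defender-side checks: accept a DNSSEC-validated answer only when its owner name is the name the user actually intended, and audit DHCP leases and resolver answers for the symptoms quoted. The expected suffix, the server addresses and the query names are constructed placeholders.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed placeholders: what an administrator expects DHCP on this network to hand out.
EXPECTED_SUFFIXES = {"corp.example."}
EXPECTED_DNS_SERVERS = {"192.0.2.53", "192.0.2.54"}


def absolute(name: str) -> str:
    """Normalise to a fully-qualified, lower-case name with a trailing dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def candidate_names(typed: str, dhcp_suffix: Optional[str]) -> List[str]:
    """Names a stub resolver may send upstream for what the user typed. Modelled on the
    mail: an unqualified name first gets the DHCP-supplied connection-specific suffix
    appended, then the literal name is tried. A trailing dot means 'already absolute'."""
    if typed.endswith("."):
        return [absolute(typed)]
    cands = []
    if dhcp_suffix:
        cands.append(absolute(f"{typed}.{dhcp_suffix.strip('.')}"))
    cands.append(absolute(typed))
    return cands


def dnssec_name_matches_intent(typed: str, validated_owner: str) -> bool:
    """A DNSSEC chain proves an answer genuine only for the owner name it signs. Accept it
    only when that owner name is the absolute name the user intended, so a signed answer
    for yahoo.com.attackersdomain.com. never passes as one for yahoo.com."""
    return absolute(typed) == absolute(validated_owner)


def audit_dhcp_lease(lease: dict) -> List[str]:
    """Flag a lease whose DNS suffix or resolver list is outside what the admin expects."""
    findings = []
    suffix = lease.get("dns_suffix")
    if suffix and absolute(str(suffix)) not in EXPECTED_SUFFIXES:
        findings.append(f"unexpected DNS suffix {suffix!r}")
    for server in lease.get("dns_servers", []):
        if server not in EXPECTED_DNS_SERVERS:
            findings.append(f"unexpected DNS server {server!r}")
    return findings


def collapsed_answers(observed: Dict[str, List[str]], min_names: int = 3) -> Dict[Tuple[str, ...], List[str]]:
    """Detection heuristic for the symptom quoted from RISKS (every query answered with the
    same few addresses): return each address set returned for >= min_names distinct names."""
    by_answer: Dict[Tuple[str, ...], List[str]] = defaultdict(list)
    for qname, addrs in observed.items():
        by_answer[tuple(sorted(addrs))].append(absolute(qname))
    return {a: sorted(n) for a, n in by_answer.items() if len(n) >= min_names}
```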