[106181] in North American Network Operators' Group
Re: Exploit for DNS Cache Poisoning - RELEASED
daemon@ATHENA.MIT.EDU (Tony Finch)
Thu Jul 24 08:21:29 2008
Date: Thu, 24 Jul 2008 13:21:07 +0100
From: Tony Finch <dot@dotat.at>
To: Kevin Day <toasty@dragondata.com>
In-Reply-To: <6E4AD80A-7BBF-4F8E-AE21-6F6BDD227CE6@dragondata.com>
Cc: North American Noise and Off-topic Gripes <nanog@merit.edu>, Joe Greco <jgreco@ns.sol.net>
Errors-To: nanog-bounces@nanog.org
On Wed, 23 Jul 2008, Kevin Day wrote:
>
> The new way is slightly more sneaky. You get the victim to try to
> resolve an otherwise invalid and uncached hostname like 00001.gmail.com,
> and try to beat the real response with spoofed replies. Except this time
> your reply comes with an additional record containing the IP for
> www.gmail.com to the one you want to redirect it to. If you win the race
> and the victim accepts your spoof for 00001.gmail.com, it will also
> accept (and overwrite any cached value) for your additional record for
> www.gmail.com as well.
RFC 2181 says the resolver should not overwrite authoritative data with
additional data in this manner.
I believe the Matasano description is wrong.
Tony.
--
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
FORTIES CROMARTY FORTH TYNE DOGGER: EAST OR SOUTHEAST 3 OR 4, INCREASING 5 OR
6 LATER. SLIGHT OR MODERATE. FOG PATCHES. GOOD, OCCASIONALLY VERY POOR.
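An added example, not part of the thread, of the RFC 2181 section 5.4.1 data-ranking rule cited above, written as a small resolver cache in Python. The Rank values, the RankingCache class and the IP addresses are this example's own constructions; the ordering of the ranks follows the RFC.

```python
from dataclasses import dataclass
from enum import IntEnum

# RFC 2181 section 5.4.1 credibility ranking, lowest first. The names are
# this example's own; the ordering is the RFC's.
class Rank(IntEnum):
    ADDITIONAL = 1        # additional section of any reply
    NONAUTH_ANSWER = 2    # answer section of a non-authoritative reply
    GLUE = 3              # glue from a zone file or zone transfer
    AUTH_AUTHORITY = 4    # authority section of an authoritative reply
    AUTH_ANSWER = 5       # answer section of an authoritative (AA) reply
    ZONE = 6              # primary zone data or zone transfer

@dataclass
class Entry:
    rdata: str
    rank: Rank

class RankingCache:
    """Cache that refuses to let lower-ranked data replace higher-ranked data."""
    def __init__(self):
        self.store = {}

    def offer(self, name, rtype, rdata, rank, bailiwick):
        """Return True if the record was stored, False if it was rejected."""
        name = name.lower().rstrip(".")
        # Bailiwick check: drop records the responding zone cannot speak for.
        if not (name == bailiwick or name.endswith("." + bailiwick)):
            return False
        key = (name, rtype)
        cached = self.store.get(key)
        # RFC 2181 s5.4.1: less credible data must not replace more credible data.
        if cached is not None and rank < cached.rank:
            return False
        self.store[key] = Entry(rdata, rank)
        return True

    def lookup(self, name, rtype):
        e = self.store.get((name.lower().rstrip("."), rtype))
        return None if e is None else e.rdata

def demo():
    """Replays the thread's scenario with constructed addresses."""
    cache = RankingCache()
    # Earlier legitimate AA answer for www.gmail.com (address is constructed).
    cache.offer("www.gmail.com", "A", "192.0.2.10", Rank.AUTH_ANSWER, "gmail.com")
    # A reply for 00001.gmail.com carrying an additional record for www.gmail.com:
    # in bailiwick, so only the credibility ranking stands between it and the cache.
    accepted = cache.offer("www.gmail.com", "A", "203.0.113.99", Rank.ADDITIONAL, "gmail.com")
    return accepted, cache.lookup("www.gmail.com", "A")
```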