Kaminsky finds DNS exploit

Jack Lloyd lloyd at randombit.net
Thu Jul 10 09:59:36 EDT 2008 

On Wed, Jul 09, 2008 at 02:39:42PM -0500, Harald Hanche-Olsen wrote:
> + John Kemp <john at jkemp.net>:
>
> > It does seem he would like an air of some mystery to exist though
> > until he makes his presentation about the issue at Defcon - did he,
> > himself, discover something new? We'll just have to wait, unless we
> > go play with the BIND code ourselves.
>
> Unless he is merely blowing smoke, it would seem that he discovered
> some little twist that makes the known vulnerability much more easily
> exploitable than previously assumed. That would explain his statement:
> the patch fixes a well known vulnerability, and as a side effect stops
> the more serious attack, in effect making it hard to tell what is
> involved in that attack from reading the patch.

I came across a plausible sounding theory about this.

Quoting from http://wari.mckay.com/~rm/dns_theroy.txt

"""
So I have a theory on what it is that Dan Kaminsky may have discovered
that is broken with DNS (it was already _so_ broken, what else could be
wrong?!)

Basically it has to do with ICMP packets (spoofed ICMP unreachables sent
in response to DNS packets the attacker can't see, but can guess - thanks
to non-random port selection).

The biggest problem with spoofing DNS at the moment is that you need
to silence the real nameservers in order to get your fake replies in.

For an ICMP response to be valid, it must contain the IP header of the
packet it is a reponse too, but it also must contain 64bits of the data
payload. The reason for requiring 64bits of the payload is to prevent
people from spoofing ICMP replies to packets they have not received. In
the case of a DNS packet, that payload is the first 64 bits of the UDP
header.

What is in the first 64bits of the UDP header? The source and destination
ports of the DNS servers. If these are easily predictable then you can
spoof an ICMP unreachable response to a dns query or reply without
actually receiving it.

If you can spoof ICMP; You can prevent the recursor from communicating
with the real nameserver. This will make it very very easy to spoof DNS as
it removes the biggest hurdle; that of silencing the real nameservers. It
only takes about 2min on a 10mbit/s connection to run through all 65536
possible sequence numbers so if you can prevent the recursor from talking
to the real nameservers it really is easy as pie.
"""

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list