The Impact of RFC Guidelines on DNS Spoofing Attacks

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: The Impact of RFC Guidelines on DNS Spoofing Attacks
From: have2Banonymous <a637831@xxxxxxxxx>
Date: Mon, 12 Jul 2004 05:45:37 -0700 (PDT)
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

EXECUTIVE SUMMARY

This paper provides a brief overview of basic Domain Name System (DNS) spoofing 
attacks against
DNS client resolvers.  Technical challenges are proposed that should help to 
both identify
attempted attacks and prevent them from being successful.  Relevant Request for 
Comments (RFC)
guidelines, used by programmers to help ensure their DNS resolver code meets 
specifications, are
reviewed.  This results in the realisation that the RFC guidelines are not 
adequately specific or
forceful to help identify or prevent DNS spoofing attacks against DNS client 
resolvers. 
Furthermore, the RFC guidelines actually simplify such attacks to a level that 
has not previously
been discussed in the public domain until now.

To highlight the consequences of merely conforming to the RFC guidelines 
without considering
security ramifications, an example DNS spoofing attack against the DNS resolver 
in Microsoft
Windows XP is provided.  This illustrates serious weaknesses in the Windows XP 
DNS resolver client
implementation.  For example, Windows XP will accept a DNS reply as being valid 
without performing
a thorough check that the DNS reply actually matches the DNS request.  This 
allows an attacker to
create a malicious generic DNS reply that only needs to meet a couple of 
criteria with predictable
values in order to be accepted as a valid DNS reply by the targeted user.

This paper discusses the practical impact of the issues raised, such as the 
ability to perform a
successful and reasonably undetectable DNS spoofing attack against a large 
target base of Windows
XP users, without the attacker requiring knowledge of the DNS requests issued 
by the targeted
users.  Finally, a comparison with the DNS resolver in Debian Linux is supplied.


The paper can be found at the following URL:
http://members.ozemail.com.au/~987654321/impact_of_rfc_on_dns_spoofing.pdf
























                
__________________________________
Do you Yahoo!?
Yahoo! Mail Address AutoComplete - You start. We finish.
http://promotions.yahoo.com/new_mail

Prev by Date: White Paper: 0x00 vs ASP file upload scripts
Next by Date: Re: current leading bots used in drone armies [June/July 2004]
Previous by thread: Re: White Paper: 0x00 vs ASP file upload scripts
Next by thread: RE: The Impact of RFC Guidelines on DNS Spoofing Attacks
Index(es):
- Date
- Thread