Re[2]: Windows DNS Cache Poisoning by Forwarder DNS Spoofing

To: "Roger A. Grimes" <roger@xxxxxxxxxxxxxx>
Subject: Re[2]: Windows DNS Cache Poisoning by Forwarder DNS Spoofing
From: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>
Date: Wed, 18 Apr 2007 00:49:59 +0400
Cc: "Makoto Shiotsuki" <shio@xxxxxxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <096A04F511B7FD4995AE55F13824B833212968@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: http://www.security.nnov.ru
References: <096A04F511B7FD4995AE55F13824B833212965@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> <200704171630.AA00000@xxxxxxxxxxxxxxxxxxxx> <096A04F511B7FD4995AE55F13824B833212968@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Reply-to: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>

Dear Roger A. Grimes,

 DNS  spoofing attack in general can not be 'patched', because this is a
 weakness of DNS protocol itself.

 As  for  birthday  attack  applicability, this problem was discussed in
 2002.  In  2003  problem still exist in both bind 8 and 9. According to
 CERT  (US-CERT) as on 10/18/2004 bind was still vulnerable. As far as I
 remember,  there  never  was  a patch for bind to prevent this specific
 attack, yet it can be a part of some later bind release.

 A possible mitigation against birthday attacks (not against spoofing in
 general) on the server software level are any of:

 1.  Do  no reuse source port for DNS requests. Have every request to be
 issued  from  different  source  ports  (resource consumption attack is
 possible).
 2.  Keep  a  table  of issued requests and do not issue request for the
 same  name  before  response  for  previous one is received (can not be
 implemented in scalable 'multiple processes' DNS server architecture)
 3. Monitor if multiple replies are received for a single request.

 I don't know if bind actually use any. Hope, this helps.
 

--Tuesday, April 17, 2007, 8:48:04 PM, you wrote to shio@xxxxxxxxxxxx:

RAG> How does BIND stop this sort of attack? 

RAG> Can a BIND expert respond?

RAG> Roger

RAG> *****************************************************************
RAG> *Roger A. Grimes, InfoWorld, Security Columnist 
RAG> *CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
RAG> *email: roger_grimes@xxxxxxxxxxxxx or roger@xxxxxxxxxxxxxx
RAG> *Author of Professional Windows Desktop and Server Hardening (Wrox)
RAG> *http://www.amazon.com/gp/product/0764599909
RAG> *****************************************************************


RAG> -----Original Message-----
RAG> From: Makoto Shiotsuki [mailto:shio@xxxxxxxxxxxx] 
RAG> Sent: Tuesday, April 17, 2007 12:31 PM
RAG> To: Roger A. Grimes
RAG> Cc: bugtraq@xxxxxxxxxxxxxxxxx
RAG> Subject: Re: Windows DNS Cache Poisoning by Forwarder DNS Spoofing

>>One question.  Is BIND any better at preventing this type of attack? 

RAG> As far as I know, this vulnerability is specific to the Windows DNS.

RAG> Makoto Shiotsuki


-- 
~/ZARAZA http://securityvulns.com/

Follow-Ups:
- RE: Re[2]: Windows DNS Cache Poisoning by Forwarder DNS Spoofing
  - From: Roger A. Grimes

References:
- RE: Windows DNS Cache Poisoning by Forwarder DNS Spoofing
  - From: Roger A. Grimes
- Re: Windows DNS Cache Poisoning by Forwarder DNS Spoofing
  - From: Makoto Shiotsuki
- RE: Windows DNS Cache Poisoning by Forwarder DNS Spoofing
  - From: Roger A. Grimes

Prev by Date: Multiple Ask IE Toolbar denial of service vulnerabilities
Next by Date: Gizzar <= (basePath) Remote File Include Vulnerability
Previous by thread: RE: Windows DNS Cache Poisoning by Forwarder DNS Spoofing
Next by thread: RE: Re[2]: Windows DNS Cache Poisoning by Forwarder DNS Spoofing
Index(es):
- Date
- Thread