* Posts by not

1 post • joined 10 Jul 2008

Vendors form alliance to fix DNS poisoning flaw


Why this, why now?

So I have a theory on what it is that Dan Kaminsky may have discovered that is broken with DNS.

Basically it has to do with ICMP packets (spoofed ICMP unreachable response packets sent to the recursor in order to prevent it communicating with the real nameserver - or similarly sent to the real authorative nameservers to prevent them talking to the recursor).

The biggest difficulty with spoofing DNS at the moment is that you need to silence the real nameservers in order to get your fake replies in.

ICMP packets are sent in response to other IP packets. For an ICMP response to be valid, it must contain the IP header of the packet it is a response to, but it also must contain 64 bits of the data payload. The reason for requiring 64 bits of the payload is to prevent people from spoofing ICMP replies to packets they have not received. In the case of a DNS packet, that payload is the first 64 bits of the UDP header.

What is in the first 64 bits of the UDP header? The source and destination ports of the DNS servers. If these are easily predictable then you can spoof ICMP.

If you can spoof ICMP, you can prevent the recursor from communicating with the real nameserver by sending an ICMP unreachable. This will make it very very easy to spoof DNS as it removes the biggest hurdle, that of silencing the real nameservers. It only takes about 2 min on a 10 Mbit/s connection to run through all 65536 possible sequence numbers, so if you can prevent the recursor from talking to the real nameservers it really is easy as pie.
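The validation the post describes, as an added example that is not part of the original post: a resolver-side check that parses the datagram quoted inside an ICMP Destination Unreachable (IP header plus the first 8 bytes of the UDP header) and only honours the error if that 4-tuple matches a query the resolver actually has in flight. Addresses, ports and the pending-query table are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

# An ICMP Destination Unreachable (type 3) quotes the offending datagram's IP
# header plus the first 8 bytes of its payload; for a DNS query over UDP those
# 8 bytes are the UDP header (src port, dst port, length, checksum).
# An off-path sender must therefore guess the resolver's source port; a fixed
# or predictable port makes that guess easy, a randomised one does not.

def build_quoted_datagram(src_ip, dst_ip, src_port, dst_port):
    """Constructed sample: minimal IPv4 header (no options) + UDP header."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, 17, 0,
                         IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    udp_hdr = struct.pack("!HHHH", src_port, dst_port, 20, 0)
    return ip_hdr + udp_hdr

def quoted_from_icmp(icmp_msg):
    """Return the quoted datagram from a type 3 ICMP message, else None."""
    if len(icmp_msg) < 8 or icmp_msg[0] != 3:
        return None
    return icmp_msg[8:]

def parse_quoted_datagram(quoted):
    """Return (src_ip, dst_ip, proto, src_port, dst_port), or None when fewer
    than IP header + 8 payload bytes were quoted (RFC 792 minimum)."""
    if len(quoted) < 20:
        return None
    ihl = (quoted[0] & 0x0F) * 4
    if ihl < 20 or len(quoted) < ihl + 8:
        return None
    proto = quoted[9]
    src_ip = str(IPv4Address(quoted[12:16]))
    dst_ip = str(IPv4Address(quoted[16:20]))
    src_port, dst_port = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return (src_ip, dst_ip, proto, src_port, dst_port)

def icmp_error_matches_pending(quoted, pending):
    """Act on the ICMP error only if the quoted UDP 4-tuple matches an
    outstanding query; pending holds (resolver_ip, ns_ip, src_port, 53)."""
    parsed = parse_quoted_datagram(quoted)
    if parsed is None or parsed[2] != 17:   # truncated quote or not UDP
        return False
    src_ip, dst_ip, _, sport, dport = parsed
    return (src_ip, dst_ip, sport, dport) in pending

if __name__ == "__main__":
    pending = {("192.0.2.53", "198.51.100.10", 40000, 53)}   # constructed
    msg = b"\x03\x03" + b"\x00" * 6 + build_quoted_datagram(
        "192.0.2.53", "198.51.100.10", 40000, 53)
    print(icmp_error_matches_pending(quoted_from_icmp(msg), pending))
```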


