Newly emerging techniques of DNS cache poisoning have caused quite a stir recently, prompting security researchers to speculate on the nature of the issue, and naturally inducing press stunts by some individuals, including "accidental" information leaks and hasty exploit releases. Many other, more relaxed researchers, who had figured out the attack and had coded working exploits within a few hours (which, by the way, was incredibly easy to do, knowing that an undocumented attack actually existed), decided to coordinate with Dan Kaminsky, who had organized a huge multi-vendor security patch, and to withhold information for the proposed 30 days.
SEC Consult's researchers were among the first to write a working "fast cache poisoning" exploit, details of which will now be published in a whitepaper, which also includes some calculations on the reliability of the attack.
The paper details a way of making DNS cache poisoning / response spoofing attacks more reliable. A caching server will store any NS delegation RRs it receives for a zone that is "closer" to the queried name than the nameservers it already knows. If the spoofed replies each carry a delegation for a single node, the caching server will eventually store that delegation as soon as one spoofed reply matches the transaction ID of the outstanding query.
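The reliability of any response-spoofing attack of this kind comes down to how much unpredictable state a resolver puts into each outstanding query: the 16-bit transaction ID alone, or the transaction ID plus a randomized source port (and, optionally, randomized query-name case). The small model below is an added illustration, not code from the post or from SEC Consult's paper, and it quantifies only the guessing step the post describes; the multi-reply "window" model and the `guesses_per_window` parameter are simplifying assumptions. It is meant for a resolver operator who wants to see what each mitigation buys.

```python
"""Added example: how query entropy changes the odds of a spoofed DNS reply
being accepted. Not part of the original post; the window model is an
assumption made for illustration."""

from fractions import Fraction


def identity_space(txid_bits: int = 16, port_bits: int = 0, case_bits: int = 0) -> int:
    """Number of distinct (transaction ID, source port, name case) combinations
    a forged reply would have to match. Without source-port randomization
    only the 16-bit transaction ID varies, so the space is 65536."""
    return 1 << (txid_bits + port_bits + case_bits)


def window_success_probability(space: int, guesses_per_window: int) -> Fraction:
    """Probability that one outstanding query is hijacked, assuming the
    forged replies arriving before the genuine answer each try a distinct
    identity (assumption: no duplicates, genuine reply ends the window)."""
    if space <= 0 or guesses_per_window < 0:
        raise ValueError("space must be positive and guesses non-negative")
    return Fraction(min(guesses_per_window, space), space)


def expected_windows(p: Fraction) -> Fraction:
    """Expected number of query windows until the first success for a
    geometric process with per-window success probability p."""
    if p <= 0:
        raise ValueError("success probability must be positive")
    return 1 / p


def cumulative_success(p: Fraction, windows: int) -> float:
    """Probability of at least one success within the given number of windows."""
    return 1.0 - (1.0 - float(p)) ** windows


def mitigation_gain(port_bits: int = 16, case_bits: int = 0) -> int:
    """Factor by which the identity space grows when a resolver adds
    source-port randomization (and optionally 0x20 case randomization)
    on top of the transaction ID."""
    return identity_space(16, port_bits, case_bits) // identity_space(16)


if __name__ == "__main__":
    # Constructed comparison: same number of forged replies per window,
    # with and without source-port randomization.
    forged_per_window = 100
    for label, space in (
        ("txid only", identity_space()),
        ("txid + random port", identity_space(port_bits=16)),
        ("txid + port + 0x20", identity_space(port_bits=16, case_bits=8)),
    ):
        p = window_success_probability(space, forged_per_window)
        print(f"{label:22s} space={space:>14d} p/window={float(p):.3e} "
              f"E[windows]={float(expected_windows(p)):.3e}")
```

The figures this prints are the usual argument for the 2008 patch set: adding a randomized source port multiplies the identity space by 65536, so the expected number of windows an attacker needs grows by the same factor while the resolver's own behaviour is unchanged. The model deliberately ignores everything else that affects real-world reliability (timing of the genuine answer, TTL handling, how the resolver treats repeated delegations), which is exactly what the whitepaper's calculations go into.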
Bernhard

--
Bernhard Mueller
Security Consultant
SEC Consult Unternehmensberatung GmbH
www.sec-consult.com
A-1190 Vienna, Mooslackengasse 17
phone +43 1 8903043 34
fax +43 1 8903043 15
mobile +43 676 840301 718
email email@example.com
Firmenbuch Wiener Neustadt: 227896t, UID: ATU56165223
Firmensitz: Prof. Dr. Stephan Korenstraße 10, A-2700 Wiener Neustadt
Advisor for your information security.