Comments on ADD / XOR / ROL (blog by halvar.flake), comment feed last updated 2024-03-03T02:04:07-08:00.

PH (2008-08-07 07:31 -07:00):

"It feels like we're all trying to rock the train."

Are you saying we should shoot the developers of DNS? :P good one :)))

padraig (2008-07-24 17:17 -07:00):

> We are not buying anybody time, we are buying people a
> warm and fuzzy feeling.

Nowadays, high premiums are paid for warm and fuzzy feelings.

Icepir8 (2008-07-24 13:29 -07:00):

I think the solution is going to require that DNS lookup responses will have to be digitally signed in the future.

Anonymous (2008-07-24 11:43 -07:00):

I think the main difference between your speculations and Dan is that Dan also worked for months with DNS stakeholders to build fixes for the products we all use.

I am glad for all this bantering about the issues, but unless you can fix it to protect my network, you are a script kiddie who reads Dummies books.
Sorry, my plane to Vegas is leaving now. Got to go hear the experts explain THEIR SOLUTIONS.

MrConceited (2008-07-24 07:05 -07:00):

You've stumbled upon the gist of an attack that has been known for many years. In fact, a more sophisticated version that uses the birthday paradox has been known since 2002.

The new attack is an improvement on that.

Morgan Storey (2008-07-24 04:52 -07:00):

@caf that's how I took it as well.

A couple of things on this though: it was discovered and an article was written back in 2001 and earlier, IIRC.

The reason though not to make this widely known is that if it is widely known someone will write a tool to exploit it, then every script kiddie and his troll will get that tool and bring down thousands of networks.

There is TIME and a way to do full disclosure; doing it without giving the affected (in this case everyone) time to attempt a fix is just silly.

http://morganstorey.com

Unknown (2008-07-23 16:31 -07:00):

Sorry halvar - have to stick up for you here and say that I think you're right to discuss the whole issue.
"DNS For Dummies"? More like DNS For a Smart Guy.
Still have to wait and see what the rest of the stuff is that Dan will talk about - like you said, he is a very intelligent dude.
I'm also impressed that you let that post through from the guy being abusive.
This discussion of what can be 'discussed' reminds me of something I read in a Carl Jung book (IIRC); he said that when he was young, he was told it was forbidden to blaspheme against the Holy Spirit. What was blasphemy against the Holy Spirit? He didn't know, because it was forbidden to talk about that.
So... logically...

Unknown (2008-07-23 02:15 -07:00):

allen baranov,

Not exactly. Here's a better analogy for what Halvar's suggesting:

The magician, through the power of suggestion, makes you want to choose a card. You do so, and send it off to a third party (who you cannot see). Then the magician starts shouting guesses: "FIVE OF HEARTS... ACE OF DIAMONDS..." etc., as quickly as he can. Eventually, the third party yells out the correct card, and the magician has failed.

Most of the time.

But the magician can do this over, and over, and over again, until through sheer chance he *does* manage to guess it right before the real answer comes back. Wow! you think - this guy is for real!

Back in the land of DNS, at this point the attacker has managed to feed you a bogus response for some random subdomain you don't care about anyway. However, you have a certain amount of misplaced trust in this result, which the attacker can transfer to *other* bogus results that you *do* care about.

The magician has all your money.

Anonymous (2008-07-23 00:07 -07:00):

I'm sorry to rain on your parade, but pretty much everyone has guessed that the weakness is to do with the TXID.

Get rid of the TXID complexity and voila - random ports are your only protection against DNS cache poisoning.

Increasing the complexity of TXID creation may help but is not so easy to sort out quickly.

The question is "how" did Dan do it? Maybe I am giving him too much credit, but I doubt he will stand up at a hacker conference and tell them to flood the DNS server with thousands of guesses. Your IPS should block this and the real request will arrive long before you hit the correct TXID.

Flood-guessing the correct TXID is the equivalent of a magician going through a pack of cards and saying "is this your chosen card? no? This one? no? this one? no? this one? no... etc." No magic. I think Dan has found a way to guess the card.

Keeping with the analogy - this blog post is like saying "Dan will guess which card you chose". The magic will be the "how".

haddit (2008-07-22 21:14 -07:00):

"The odds that the attacker manages to guess the correct TXID the first time is 2^-16. The odds that he also guesses the correct root server is 1/13. The odds that he is also able to outrun the server without having the forge reach ns.polya.com too early are not very good, either."

Over time, given enough opportunities, the probability of the exploit succeeding tends towards 1.

Paul L (2008-07-22 18:37 -07:00):

It looks simple to me. Just send a response that's spoofed from all 13 root servers with about 5000 different TXIDs. You can do this 14 times in a row and one of them is bound to be right. Even better, if you start this before the original request you can cause a denial of service to ensure that the actual root server can't get a response in before yours is accepted. If you have a botnet doing this it's even better.

Matt Sandy (2008-07-22 16:50 -07:00):

It seems to me this would only work for redirecting entries that were unpopular enough to have not been in the cache already. I'm not familiar with the eviction methods, but if the lookup were that unpopular in the first place, wouldn't it likely be bumped out of the cache before anyone actually tried to reference it?

Unknown (2008-07-22 14:33 -07:00):

My guess is that the problem is related to two (dependent) queries. Both of them should be spoofed. This is the difference from the trivial hacks. But this is just a random guess. Boldi

Nathan Keltner (2008-07-22 13:01 -07:00):

@Rory, it's actually irrelevant to the attack that the subdomains are irrelevant. You are only kicking off the requests so that you have a (much) greater chance of guessing the TXID. You only have to get one right.

@Egil, that won't work because of the bailiwick checking discussed throughout this thread.

@caf, thanks for the response! I actually found out a lot more about determining bailiwick from a couple of different sources. This Linux Journal article does a decent job of explaining it:

http://www.linuxjournal.com/article/9905

Nima (2008-07-22 10:55 -07:00):

Nice blog! If you like we can exchange links on our blogs! My blog talks about information security software tools and resources, which is being updated daily; you can also subscribe to see the updates on your Google page:

Information Security Software Tools
http://cryptoexperts.blogspot.com

RichieB (2008-07-22 09:26 -07:00):

Having listened to many of Dan's talks at Black Hat, he will probably ramble for an hour about unrelated DNS/network voodoo and then unfold the problem, which won't be much different from what's been explained above. No disrespect to Dan: he discovered it, he wrote a proof of concept, he gets all the credit. He just should not have tried to keep it quiet for so long. Thank you Halvar.

mokum von Amsterdam (2008-07-22 08:17 -07:00):

LOL@halvar [not at the joke :P]

Nice chain of thought on the DNS issue.

Claus Färber (2008-07-22 04:01 -07:00):

No, it does not work. If ns.polya.com gets the correct reply for ns.gmx.net first, it's in ns.polya.com's cache.

The odds that the attacker manages to guess the correct TXID the first time is 2^-16. The odds that he also guesses the correct root server is 1/13. The odds that he is also able to outrun the server without having the forge reach ns.polya.com too early are not very good, either.

Steve (2008-07-22 03:41 -07:00):

Aysz88,

Who gives a damn about stealing someone's thunder? Some of us have networks to secure against smart people that don't post their speculations where the rest of us can benefit from them. Halvar helped us all out by giving us an opportunity to make informed decisions about our networks. Dan can still bask in his glory, and the rest of us can get back to work.

Marco Massenzio (2008-07-22 03:20 -07:00):

Halvar - it's actually worse than that... if a "dude" can figure it out after reading a "DNS-for-dummies" book (and, from what I've seen, it looks as if you got it *almost* right) it totally does my head in how on earth it's possible 'experts' have totally missed it.

That's not being asleep at the wheel: it's more like having taken a dose of sleeping drug before setting off...

BTW - that's the Italian Hell :-)

Unknown (2008-07-22 02:58 -07:00):

Here is why it works:

Malory wants to poison the server ns.polya.com

Malory sends NS requests for ulam00001.com, ulam00002.com ... to ns.polya.com.

Malory then sends a forged answer, saying that the NS for www.ulam00002.com is ns.google.com *AND* puts a glue record saying that ns.google.com is 66.6.6.6

Because the glue record corresponds with the answer record (same domain), the targeted nameserver will cache or replace its current record of ns.google.com to be 66.6.6.6

Unknown (2008-07-22 02:10 -07:00):

natron,

Typically, in that case, when you query the .com servers for www.customdomain.com, they return "customdomain.com NS ns1.godaddy.com" with no corresponding glue record - so your resolver then has to go look up ns1.godaddy.com's A record for itself (obviously, you eventually end up having to rely on glue records somewhere along the line).

You might think "oh, you can just ignore all glue records that are out-of-domain (e.g. if looking up x.foo.com, accept a glue record for ns.foo.com but not one for ns.bar.com)", but that fails if foo.com's nameservers are under bar.com *and* bar.com's name servers are under foo.com (i.e. a circular reference). Now that's a pretty stupid setup, so you might well be happy to break it...

halvar.flake (2008-07-22 01:46 -07:00):

For those of you that think my post took anything away from Dan's talk:

Imagine there's a world-renowned expert on particle physics coming to town, and you want to go see what his theories are. He will give a 1-hour long lecture on his newest discoveries. On your way to the lecture, some random dude on the street corner comes up to you and goes:

"Hey, I think I know what he'll say, it's (..30 seconds of vague mumbling follows..)".

Do you then decide that watching the physics expert is no longer worth it?

Seriously, if you think that my vague mumblings take anything away from Dan's talk, you're insulting Dan. He's one of the leading experts on DNS, and he'll give a talk about much more than the 8 lines of potential bullshit that I wrote.

Rory McCune (2008-07-22 01:13 -07:00):

One thing in all this, having heard the detailed explanation from Matasano on the vulnerability, is wouldn't it be possible to mitigate this by changing the behaviour of the authoritative name server..?

If I'm understanding things correctly, as the authoritative name server for a domain you'd see a whole load of requests for invalid subdomains to your domain (e.g. AAAA.MYDOMAIN.COM, AAAB.MYDOMAIN.COM) and usually you just respond with NXDOMAIN.

Would it be possible to change that behaviour to respond as the attacker would do with the RR for your valid hosts, so causing the caching DNS server to cache them on the first attempt and preventing the attacker from getting the incorrect entries in first..?