Re: first successful (lab) spoof of a fully source port randomized server reported

Alex Bligh <alex@alex.org.uk> Sun, 10 August 2008 08:54 UTC

Date: Sun, 10 Aug 2008 09:54:34 +0100
From: Alex Bligh <alex@alex.org.uk>
Reply-To: Alex Bligh <alex@alex.org.uk>
To: sthaug@nethelp.no, jeroen@unfix.org
cc: namedroppers@ops.ietf.org, Alex Bligh <alex@alex.org.uk>
Subject: Re: first successful (lab) spoof of a fully source port randomized server reported
Message-ID: <1BDC660168661516D7087994@nimrod.local>
In-Reply-To: <20080810.093718.74690983.sthaug@nethelp.no>
References: <20080808111242.GI6566@outpost.ds9a.nl> <20080808.132607.41660169.sthaug@nethelp.no> <489C324B.1090603@spaghetti.zurich.ibm.com> <20080810.093718.74690983.sthaug@nethelp.no>


--On 10 August 2008 09:37:18 +0200 sthaug@nethelp.no wrote:

> The attacker needs to spoof a *specific* source IP. The 1M node botnet
> doesn't help here. As Paul Vixie said on bind-users today:

Let's suppose the attacker /does/ spoof a specific source IP (or a small
group thereof), and uses it to target servers configured like this...

>> note that any dns server with a host based firewall can implement a 100%
>> effective mitigation for the Polyakov attack, and it's possible that an
>> upstream/outboard firewall could also be made to do it.  in freebsd ipfw
>> it looks like this:
>>
>> add     pipe 1  udp     from any 53 to 204.152.188.20 in
>> pipe 1  config  mask src-ip 0xffffffff buckets 32768 bw 56Kbit/s queue 1
>
> which is exactly what I was thinking of.

...I think we've just succeeded in converting a poisoning attack into
a DoS vector. Just spoof the IPs of the root nameservers, or NS for
google.com or whatever. I realise DoS of root nameserver access is probably
less dangerous than poisoning then, but...

Alex
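An added example, not part of this thread or of Vixie's posting: a toy Python model of the per-source-IP pipe that the quoted ipfw lines express, showing the point raised above that the limiter keys only on the packet's claimed source address, so a flood carrying an upstream server's address shares that server's bucket and crowds out its genuine replies. The address 192.0.2.53, the packet sizes and the rates are constructed, and the token bucket is an approximation of dummynet's pipe, not its exact algorithm.

```python
from collections import defaultdict

BW_BYTES_PER_S = 56_000 // 8   # "bw 56Kbit/s" -> 7000 bytes/s
BURST_BYTES = 1500             # rough stand-in for "queue 1": one MTU of slack
UPSTREAM = "192.0.2.53"        # constructed: an authoritative server we rely on


class PerSourceLimiter:
    """Token bucket keyed on the packet's (claimed) source IP, i.e.
    'mask src-ip 0xffffffff'. Approximates dummynet; not its exact algorithm."""

    def __init__(self, rate=BW_BYTES_PER_S, burst=BURST_BYTES):
        self.rate, self.burst = rate, burst
        self.tokens = defaultdict(lambda: float(burst))
        self.last_seen = defaultdict(float)

    def admit(self, src_ip, size, now):
        """Return True if the packet is forwarded, False if the pipe drops it."""
        refill = (now - self.last_seen[src_ip]) * self.rate
        self.last_seen[src_ip] = now
        self.tokens[src_ip] = min(self.burst, self.tokens[src_ip] + refill)
        if self.tokens[src_ip] >= size:
            self.tokens[src_ip] -= size
            return True
        return False


def run_scenario(flood_pps, flood_bytes=60, duration=1.0):
    """Genuine 512-byte replies from UPSTREAM arrive 10/s. A flood of small
    packets claiming UPSTREAM's address arrives at flood_pps (0 = no flood).
    Returns {"genuine": [admitted, dropped], "spoofed": [admitted, dropped]}."""
    events = [(i / 10 + 0.0005, "genuine", 512) for i in range(int(10 * duration))]
    events += [(i / flood_pps, "spoofed", flood_bytes)
               for i in range(int(flood_pps * duration))]
    events.sort()
    limiter = PerSourceLimiter()
    stats = {"genuine": [0, 0], "spoofed": [0, 0]}
    for when, kind, size in events:
        # Both kinds carry the same source address, so they share one bucket.
        stats[kind][0 if limiter.admit(UPSTREAM, size, when) else 1] += 1
    return stats


if __name__ == "__main__":
    print("no flood :", run_scenario(0))
    print("1000 pps :", run_scenario(1000))
```

With no flood every genuine reply passes; with a flood of 60-byte packets at 1000/s only the first genuine reply gets through before the shared bucket is drained, which is the conversion from poisoning mitigation to DoS vector described above.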

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>