Re: first successful (lab) spoof of a fully source port randomized server reported

Jeroen Massar <jeroen@unfix.org> Fri, 08 August 2008 11:52 UTC

Message-ID: <489C324B.1090603@spaghetti.zurich.ibm.com>
Date: Fri, 08 Aug 2008 13:47:23 +0200
From: Jeroen Massar <jeroen@unfix.org>
Organization: Unfix
To: sthaug@nethelp.no
CC: namedroppers@ops.ietf.org
Subject: Re: first successful (lab) spoof of a fully source port randomized server reported
References: <20080808111242.GI6566@outpost.ds9a.nl> <20080808.132607.41660169.sthaug@nethelp.no>
In-Reply-To: <20080808.132607.41660169.sthaug@nethelp.no>
List-ID: <namedroppers.ops.ietf.org>

sthaug@nethelp.no wrote:
>> http://tservice.net.ru/~s0mbre/blog//devel/networking/dns/2008_08_08
>>
>> "Attack took about half of the day, i.e. a bit less than 10 hours.
>>  So, if you have a GigE lan, any trojaned machine can poison your DNS during
>>  one night... "
>>
>> Congratulations are due to Evgeniy Polyakov! He includes the source of his
>> exploit.
> 
> Interesting enough. Meanwhile, if I have a recursive name server where
> the total traffic from the authoritative servers is in the range of
> 2 - 3 Mbps, I believe I could safely rate limit the traffic from each
> individual IP (representing a possibly spoofed authoritative server) to
> 100 - 200 kbps. This should raise the bar somewhat.

/me reconfigures the 1M-node botnets to only send 100 packets/s per bot.

Isn't distributed^Wcloud computing amazing?

Unfortunately, as long as one can try all the combinations in one way or 
another, the problem keeps on existing. And if people can send 1G for 12 
hours without anybody noticing, you have worse problems in your network.

The bad part is that one can most likely also crack DNSSEC or TLS with this 
method; it is basically the infinite monkeys typing problem: they will 
produce the answer that you expected. If you work against it, e.g. "the 
monkeys send me X fake responses, let's rate limit", you might be blocking 
service (denial of service) to something legitimate again.

Nice and annoying problem, thanks Dan* :)

Greets,
  Jeroen

* = do the dictionaries already contain a proper definition for "to pull 
a Kaminsky on someone"? :)
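The two positions in this exchange (a per-source rate limit "raises the bar somewhat" versus "as long as one can try all the combinations the problem keeps on existing") can be put into numbers. The model below is an added example for this archive page; it is not code from the thread, from the linked blog post, or from Evgeniy Polyakov's exploit. It treats every forged reply as an independent uniform guess at the resolver's (transaction ID, source port) pair, which is what the Kaminsky technique of triggering fresh queries for random names achieves, and it ignores forgeries that land outside a query window, so it is a lower bound on attacker time. All concrete figures (100-byte forged reply, GigE link, four nameserver addresses for the victim zone, a 150 kbps per-source cap in the middle of the 100-200 kbps range proposed above) are assumptions for illustration. One detail worth noting about the cap: it keys on the forged source address, i.e. the authoritative server being impersonated, so the quantity that multiplies the attacker's budget under such a limit is the number of distinct nameserver addresses the resolver would accept an answer from, not the number of hosts sending the forgeries.

```python
"""Back-of-the-envelope cost model for a Kaminsky-style cache poisoning race.

Added example; not code from the thread, the linked blog post or the
published exploit.  Every number used here (reply size, link rate, number
of nameserver addresses, rate cap) is an assumption for illustration.
"""
import math
from typing import Optional


def guess_space(txid_bits: int = 16, port_bits: int = 16) -> int:
    """Number of (transaction ID, source port) pairs a forged reply must match.

    port_bits=0 models a resolver that always queries from one fixed port,
    the weakness the Kaminsky attack exploited; 16 models full source port
    randomisation (slightly optimistic, since ports below 1024 and a few
    reserved ones are usually excluded from the pool).
    """
    return 1 << (txid_bits + port_bits)


def replies_per_second(link_bps: float, reply_bytes: int = 100) -> float:
    """Forged replies/s an attacker can push over a link of link_bps.

    reply_bytes is the assumed on-the-wire size of one small forged answer
    (Ethernet + IP + UDP + DNS); 100 bytes is a rough assumption.
    """
    return link_bps / (reply_bytes * 8)


def accepted_replies_per_second(attacker_pps: float,
                                cap_pps: Optional[float],
                                sources: int) -> float:
    """Forged replies/s that survive a per-source-address rate limit.

    The limit keys on the (forged) source IP, i.e. the authoritative server
    being impersonated, so `sources` is the number of distinct nameserver
    addresses the resolver would accept an answer from for the victim zone.
    cap_pps=None means no limit at all.
    """
    if cap_pps is None:
        return attacker_pps
    return min(attacker_pps, cap_pps * sources)


def expected_seconds(space: int, pps: float) -> float:
    """Mean time until one forged reply matches.

    The resolver picks a fresh TXID and port for every query the attacker
    triggers, so guesses to first success are geometric with mean `space`.
    """
    return space / pps


def success_probability(space: int, pps: float, seconds: float) -> float:
    """Probability that at least one of pps*seconds uniform guesses hits.

    Equals 1 - (1 - 1/space)**guesses, computed without cancellation for
    large `space` via log1p/expm1.
    """
    guesses = pps * seconds
    return -math.expm1(guesses * math.log1p(-1.0 / space))


def hours(seconds: float) -> float:
    """Convenience conversion for the summary table."""
    return seconds / 3600


if __name__ == "__main__":
    gige = replies_per_second(1e9)    # assumed attacker link: ~1.25M forged replies/s
    cap = replies_per_second(150e3)   # assumed 150 kbps per source: ~190 replies/s
    nameservers = 4                   # assumed addresses the resolver accepts answers from
    for label, space in (("fixed port, 16-bit TXID", guess_space(16, 0)),
                         ("random port, 32 bits   ", guess_space(16, 16))):
        unlimited = accepted_replies_per_second(gige, None, nameservers)
        limited = accepted_replies_per_second(gige, cap, nameservers)
        print(f"{label}:")
        print(f"  no rate limit       : {hours(expected_seconds(space, unlimited)):10.4f} h expected")
        print(f"  150 kbps/source x{nameservers}  : {hours(expected_seconds(space, limited)):10.1f} h expected")
        print(f"  P(success in 10 h)  : {success_probability(space, limited, 36000):.3f}")
```

Running it shows the shape of the argument: with a fixed source port the 16-bit space falls in a fraction of a second at GigE rates; full port randomisation pushes the expected time to about an hour under these assumptions, and the per-source cap stretches that to a few thousand hours. The cap changes the constant, not the fact that every combination is reachable, which is the point made in the reply above.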