matunga (3 edits): Linux's BIND still susceptible to DNS Cache Poisoning
Successfully poisoned the latest BIND with fully randomized ports!
The exploit had to send more than 130 thousand requests for fake records like 131737-4795-15081.blah.com in order to match the port and ID and insert a poisoned entry for poisoned_dns.blah.com.
»tservice.net.ru/~s0mbre/blog/dev···_08.html
# dig @localhost www.blah.com +norecurse
; <<>> DiG 9.5.0-P2 <<>> @localhost www.blah.com +norecurse
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6950
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.blah.com. IN A
;; AUTHORITY SECTION:
www.blah.com. 73557 IN NS poisoned_dns.blah.com.
;; ADDITIONAL SECTION:
poisoned_dns.blah.com. 73557 IN A 1.2.3.4
# named -v
BIND 9.5.0-P2
BIND used a fully randomized source port range, i.e. around 64000 ports. Two attacking servers, connected to the attacked one via a GigE link, were used; each one attacked 1-2 ports with the full ID range. Usually an attacking server is able to send about 40-50 thousand fake replies before the remote server returns the correct one, so if the port was matched, the probability of successful poisoning is more than 60%.
The attack took about half a day, i.e. a bit less than 10 hours. So, if you have a GigE LAN, any trojaned machine can poison your DNS during one night...
Steve (Consultant, join 2001-03-10, Yorba Linda, CA; 1 edit): I can see why people find these things tiring, but I'll reply with information, not epithets:
* It's not "Linux's" BIND, it's just "BIND". This is a protocol problem, not a software problem (BIND runs on Windows, too).
* Everybody knows that the source-port randomization has not fixed the problem, just made it harder to exploit.
* The same attack would work on any DNS server, including Microsoft's DNS server or even DJBDNS.
* This attack is very, very noisy.
Edit - If you have a trojaned machine inside your LAN, I'm not sure that DNS is your major worry...
-- Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Tustin, California USA
Steve (reply to matunga): Hmmm, read a bit more: they claim "fully randomized source port range, around 64000 ports": this is probably ~15 bits of entropy, compared with ~12 bits of entropy on Microsoft's DNS server. This makes Microsoft's DNS server ~8 times easier to exploit via this method.
You're not really even trying, are you?
-- Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Tustin, California USA
nwrickert (Premium, MVM, join 2004-09-04, Geneva, IL; reply to matunga):
said by matunga: "Attack took about half of the day, i.e. a bit less than 10 hours."
That's a lot of effort, for very little result.
I currently force a cache expire after 12 hours:
max-cache-ttl 43200 ;
If I thought this were much of a risk, I would lower that to 3 hours, so that the bad data would not stay around for too long. I doubt it is worth that much effort for the hacker to steal my dslreports login cookie.
-- AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.1
Tux789 (reply to Steve):
said by Steve: "It's not 'Linux's' BIND, it's just 'BIND'."
BIND is the default DNS on Linux.
Steve: So what? This discussion is about a design defect in a protocol, and it's disingenuous to attribute this to any particular software.
To further carry the stink being implied to the underlying platform is either intentional deception, or ignorance.
-- Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Tustin, California USA
BeesTea (Network Janitor, Premium, VIP, join 2003-03-08; reply to Tux789):
Re: Linux's BIND still susceptible to DNS Cache Poisoning
said by Tux789: "BIND is the default DNS on Linux."
On *some* distributions of Linux. "Linux" has no default DNS software outside of the standard glibc stub resolver. Even then there's variation in version between distributions.
An accurate statement might be that ISC BIND is the default DNS server for the RedHat Linux distribution. However, Linux has no "default" anything. Some distributions use BIND, some use DJB, etc. etc.
-- Overpower, overcome.
Cabal (Premium, join 2007-01-21, Austin, TX; 2 edits; reply to matunga): Matunga, you neglected to read the blog you linked to. This is a protocol issue, not an implementation problem.
Quoting the blog: "Article says that DJBDNS does not suffer from this attack. It does. Everyone does. With some tweaks it can take longer than BIND, but the overall problem is there."
Microsoft DNS is vulnerable.
-- Interested in open source engine management for your Subaru?
matunga (4 edits; reply to Steve):
said by Steve: "this is probably ~15 bits of entropy, compared with ~12 bits of entropy on Microsoft's DNS server. This makes Microsoft's DNS server ~8 times easier to exploit via this method."
WRONG! In Windows XP and Windows 2003 the entropy is 28 bits. In Windows Vista it is 30 bits.
»www.trusteer.com/files/Microsoft···ning.pdf "the total entropy from an attacker's point of view is 32 bits, and practically in Windows XP and Windows 2003 log2(3976*2^16) which is almost 28 bits. In Windows Vista, the default dynamic port range is 49152-65535, so the practical entropy can be as high as 30 bits"
BeesTea (Network Janitor, Premium, VIP, join 2003-03-08; 1 edit; reply to Cabal):
said by Cabal: "This is a protocol issue, not an implementation problem."
Excellent point, Cabal. It's very important for everyone to understand that part. The *protocol* itself is broken, regardless of the software used. These patches are just making the task of exploitation more difficult. They don't remove the vulnerability. Only reimplementing how DNS works can accomplish that, aka DNSSec, etc.
-- Overpower, overcome.
Steve (reply to matunga):
said by matunga: "WRONG! In Windows XP and Windows 2003 the entropy is 28 bit. In Windows Vista is 30 bit."
Sigh.
I was referring to the entropy of just the source-port IDs when I mentioned 12 and 15; it's assumed this is in addition to the everybody-knows-it entropy of the transaction ID of 16 bits.
This means that:
BIND = 16 + 15 = 31 bits
2003 = 16 + 12 = 28 bits
... which is what I said.
Steve
-- Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Tustin, California USA
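To make the entropy arithmetic in this exchange concrete, here is an added Python model (not code from any poster or from the linked blog) that computes the attacker's guessing space as log2(ports) + 16 TXID bits for the port ranges quoted in the thread, and, under a constructed simplifying model, the per-query poisoning probability and expected number of queries when an off-path attacker sends a burst of distinct TXIDs at one guessed port. The profile names and the 45000-reply burst size are assumptions taken from the figures quoted above; the point for a defender is how much each port-randomization scheme raises the cost, and that none of them closes the gap the way DNSSEC does.

```python
import math

TXID_BITS = 16            # the DNS transaction ID is a 16-bit field
TXID_SPACE = 2 ** TXID_BITS


def entropy_bits(port_count: int, txid_bits: int = TXID_BITS) -> float:
    """Bits an off-path attacker must guess: log2(ports) + TXID bits."""
    return math.log2(port_count) + txid_bits


def port_count_from_range(low: int, high: int) -> int:
    """Number of usable source ports in an inclusive ephemeral-port range."""
    return high - low + 1


def per_query_success(fake_replies: int, port_count: int) -> float:
    """Probability that one outstanding query is poisoned when the attacker
    sends `fake_replies` distinct TXIDs at a single guessed source port.
    Constructed model: guesses are distinct and all arrive before the
    genuine answer, as the thread's description assumes."""
    txid_hit = min(fake_replies, TXID_SPACE) / TXID_SPACE
    return txid_hit / port_count


def expected_queries(fake_replies: int, port_count: int) -> float:
    """Expected number of queries the attacker must trigger before one lands."""
    return 1.0 / per_query_success(fake_replies, port_count)


# Port counts as quoted in the thread (constructed profile names).
PROFILES = {
    "BIND 9.5.0-P2 (~64000 ports)": 64000,
    "Windows XP/2003 (3976 ports)": 3976,
    "Windows Vista (49152-65535)": port_count_from_range(49152, 65535),
    "no port randomization (1 port)": 1,
}


def summary(fake_replies: int = 45000) -> dict:
    """Per profile: (total entropy bits, P(success per query), expected queries)."""
    return {
        name: (round(entropy_bits(ports), 2),
               per_query_success(fake_replies, ports),
               round(expected_queries(fake_replies, ports)))
        for name, ports in PROFILES.items()
    }


if __name__ == "__main__":
    for name, (bits, p, queries) in summary().items():
        print(f"{name:34s} {bits:5.2f} bits  P/query={p:.2e}  ~{queries:,} queries")
```

With the port already known (the "1 port" profile), 45000 replies give roughly a 69% chance per query, matching the "more than 60% if the port was matched" figure in the original post; with ~64000 ports the same burst needs on the order of 10^5 queries, which is why the attack is slow and noisy rather than impossible.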
Steve (2 edits): Re: Linux's BIND still susceptible to DNS Cache Poisoning
It's obvious that he has his own agenda, but this is all about information; even though the posted link had technically correct information, it doesn't even remotely warrant the conclusion he's trying to lead us to.
* Information is usually trivial to rebut.
* Conclusions are much more work to rebut.
Most of these things he posts do have reasonable discussion points, and this technical discussion we're having now allows onlookers who don't know that much about DNS or security (which, it turns out, includes the OP) to follow the logic from A to Z and make their own conclusions.
I'd rather be correct than right.
Steve
-- Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Tustin, California USA
Re: Linux's BIND still susceptible to DNS Cache Poisoning
No