North American Network Operators Group

Re: Exploit for DNS Cache Poisoning - RELEASED
On Wed, 23 Jul 2008, Kevin Day wrote:
>
> The new way is slightly more sneaky. You get the victim to try to
> resolve an otherwise invalid and uncached hostname like 00001.gmail.com,
> and try to beat the real response with spoofed replies. Except this time
> your reply comes with an additional record containing the IP for
> www.gmail.com to the one you want to redirect it to. If you win the race
> and the victim accepts your spoof for 00001.gmail.com, it will also
> accept (and overwrite any cached value) for your additional record for
> www.gmail.com as well.

RFC 2181 says the resolver should not overwrite authoritative data with
additional data in this manner. I believe the Matasano description is
wrong.

Tony.
--
f.anthony.n.finch <[email protected]> http://dotat.at/
FORTIES CROMARTY FORTH TYNE DOGGER: EAST OR SOUTHEAST 3 OR 4, INCREASING 5 OR
6 LATER. SLIGHT OR MODERATE. FOG PATCHES. GOOD, OCCASIONALLY VERY POOR.
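The RFC 2181 rule cited in the reply above (section 5.4.1, "Ranking data"), as an added example that is not part of the original message and is not taken from any resolver's code: a minimal cache that ranks each RRset by where it came from and refuses to replace cached data with lower-ranked data. The `Trust` and `RankedCache` names, the documentation-range addresses, and the choice to let equal-ranked data replace a cached entry are assumptions of this example.

```python
from enum import IntEnum


class Trust(IntEnum):
    """RFC 2181 section 5.4.1 sources, least to most trustworthy.
    Member names are this example's own shorthand."""
    ADDITIONAL = 1       # additional section, or authority section of a non-authoritative reply
    NONAUTH_ANSWER = 2   # answer section of a non-authoritative reply
    GLUE = 3             # glue from a primary zone or a zone transfer
    AUTH_AUTHORITY = 4   # authority section of an authoritative reply
    AUTH_ANSWER = 5      # authoritative data in the answer section
    ZONE_TRANSFER = 6    # zone transfer data, other than glue
    PRIMARY_ZONE = 7     # primary zone file data, other than glue


class RankedCache:
    def __init__(self):
        self._rrsets = {}  # (owner name, rrtype) -> (Trust, frozenset of rdata)

    @staticmethod
    def _key(name, rrtype):
        return (name.lower().rstrip("."), rrtype.upper())

    def offer(self, name, rrtype, rdata, trust):
        """Store the RRset unless the cache already holds higher-ranked data.
        Returns True if stored, False if the cached RRset was retained."""
        key = self._key(name, rrtype)
        cached = self._rrsets.get(key)
        if cached is not None and trust < cached[0]:
            return False  # e.g. additional data never displaces an authoritative answer
        self._rrsets[key] = (trust, frozenset(rdata))
        return True

    def lookup(self, name, rrtype):
        entry = self._rrsets.get(self._key(name, rrtype))
        return None if entry is None else sorted(entry[1])


def demo():
    """Constructed sample: names from the quoted message, RFC 5737 addresses."""
    cache = RankedCache()
    cache.offer("www.gmail.com", "A", ["192.0.2.10"], Trust.AUTH_ANSWER)
    # One reply: an answer for the uncached name plus an additional record
    # that tries to redefine the name that is already cached.
    stored_answer = cache.offer("00001.gmail.com", "A", ["203.0.113.66"], Trust.AUTH_ANSWER)
    stored_additional = cache.offer("www.gmail.com", "A", ["203.0.113.66"], Trust.ADDITIONAL)
    return stored_answer, stored_additional, cache.lookup("www.gmail.com", "A")


if __name__ == "__main__":
    print(demo())
```

The comparison only has something to reject when the cache already holds the name at a higher rank; an RRset offered for a name with no cached entry is stored at whatever rank it arrives with.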