On Sun, 2008-07-13 at 20:09 -0700, piggly wiggly wrote:
> Basically it has to do with ICMP packets (spoofed ICMP unreachables sent
> in response to DNS packets the attacker can't see, but can guess - thanks
> to non-random port selection).
Or ICMP redirect messages for that matter (although I'd hope most sane
distributions are shipping with accept_redirects off by default
nowadays).
> The biggest problem with spoofing DNS at the moment is that you need
> to silence the real nameservers in order to get your fake replies in.
>
> For an ICMP response to be valid, it must contain the IP header of the
> packet it is a response to, but it also must contain 64 bits of the data
> payload. The reason for requiring 64 bits of the payload is to prevent
> people from spoofing ICMP replies to packets they have not received. In
> the case of a DNS packet, that payload is the first 64 bits of the UDP
> header.
>
> What is in the first 64 bits of the UDP header? The source and destination
> ports of the DNS servers. If these are easily predictable then you can
> spoof an ICMP unreachable response to a DNS query or reply without
> actually receiving it.
The first 8 bytes of the UDP header may be predictable but you're
forgetting the IP header that must be included in the ICMP response
message as well. The IP header of course contains the 16-bit IP ID
field which is randomly generated on many platforms.
So the attacker would have to guess the 16-bit IP ID correctly to have
his ICMP unreachable accepted, which would be just as difficult as
guessing the DNS TXID. Stacks that still use incremental IP ID
generation could be affected, however.
Regards,
Jon Oberheide
--
Jon Oberheide <jon_at_oberheide.org>
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6 F184 5842 1C89 F47C 17FE
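Jon's IP ID point, as an added example that is not from the thread: a Python model of the RFC 1122 check a receiving stack applies to an ICMP error (the quote must carry the offending IP header plus the first 64 bits of its payload and match a datagram actually sent). All addresses, IP IDs, ports and packets are constructed; the `outstanding` table and the `check_ip_id` switch are assumptions used to contrast a stack that compares the quoted IP ID with one that ignores it.

```python
import socket
import struct

# Added example (not from the thread); all addresses and packets are constructed.
def ipv4_header(src, dst, ip_id, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ip_id, 0,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def dns_query_datagram(src, dst, ip_id, sport, txid):
    """IPv4 + UDP + 12-byte DNS header; ip_id and sport are the guessable fields."""
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    udp = struct.pack("!HHHH", sport, 53, 8 + len(dns), 0)
    return ipv4_header(src, dst, ip_id, 17, len(udp) + len(dns)) + udp + dns

def icmp_port_unreach(src, dst, offending):
    """ICMP type 3/code 3 quoting the offending IP header + first 64 bits of payload."""
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + offending[:28]
    return ipv4_header(src, dst, 0, 1, len(icmp)) + icmp

def quoted_fields(icmp_pkt):
    """(src, dst, ip_id, sport, dport) from the quote, or None if it is too short."""
    quoted = icmp_pkt[28:]                       # skip outer IP (20) + ICMP header (8)
    if len(quoted) < 28:                         # inner IP header + 8 bytes of UDP
        return None
    ip_id = struct.unpack("!H", quoted[4:6])[0]
    src, dst = socket.inet_ntoa(quoted[12:16]), socket.inet_ntoa(quoted[16:20])
    sport, dport = struct.unpack("!HH", quoted[20:24])
    return src, dst, ip_id, sport, dport

def accept_icmp_error(icmp_pkt, outstanding, check_ip_id=True):
    """Honour the error only if its quote matches an in-flight (src, dst, ip_id,
    sport, dport) tuple; check_ip_id=False models a stack that ignores the IP ID."""
    fields = quoted_fields(icmp_pkt)
    if fields is None:
        return False
    src, dst, ip_id, sport, dport = fields
    return any(src == s and dst == d and sport == sp and dport == dp
               and (not check_ip_id or ip_id == i)
               for s, d, i, sp, dp in outstanding)

def demo():
    """Genuine error vs. one whose quote has the right port but a wrong IP ID."""
    query = dns_query_datagram("192.0.2.10", "198.51.100.53", 0x1A2B, 40000, 0x7777)
    outstanding = {("192.0.2.10", "198.51.100.53", 0x1A2B, 40000, 53)}
    genuine = icmp_port_unreach("198.51.100.53", "192.0.2.10", query)
    wrong_id = dns_query_datagram("192.0.2.10", "198.51.100.53", 0x0001, 40000, 0)
    mismatch = icmp_port_unreach("198.51.100.53", "192.0.2.10", wrong_id)
    return (accept_icmp_error(genuine, outstanding),
            accept_icmp_error(mismatch, outstanding),
            accept_icmp_error(mismatch, outstanding, check_ip_id=False))
```

`demo()` returns `(True, False, True)`: the stack that checks the IP ID rejects the mismatched quote, the one that ignores it accepts it on the port match alone.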
_______________________________________________
Dailydave mailing list
Dailydave_at_lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave
Received on Jul 14 2008