Cert Vulnerability 734644

trusted linux tcimpl2005 at yahoo.com
Mon Jun 27 21:17:37 UTC 2005


I have a question about the CERT 734644. If this is a
problem, we have to do a major upgrade. However, it
does not really convince me that this is a real
threat. Can anybody help clarify it? 


per 734644, 

 Several versions of the BIND 8 name server are
vulnerable to cache poisoning via negative responses.
To exploit this vulnerability, an attacker must
configure a name server to return authoritative
negative responses for a given target domain. Then,
the attacker must convince a victim user to query the
attacker's maliciously configured name server. When
the attacker's name server receives the query, it will
reply with an authoritative negative response
containing a large TTL (time-to-live) value. If the
victim's site runs a vulnerable version of BIND 8, it
will cache the negative response and render the target
domain unreachable until the TTL expires. 
    Assume the victim DNS is ns.victim.net and the target
domain is xyz.com.
    If I interpret this correctly, to run the attack,
the attacker has to do the following:
    1. Create and configure a DNS server to serve as
the authoritative DNS for the xyz.com domain, called
dnsxyz.attack.com (or just an IP) - fine.
    2. Convince ns.victim.net to query
dnsxyz.attack.com for any queries for xyz.com (i.e.
www.xyz.com) - how?
    3. dnsxyz.attack.com replies with a negative
response with a big TTL.
    The problem is #2. How is it possible? Actually,
without preset trust, this is equivalent to saying that
the attacker already controls ns.victim.net.
So, why does he bother to run this attack?
    I understand that birthday attacks and space
searching can break the random query ID without
requiring the trust. However, this CERT vulnerability
does not seem to rely on these techniques.
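The advisory's point of concern is that an authoritative negative response carrying a large TTL is cached as-is. The following is an added illustration, not code from the original post or from BIND, of how a resolver bounds what a negative response may do to its cache: the RFC 2308 rule (negative TTL = min(SOA TTL, SOA MINIMUM)), an in-bailiwick check on the SOA owner, and a configured cap. The cap value assumes BIND's max-ncache-ttl default of 3 hours; the SOA values are constructed samples.

```python
# Added example (not from the post or from BIND): bounding the cache lifetime
# that a negative DNS response is allowed to claim.
from dataclasses import dataclass
from typing import Optional

# Assumed cap on negative-cache entries, in seconds. BIND exposes this as the
# max-ncache-ttl option; 3 hours is its documented default.
MAX_NCACHE_TTL = 10800


@dataclass
class SOA:
    """The SOA record carried in the authority section of a negative response."""
    owner: str     # zone apex the SOA claims to speak for, e.g. "xyz.com."
    ttl: int       # TTL of the SOA RR itself
    minimum: int   # SOA MINIMUM field; RFC 2308 uses it as the negative-cache bound


def _labels(name: str) -> list:
    """Normalise a domain name to lower-case labels without the trailing root dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def in_bailiwick(zone: str, qname: str) -> bool:
    """True when zone is qname itself or an ancestor (xyz.com. covers www.xyz.com.)."""
    z, q = _labels(zone), _labels(qname)
    return len(z) <= len(q) and q[len(q) - len(z):] == z


def negative_cache_ttl(qname: str, soa: SOA, cap: int = MAX_NCACHE_TTL) -> Optional[int]:
    """Seconds a resolver may cache a negative answer for qname; None means do not cache.

    RFC 2308 sets the negative TTL to min(SOA TTL, SOA MINIMUM). On top of that,
    an SOA from an unrelated zone is rejected and the result is clamped to cap,
    so an authoritative negative answer with a huge TTL cannot park a name for days.
    """
    if not in_bailiwick(soa.owner, qname):
        return None
    if soa.ttl < 0 or soa.minimum < 0:
        return None
    return min(soa.ttl, soa.minimum, cap)


if __name__ == "__main__":
    # Constructed samples: a normal negative answer from the real zone, the
    # large-TTL negative answer the advisory describes, and an out-of-zone SOA.
    print(negative_cache_ttl("www.xyz.com.", SOA("xyz.com.", 3600, 900)))             # 900
    print(negative_cache_ttl("www.xyz.com.", SOA("xyz.com.", 2**31 - 1, 2**31 - 1)))  # 10800
    print(negative_cache_ttl("www.xyz.com.", SOA("attack.com.", 3600, 900)))          # None
```

With the cap in place the large-TTL response still poisons the negative cache, but only for at most cap seconds rather than until the attacker's TTL expires.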

