Cert Vulnerability 734644
peter at peter-dambier.de
Thu Jun 30 05:06:28 UTC 2005
Kevin Darcy wrote:
> trusted linux wrote:
>>I have a question about the CERT 734644. If this is a
>>problem, we have to do a major upgrade. However, it
>>does not really convince me that this is a real
>>threat. Can anybody help clarify it?
>>Several versions of the BIND 8 name server are
>>vulnerable to cache poisoning via negative responses.
>>To exploit this vulnerability, an attacker must
>>configure a name server to return authoritative
>>negative responses for a given target domain. Then,
>>the attacker must convince a victim user to query the
>>attacker's maliciously configured name server. When
>>the attacker's name server receives the query, it will
>>reply with an authoritative negative response
>>containing a large TTL (time-to-live) value. If the
>>victim's site runs a vulnerable version of BIND 8, it
>>will cache the negative response and render the target
>>domain unreachable until the TTL expires.
In my case the attacker was my ISP!
They disconnect me once every 24 hours to prevent me from
running a server. Bind 8 is a server.
After the disconnect, Bind stored only negative answers. Even
when I reconnected automatically, the negative answers
prevented me from reaching anybody outside my LAN.
With Bind 9 the problem is gone.
>> Assume the victim dns is ns.victim.net, the target
>>domain is xyz.com,
>> If I interpret this correctly, to run the attack,
>>the attacker has to do the following:
>> 1. create and configure a dns server to serve as
>>the authoritative DNS for xyz.com domain, called
>>dnsxyz.attack.com (or just an IP) - fine.
>> 2. convince ns.victim.net to query
>>dnsxyz.attack.com for any queries for xyz.com (i.e.
>>www.xyz.com) - how?
If I can see your server:
"dig @your_server www.xyz.com"
>> 3. dnsxyz.attack.com replies with negative
>>response with a big TTL.
>> The problem is #2. How is it possible? Actually,
>>without preset trust, this is equivalent to saying that
>>the attacker has already controlled the ns.victim.net.
>>So, why does he bother to run this attack?
>> I understand that a birthday attack and space
>>searching can break the random query ID without
>>requiring the trust. However this CERT vulnerability
>>does not seem to rely on these techniques.
> Well, I don't know the specifics of this particular vulnerability, but
> maybe BIND 8 was accepting xyz.com negative cache entries in response to
> attack.com queries, under certain circumstances...
> - Kevin
You do not need a negative answer from somebody. No answer from anybody
is a negative answer too.
If I prevent you from receiving an answer then I have got you. A DoS attack
on your server will do. So will a DoS attack on the nameservers. A temporary
loss of connectivity will do too.
Peter and Karin Dambier
+49-6252-750308 (VOiP: sipgate.de)
+49-179-108-3978 (O2 Genion)
mail: peter at peter-dambier.de
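The CERT description quoted above, together with Peter's point that a missing answer must not be treated as a negative one, as an added example that is not code from this thread or from BIND: a toy resolver negative cache in Python that applies RFC 2308's negative-TTL rule, caps it at BIND 9's default max-ncache-ttl of 10800 s, and refuses negative entries from a server outside the zone it was asked about. The class and method names, and the sample responses, are constructed for illustration.

```python
# Added example (not from the thread or from BIND): a toy negative cache
# showing the defensive rules a resolver should apply to NXDOMAIN replies.
# Assumptions: RFC 2308 negative TTL = min(SOA TTL, SOA MINIMUM); BIND 9's
# default max-ncache-ttl of 10800 s is used as the cap; class/method names
# are made up for this example.
from dataclasses import dataclass

MAX_NCACHE_TTL = 10800  # BIND 9 default cap on negative-cache TTL (3 hours)


@dataclass
class NegativeResponse:
    """Constructed model of an authoritative NXDOMAIN reply."""
    qname: str           # name that was asked for, e.g. "www.xyz.com."
    soa_owner: str       # zone apex of the SOA in the AUTHORITY section
    soa_ttl: int         # TTL on that SOA record
    soa_minimum: int     # MINIMUM field of the SOA RDATA
    authoritative: bool  # AA bit set in the reply?


def in_zone(qname: str, zone: str) -> bool:
    """True if qname is the zone apex itself or lies beneath it."""
    q, z = qname.lower(), zone.lower()
    return q == z or q.endswith("." + z)


class NegativeCache:
    def __init__(self, max_ncache_ttl: int = MAX_NCACHE_TTL):
        self.max_ttl = max_ncache_ttl
        self._entries = {}  # qname -> expiry (epoch seconds)

    def accept(self, resp: NegativeResponse, server_zone: str, now: float) -> int:
        """Cache resp if it passes the checks; return the TTL stored (0 = rejected).
        server_zone is the zone we consulted this server about (its bailiwick)."""
        if not resp.authoritative:
            return 0
        # Bailiwick: a server answering for attack.com may not deny xyz.com,
        # and the denied name must sit under the SOA it presents.
        if not in_zone(resp.soa_owner, server_zone) or not in_zone(resp.qname, resp.soa_owner):
            return 0
        ttl = min(resp.soa_ttl, resp.soa_minimum, self.max_ttl)  # RFC 2308 + cap
        self._entries[resp.qname.lower()] = now + ttl
        return ttl

    def on_no_answer(self, qname: str) -> int:
        """A timeout or lost link is not a denial: nothing is cached for qname."""
        return 0

    def is_negative(self, qname: str, now: float) -> bool:
        exp = self._entries.get(qname.lower())
        return exp is not None and exp > now
```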