OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Re: International DNS compromise?

billdit-inc.us
Date: Fri Aug 06 2004 - 15:05:09 CDT

In-Reply-To: <20040805192243.7826e6b9.johnpond-weed.com>

This is from China's "Great Firewall" sniffering their 54Gbps International traffic.

I presented some detailes at the HOPE conference in NYC last month. I posted the presentaion here: http://www.dit-inc.us/report/hope2004/cover.htm (click on the image to get in)

Regarding this DNS hijacking thing, it is worth mentioning that root DNS server in China may hijack query from neighbouring countries as well.

The black list for DNS hijacking is very small. TCP session hijacking list is longer, IP blocking blacklist is the longest.

Bill

>Received: (qmail 28891 invoked from network); 5 Aug 2004 18:45:36 -0000
>Received: from outgoing.securityfocus.com (HELO outgoing3.securityfocus.com) (205.206.231.27)
> by mail.securityfocus.com with SMTP; 5 Aug 2004 18:45:36 -0000
>Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
> by outgoing3.securityfocus.com (Postfix) with QMQP
> id 03627236F36; Thu, 5 Aug 2004 12:47:21 -0600 (MDT)
>Mailing-List: contact bugtraq-helpsecurityfocus.com; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraqsecurityfocus.com>
>List-Help: <mailto:bugtraq-helpsecurityfocus.com>
>List-Unsubscribe: <mailto:bugtraq-unsubscribesecurityfocus.com>
>List-Subscribe: <mailto:bugtraq-subscribesecurityfocus.com>
>Delivered-To: mailing list bugtraqsecurityfocus.com
>Delivered-To: moderator for bugtraqsecurityfocus.com
>Received: (qmail 28021 invoked from network); 5 Aug 2004 12:14:21 -0000
>Date: Thu, 5 Aug 2004 19:22:43 +0100
>From: john <johnpond-weed.com>
>To: bugtraqsecurityfocus.com
>Subject: Re: International DNS compromise?
>Message-Id: <20040805192243.7826e6b9.johnpond-weed.com>
>In-Reply-To: <20040805051101.18767.qmailweb13702.mail.yahoo.com>
>References: <Pine.LNX.4.58.0407232020010.3889pluto.physik.uni-wuerzburg.de>
> <20040805051101.18767.qmailweb13702.mail.yahoo.com>
>X-Mailer: Sylpheed version 0.8.11claws (GTK+ 1.2.10; i686-pc-linux-gnu)
>Mime-Version: 1.0
>Content-Type: text/plain; charset=US-ASCII
>Content-Transfer-Encoding: 7bit
>
>On Wed, 4 Aug 2004 22:11:01 -0700 (PDT)
>Zhen Shi <zhenshi99yahoo.com> wrote:
>
>> Dear all,
>> Recently I noticed something fishy in the DNS system
>> between US and China.
>> First, any IPs, dead or live, in China will respond
>> to your DNS query for some domains. For example
>> (screen shot with some clean-up and comments):
>>
>> C:\>nslookup
>>
>> > server 210.77.0.0 <=== pick a random IP in
>> China
>> Default Server: [210.77.0.0]
>> Address: 210.77.0.0
>>
>> > www.rfa.org
>> Server: [210.77.0.0]
>> Address: 210.77.0.0
>>
>> Non-authoritative answer:
>> Name: www.rfa.org
>> Address: 203.105.1.21 <=== you got response!!!!
>>
>> Second, every time the response is different:
>>
>> > www.rfa.org
>> Server: [210.77.0.0]
>> Address: 210.77.0.0
>>
>> Non-authoritative answer:
>> Name: www.rfa.org
>> Address: 64.66.163.251
>
>> <snip>
>
>It looks like it all works OK with most domain names. But rfa.org is the
>sort of site the Chinese would want to censor. Evidently this is part of
>their strategy for doing that.
>
>This has the side-effect that you could discover the list of sites being
>censored by systematically comparing DNS replies from a server in China
>with those from an uncompromised server.
>
>John
>