Re: [Dailydave] DNS Guess 2 for the day

From: Lee Brotherston (leenerds.org.uk)
Date: Mon Jul 14 2008 - 07:13:54 CDT


On Sun, Jul 13, 2008 at 08:09:57PM -0700, piggly wiggly wrote:
> If you can spoof ICMP, you can prevent the recursor from communicating
> with the real nameserver. This will make it very, very easy to spoof DNS, as
> it removes the biggest hurdle: that of silencing the real nameservers. It
> only takes about 2 min on a 10 Mbit/s connection to run through all 65536
> possible sequence numbers, so if you can prevent the recursor from talking
> to the real nameservers it really is easy as pie.

I'm afraid I disagree with you there, Piggly Wiggly.

If we break the possible times you can transmit this spoofed ICMP
packet into two categories:

- Transmitted before the "real" response. If an ICMP host unreachable
  (or some other error) is transmitted before the real DNS response is
  sent it will probably be ignored as the error will refer to a packet
  which has never been sent.

- Transmitted after the "real" response. If the ICMP packet is
  transmitted after the response it is too late. Whilst it's true
  that a TCP connection can be disrupted in this way, in the case of
  UDP the packet has been sent and there is no additional handshaking,
  etc. An error cannot cause the original sender to retract the
  packet in some way, and so the response will make it back to the
  original requester.

Unless of course, I have misunderstood something, in which case, flame
away :)

Thanks

  Lee

--
Lee Brotherston - <leenerds.org.uk>