DNS Vulnerability Found by a GSEC Student Three Years Ago!

Published: 2008-07-09
Last Updated: 2008-07-09 01:26:01 UTC
by Marcus Sachs (Version: 1)
3 comment(s)

Kudos to Ian Green!  In January 2005 he submitted a paper for his GSEC certification that lays out in wonderful detail the very same vulnerability that is the subject of today's patching frenzy.  Here is what Ian told us in an email today:

The DNS Spoofing vulnerability was discovered and reported to SANS during research for GSEC in January 2005.  http://www.sans.org/reading_room/whitepapers/dns/1567.php

By observing these values of DNS queries over a period of time, the following patterns were noted:
- The DNS transaction ID always begins at 1 and is incremented by 1 for each subsequent DNS query; and
- The UDP source port of the query (which becomes the UDP destination port of the response) remains static for the entirety of a session (from startup to shutdown).

Like they say, "what is old is new, what is new is old"

Marcus H. Sachs
Director, SANS Internet Storm Center

Keywords: dns
3 comment(s)
Diary Archives