SANS ISC: DNS Vulnerability Found by a GSEC Student Three Years Ago! - SANS Internet Storm Center

DNS Vulnerability Found by a GSEC Student Three Years Ago!

Kudos to Ian Green! In January 2005 he submitted a paper for his GSEC certification that lays out in wonderful detail the very same vulnerability that is the subject of today's patching frenzy. Here is what Ian told us in an email today:

The DNS Spoofing vulnerability was discovered and reported to SANS during research for GSEC in January 2005. http://www.sans.org/reading_room/whitepapers/dns/1567.php

Extract:
By observing these values of DNS queries over a period of time, the following patterns were noted:
- The DNS transaction ID always begins at 1 and is incremented by 1 for each subsequent DNS query; and
- The UDP source port of the query (which becomes the UDP destination port of the response) remains static for the entirety of a session (from startup to shutdown).

Like they say, "what is old is new, what is new is old."

Marcus H. Sachs
Director, SANS Internet Storm Center

Marcus (ISC Handler)
This isn't the same vulnerability. In modern DNS (XP SP3 as an example), the client doesn't use the same static UDP port... the UDP port increments with each subsequent request.
Tyler
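As an added example (not code from the diary, from Ian Green's paper or from any commenter), the following Python checks a run of outbound DNS queries for the two patterns named in the extract above (transaction IDs that count up from 1, a UDP source port that never changes) and for the pattern Tyler describes (a source port that increments with each query). It parses the transaction ID out of the raw DNS header and labels each field as static, sequential or varied, then gives a rough count of (port, ID) pairs an off-path spoofer would have to try. All sample queries are constructed inline; the port numbers and transaction IDs are invented, and the guess-space figure is a simplified model (one guess per predictable field, 2**16 per varied one), not a measurement of entropy.

```python
import struct
from typing import Iterable, List, Tuple

# A DNS message starts with a 12-byte header (RFC 1035, section 4.1.1):
# ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT, all 16-bit big-endian.
DNS_HEADER = struct.Struct("!HHHHHH")


def parse_txid(dns_message: bytes) -> int:
    """Return the 16-bit transaction ID of a raw DNS message."""
    if len(dns_message) < DNS_HEADER.size:
        raise ValueError("truncated DNS header")
    return DNS_HEADER.unpack_from(dns_message, 0)[0]


def build_query(txid: int, name: str = "www.example.com") -> bytes:
    """Construct a minimal standard query (QTYPE A, QCLASS IN) as sample input."""
    header = DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def classify(values: List[int], width_bits: int = 16) -> str:
    """Label a run of observed values: 'static' (never changes), 'sequential'
    (always +1, modulo the field width) or 'varied' (anything else)."""
    if len(values) < 2:
        raise ValueError("need at least two observations")
    diffs = [(b - a) % (1 << width_bits) for a, b in zip(values, values[1:])]
    if all(d == 0 for d in diffs):
        return "static"
    if all(d == 1 for d in diffs):
        return "sequential"
    return "varied"


def assess(observations: Iterable[Tuple[int, bytes]]) -> dict:
    """observations: (UDP source port, raw DNS query) per outbound query, in send order.
    Returns the pattern of each field and the number of (port, txid) pairs a spoofer
    must cover: 1 for a field it can predict, 2**16 for one that looks varied.
    This is a simplified model (hypothetical), not an entropy measurement."""
    obs = list(observations)
    ports = [sport for sport, _ in obs]
    txids = [parse_txid(msg) for _, msg in obs]
    port_pattern = classify(ports)
    txid_pattern = classify(txids)
    guesses = 1
    for pattern in (port_pattern, txid_pattern):
        if pattern == "varied":
            guesses *= 1 << 16
    return {"source_port": port_pattern, "txid": txid_pattern, "guess_space": guesses}


# Constructed samples (invented values, not captured traffic):
# 1. the resolver behaviour in the 2005 extract: fixed port, IDs 1, 2, 3, 4
OLD_RESOLVER = [(1025, build_query(i)) for i in range(1, 5)]
# 2. a port that steps up by one per query, with unrelated IDs
INCREMENTING_PORT = [(1025 + i, build_query(tx)) for i, tx in enumerate((9, 41233, 2, 60001))]
# 3. a resolver that varies both fields
RANDOMIZED = [(p, build_query(t)) for p, t in ((51723, 4311), (33019, 61720), (40276, 190), (62000, 29988))]

if __name__ == "__main__":
    for label, sample in (("2005 extract", OLD_RESOLVER),
                          ("incrementing port", INCREMENTING_PORT),
                          ("randomized", RANDOMIZED)):
        print(f"{label:18s} {assess(sample)}")
```

Run against real traffic by feeding `assess` the (source port, payload) pairs of a resolver's outbound UDP/53 queries in order; a handful of queries is enough to expose a static port or a counting ID, while a "varied" verdict on a small sample only says the simple patterns are absent.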
Interesting comments on this subject:

"It is not feasible to think that the world's DNS vendors would have patched and announced in unison for no reason."

By day's end, Kaminsky had even turned his most vocal critic, Matasano's Ptacek, who issued a retraction on this blog after Kaminsky explained the details of his research over the telephone. "He has the goods," Ptacek said afterward. While the attack builds on previous DNS research, it makes cache poisoning attacks extremely easy to pull off. "He's pretty much taken it to point and click to an extent that we didn't see coming."

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9108518&source=rss_topic82
Anonymous