DNS Vulnerability Found by a GSEC Student Three Years Ago!

Published: 2008-07-09
Last Updated: 2008-07-09 01:26:01 UTC
by Marcus Sachs (Version: 1)
3 comment(s)

Kudos to Ian Green!  In January 2005 he submitted a paper for his GSEC certification that lays out in wonderful detail the very same vulnerability that is the subject of today's patching frenzy.  Here is what Ian told us in an email today:

The DNS Spoofing vulnerability was discovered and reported to SANS during research for GSEC in January 2005.  http://www.sans.org/reading_room/whitepapers/dns/1567.php

Extract:
By observing these values of DNS queries over a period of time, the following patterns were noted:
- The DNS transaction ID always begins at 1 and is incremented by 1 for each subsequent DNS query; and
- The UDP source port of the query (which becomes the UDP destination port of the response) remains static for the entirety of a session (from startup to shutdown).

Like they say, "what is old is new, what is new is old"

Marcus H. Sachs
Director, SANS Internet Storm Center

Keywords: dns
3 comment(s)

Comments

This isn't the same vulnerability. In modern DNS (XP SP3 as an example), the client doesn't use the same static UDP port... the UDP port increments with each subsequent request.
Interesting comments on this subject:

"It is not feasible to think that the world's DNS vendors would have patched and announced in unison for no reason."

By day's end, Kaminsky had even turned his most vocal critic, Matasano's Ptacek, who issued a retraction on this blog after Kaminsky explained the details of his research over the telephone. "He has the goods," Ptacek said afterward. While the attack builds on previous DNS research, it makes cache poisoning attacks extremely easy to pull off. "He's pretty much taken it to point and click to an extent that we didn't see coming."

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9108518&source=rss_topic82
Interesting comments on this subject:

"It is not feasible to think that the world's DNS vendors would have patched and announced in unison for no reason."

By day's end, Kaminsky had even turned his most vocal critic, Matasano's Ptacek, who issued a retraction on this blog after Kaminsky explained the details of his research over the telephone. "He has the goods," Ptacek said afterward. While the attack builds on previous DNS research, it makes cache poisoning attacks extremely easy to pull off. "He's pretty much taken it to point and click to an extent that we didn't see coming."

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9108518&source=rss_topic82

Diary Archives