On 15.04.13 09:44, Jamie Ostrowski wrote:
> But that is the point of my question. Since it is relying on its cached entry for the auth. nameserver for mydomain.com, the attacker, once the auth. nameserver for mydomain.com was cached, would have to wait until that cached NS entry for mydomain.com expires from the resolver's cache before they can make another attempt to send a forged NS record for mydomain.com, correct?
no... the attacker simply sends a bunch of replies with the spoofed source address of the authoritative nameserver. The victim sees packets coming from the authoritative nameserver and does not know if they were really sent by the server (the source address is spoofed). It's quite easy to spoof 65535 responses with different query IDs in a few seconds nowadays. That is why random source ports are used now (it's not easy to spoof ~4 billion replies) and that is why securedns is the only way to avoid this attack. Once the spoofed answer with the guessed ID and containing NS records of the attacker's servers is accepted, the attacker owns the domain, at least within your nameserver.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...
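The guess-space argument in the reply above, worked through as an added example (not part of the thread): it models a forged reply as a blind guess of the 16-bit transaction ID, optionally combined with a 16-bit source port, assumes one outstanding query per race and distinct guesses, and reports how many races an attacker would need for a given confidence. The names and the simplifying assumptions are mine.

```python
import math

TXID_BITS = 16  # 16-bit DNS transaction ID
PORT_BITS = 16  # 16-bit UDP source port (assumption: treated as fully random)


def guess_space(random_source_port: bool) -> int:
    """Number of (TXID, port) combinations a forged reply must match."""
    bits = TXID_BITS + (PORT_BITS if random_source_port else 0)
    return 1 << bits


def hit_probability(space: int, forged_replies: int) -> float:
    """Chance that at least one of `forged_replies` distinct guesses matches
    the single outstanding query during one race window."""
    return min(forged_replies / space, 1.0)


def races_for_confidence(p_per_race: float, confidence: float) -> int:
    """Independent races (one per query the resolver sends) needed before the
    cumulative success probability reaches `confidence`."""
    if p_per_race >= 1.0:
        return 1
    if p_per_race <= 0.0:
        raise ValueError("zero chance per race")
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p_per_race))


def compare(forged_replies: int = 65535, confidence: float = 0.5) -> dict:
    """Summarise both resolver configurations for the thread's example figure
    of 65535 forged replies per race."""
    out = {}
    for label, randomized in (("fixed port", False), ("random port", True)):
        space = guess_space(randomized)
        p = hit_probability(space, forged_replies)
        out[label] = {
            "space": space,
            "p_per_race": p,
            "races_needed": races_for_confidence(p, confidence),
        }
    return out


if __name__ == "__main__":
    for label, row in compare().items():
        print(f"{label:11s} space={row['space']:>10d} "
              f"p/race={row['p_per_race']:.2e} races(50%)={row['races_needed']}")
```

With a fixed source port a single race of 65535 forged replies is almost certain to hit, whereas port randomization pushes the same budget to tens of thousands of races; only signed answers remove the guessing game entirely.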