Re: TLD servers with recursion was Re: Exploit for DNS Cache Poisoning- RELEASED

Gadi Evron wrote: On Thu, 24 Jul 2008, Martin Hannigan wrote: I personally know several folks from within and wayyy from outside the DNS world who discovered this very out there and obvious issue and worked hard to try and contact the operators. Those that haven't fixed it yet, likely won't if

Re: Exploit for DNS Cache Poisoning - RELEASED

* Paul Vixie: > in > we see this text: > > The DNS attacks are starting!!! > > Below is a snippet of a logwatch from last night. Be sure all DNS > servers are updated if at all possible. The spooks are out in

RE: Exploit for DNS Cache Poisoning - RELEASED

10:54 AM > To: David Conrad > Cc: [EMAIL PROTECTED] > Subject: Re: Exploit for DNS Cache Poisoning - RELEASED > > In what way is the EU's governance model the same as, or > anything similar, to the UN's or ITU's? This argument gets > increasingly silly. Hell, w

Re: https (was: Re: Exploit for DNS Cache Poisoning - RELEASED)

On Fri, Jul 25, 2008 at 5:52 PM, Matthew Petach <[EMAIL PROTECTED]> wrote: > I'm sure when Gmail gets close to the same number of users > as Yahoo, they will discover how challenging and painful it is > to support that many simultaneous short-lived SSL connections. True, however GMail has the adva

Re: Exploit for DNS Cache Poisoning - RELEASED

On Fri, 2008-07-25 at 23:25 +0100, Graeme Fowler wrote: > I saw this earlier in the week, along with queries for a domain name > which happens to have been registered by Dan Kaminsky, so I emailed him > about it. The addresses in question at Georgia Tech appear to be in use > as part of Doxpara's s

Re: Exploit for DNS Cache Poisoning - RELEASED

On Fri, 2008-07-25 at 18:14 -0400, Pete Carah wrote: > I saw much more than this *from the same address* starting two days ago, > and from several other blocks belonging to the same university starting > last week, to my home router and another server. So far my better > connected servers haven

Re: Exploit for DNS Cache Poisoning - RELEASED

Paul Vixie wrote: in we see this text: The DNS attacks are starting!!! Below is a snippet of a logwatch from last night. Be sure all DNS servers are updated if at all possible. The spooks are out in

Re: https (was: Re: Exploit for DNS Cache Poisoning - RELEASED)

On 7/24/08, Hank Nussbacher <[EMAIL PROTECTED]> wrote: > On Thu, 24 Jul 2008, Jeffrey Ollie wrote: > > > Interestingly enough, Google just added a feature to GMail to force > > secure connections: > > > http://googlesystem.blogspot.com/2008/07/force-gmail-to-use-secure-connection.html > > > > Jeff

Re: Exploit for DNS Cache Poisoning - RELEASED

in we see this text: The DNS attacks are starting!!! Below is a snippet of a logwatch from last night. Be sure all DNS servers are updated if at all possible. The spooks are out in full on this

Re: Exploit for DNS Cache Poisoning - RELEASED

In what way is the EU's governance model the same as, or anything similar, to the UN's or ITU's? This argument gets increasingly silly. Hell, when did ITU last let someone randomly take over a chunk of the e164 name space? On Fri, Jul 25, 2008 at 4:06 PM, David Conrad <[EMAIL PROTECTED]> wrote: >

Re: Exploit for DNS Cache Poisoning - RELEASED

Valdis, On Jul 24, 2008, at 6:05 PM, [EMAIL PROTECTED] wrote: On Thu, 24 Jul 2008 17:43:10 PDT, David Conrad said: On Jul 24, 2008, at 4:24 PM, Tomas L. Byrnes wrote: The problem is, once the ICANNt root is self-signed, the hope of ever revoking that dysfunctional mess as authority is gone.

Re: https (was: Re: Exploit for DNS Cache Poisoning - RELEASED)

On Thu, Jul 24, 2008 at 11:24 PM, Hank Nussbacher <[EMAIL PROTECTED]> wrote: > I wish Yahoo and Hotmail even had the ability of *reading* email via https: > http://www.interall.co.il/hotmail-yahoo-https.html Hah! It was only a year ago that Yahoo even added SSL capabilities for login. Six months

Re: Exploit for DNS Cache Poisoning - RELEASED

> > On Thu, Jul 24, 2008 at 10:32 AM, Tuc at T-B-O-H.NET <[EMAIL PROTECTED]> > wrote: > > > > - -- "Robert D. Scott" <[EMAIL PROTECTED]> wrote: > > > > > > >Now, there is an exploit for it. > > > > > > > >http://www.caughq.org/exploits/CAU-EX-2008-0002.txt > > > > > > Now also (mirrored) here: >

Re: Exploit for DNS Cache Poisoning - RELEASED

On Thu, Jul 24, 2008 at 10:32 AM, Tuc at T-B-O-H.NET <[EMAIL PROTECTED]> wrote: > > - -- "Robert D. Scott" <[EMAIL PROTECTED]> wrote: > > > > >Now, there is an exploit for it. > > > > > >http://www.caughq.org/exploits/CAU-EX-2008-0002.txt > > > > Now also (mirrored) here: > > > > http://www.milw0

Re: https (was: Re: Exploit for DNS Cache Poisoning - RELEASED)

On Thu, 24 Jul 2008, Jeffrey Ollie wrote: Interestingly enough, Google just added a feature to GMail to force secure connections: http://googlesystem.blogspot.com/2008/07/force-gmail-to-use-secure-connection.html Jeff I wish Yahoo and Hotmail even had the ability of *reading* email via http

Re: Exploit for DNS Cache Poisoning - RELEASED

"Tomas L. Byrnes" <[EMAIL PROTECTED]> wrote: > The problem is, once the ICANNt root is self-signed, the hope of ever > revoking that dysfunctional mess as authority is gone. that sounds like the kind of foot-dragging that could be holding this up. > Perhaps the IETF or DoC should sign the root, t

Re: TLD servers with recursion was Re: Exploit for DNS Cache Poisoning- RELEASED

On Thu, 24 Jul 2008, Steve Bertrand wrote: Gadi Evron wrote: On Thu, 24 Jul 2008, Martin Hannigan wrote: I personally know several folks from within and wayyy from outside the DNS world who discovered this very out there and obvious issue and worked hard to try and contact the operators. Thos

Re: Exploit for DNS Cache Poisoning - RELEASED

On Thu, 24 Jul 2008 17:43:10 PDT, David Conrad said: > On Jul 24, 2008, at 4:24 PM, Tomas L. Byrnes wrote: >> The problem is, once the ICANNt root is self-signed, the hope of ever >> revoking that dysfunctional mess as authority is gone. > As far as I'm aware, as long as the KSK isn't compromised,

Re: Exploit for DNS Cache Poisoning - RELEASED

On Jul 24, 2008, at 4:24 PM, Tomas L. Byrnes wrote: The problem is, once the ICANNt root is self-signed, the hope of ever revoking that dysfunctional mess as authority is gone. Sorry, I don't follow -- sounds like FUD to me. Care to explain this? As far as I'm aware, as long as the KSK isn't

Re: https (was: Re: Exploit for DNS Cache Poisoning - RELEASED)

On Thu, Jul 24, 2008 at 3:05 AM, Steven M. Bellovin <[EMAIL PROTECTED]> wrote: > > The round trip issue affects latency, which in turn affects perceived > responsiveness. This is quite definitely the reason why gmail doesn't > always use https (though it, unlike some other web sites, doesn't > ref

RE: Exploit for DNS Cache Poisoning - RELEASED

xie [mailto:[EMAIL PROTECTED] > Sent: Thursday, July 24, 2008 9:13 AM > To: [EMAIL PROTECTED] > Subject: Re: Exploit for DNS Cache Poisoning - RELEASED > > [EMAIL PROTECTED] ("Jorge Amodio") writes: > > > As I mentioned in another message, perhaps its time to g

Re: Exploit for DNS Cache Poisoning - RELEASED

Neil Suryakant Patel is the nominee for AS for Communications and Information at DoC. If he's in the loop, even "advisory pending ...", and as a Cheney staffer (intially staff secretary, now as a domestic and economic policy adviser), that's possible, then adjust expectations accordingly. Pau

Re: Exploit for DNS Cache Poisoning - RELEASED

[EMAIL PROTECTED] ("Jorge Amodio") writes: > As I mentioned in another message, perhaps its time to get serious about > DNSSEC, where are we on this front ? Still waiting for US-DoC to give ICANN/IANA permission to sign the root zone. -- Paul Vixie -- This message has been scanned for viruses

Re: Exploit for DNS Cache Poisoning - RELEASED

[EMAIL PROTECTED] ("Jorge Amodio") writes: > As I mentioned in another message, perhaps its time to get serious about > DNSSEC, where are we on this front ? still waiting for US-DoC to give ICANN permission to sign the root zone. -- Paul Vixie -- This message has been scanned for viruses and d

Re: Exploit for DNS Cache Poisoning - RELEASED

> > ... economics of the attack have now > changed. (And we need to get DNSSEC deployed before they change even > further.) > Amen.

Re: TLD servers with recursion was Re: Exploit for DNS Cache Poisoning- RELEASED

On Thu, 24 Jul 2008 15:50:15 - "Martin Hannigan" <[EMAIL PROTECTED]> wrote: > > I don't know that a failure to act immediately is indicative of > ignoring the problem. Not to defend AT&T or any other provider, but > it's not as simple as rolling out a patch. > Right. What scares me is all

RE: TLD servers with recursion was Re: Exploit for DNS Cache Poisoning- RELEASED

On Thu, 24 Jul 2008, Martin Hannigan wrote: I personally know several folks from within and wayyy from outside the DNS world who discovered this very out there and obvious issue and worked hard to try and contact the operators. Those that haven't fixed it yet, likely won't if all thing remain

RE: TLD servers with recursion was Re: Exploit for DNS Cache Poisoning- RELEASED

> > I personally know several folks from within and wayyy from outside the > DNS > world who discovered this very out there and obvious issue and worked > hard > to try and contact the operators. Those that haven't fixed it yet, > likely > won't if all thing remain even. > I don't know that a

Re: TLD servers with recursion was Re: Exploit for DNS Cache Poisoning - RELEASED

On Thu, 24 Jul 2008, Gadi Evron wrote: But sticking to the point, TLD servers should (under most circumstances) be Should NEVER, oops.

Re: TLD servers with recursion was Re: Exploit for DNS Cache Poisoning - RELEASED

On Thu, 24 Jul 2008, John Kristoff wrote: On Thu, 24 Jul 2008 10:06:25 +0100 Simon Waters <[EMAIL PROTECTED]> wrote: I checked last night, and noticed TLD servers for .VA and .MUSEUM are still offering recursion amongst a load of less popular top level domains. Indeed just under 10% of the aut

Re: Exploit for DNS Cache Poisoning - RELEASED

On Thu, 24 Jul 2008 09:10:13 -0500 "Jorge Amodio" <[EMAIL PROTECTED]> wrote: > > > > Sure, I can empathize, to a certain extent. But this issue has > > been known for 2+ weeks now. > > > > Well we knew about the DNS issues since long time ago (20+yrs > perhaps?), so the issue is not new, just the

Re: Exploit for DNS Cache Poisoning - RELEASED

On Thu, 24 Jul 2008, Paul Ferguson wrote: Let's hope some very large service providers get their act together real soon now. There is always a tension between discovery, changing, testing and finally deployment. Sure, I can empathize, to a certain extent. But this issue has been known for

Re: Exploit for DNS Cache Poisoning - RELEASED

> > Sure, I can empathize, to a certain extent. But this issue has > been known for 2+ weeks now. > Well we knew about the DNS issues since long time ago (20+yrs perhaps?), so the issue is not new, just the exploit is more easy to put together and chances for it to succeed are much higher. As I m

Re: TLD servers with recursion was Re: Exploit for DNS Cache Poisoning - RELEASED

On Thu, 24 Jul 2008 10:06:25 +0100 Simon Waters <[EMAIL PROTECTED]> wrote: > I checked last night, and noticed TLD servers for .VA and .MUSEUM are > still offering recursion amongst a load of less popular top level > domains. > > Indeed just under 10% of the authoritative name servers mentioned i

Re: https (was: Re: Exploit for DNS Cache Poisoning - RELEASED)

Once upon a time, Robert Kisteleki <[EMAIL PROTECTED]> said: > I understand this is a huge can of worms, but maybe it's time to change the > default behavior of browsers from http to https...? This is a _DNS_ vulnerability. The Internet is more than HTTP(S). Think about email (how many MTAs do

Re: Exploit for DNS Cache Poisoning - RELEASED

On Wed, 23 Jul 2008, Kevin Day wrote: > > The new way is slightly more sneaky. You get the victim to try to > resolve an otherwise invalid and uncached hostname like 1.gmail.com, > and try to beat the real response with spoofed replies. Except this time > your reply comes with an additional rec

Re: Exploit for DNS Cache Poisoning - RELEASED

> On Wed, Jul 23, 2008 at 9:44 PM, Joe Greco <[EMAIL PROTECTED]> wrote: > >> Except this time your reply comes with an additional record > >> containing the IP for www.gmail.com to the one you want to redirect it > >> to. > > > > Thought that was the normal technique for cache poisoning. I'm prett

TLD servers with recursion was Re: Exploit for DNS Cache Poisoning - RELEASED

On Thursday 24 July 2008 05:17:59 Paul Ferguson wrote: > > Let's hope some very large service providers get their act together > real soon now. > > http://www.hackerfactor.com/blog/index.php?/archives/204-Poor-DNS.html It isn't going to happen without BIG political pressure, either from users, or

Re: https (was: Re: Exploit for DNS Cache Poisoning - RELEASED)

On Thu, 2008-07-24 at 09:51 +0200, Robert Kisteleki wrote: > Patrick W. Gilmore wrote: > > Anyone have a foolproof way to get grandma to always put "https://"; in > > front of "www"? > > I understand this is a huge can of worms, but maybe it's time to change the > default behavior of browsers fr

Re: https (was: Re: Exploit for DNS Cache Poisoning - RELEASED)

On Thu, 2008-07-24 at 09:51 +0200, Robert Kisteleki wrote: > Patrick W. Gilmore wrote: > > Anyone have a foolproof way to get grandma to always put "https://"; in > > front of "www"? > > I understand this is a huge can of worms, but maybe it's time to change the > default behavior of browsers fr

Re: https (was: Re: Exploit for DNS Cache Poisoning - RELEASED)

On Thu, 24 Jul 2008 09:51:40 +0200 Robert Kisteleki <[EMAIL PROTECTED]> wrote: > Patrick W. Gilmore wrote: > > Anyone have a foolproof way to get grandma to always put "https://"; > > in front of "www"? > > I understand this is a huge can of worms, but maybe it's time to > change the default beha

https (was: Re: Exploit for DNS Cache Poisoning - RELEASED)

Patrick W. Gilmore wrote: Anyone have a foolproof way to get grandma to always put "https://"; in front of "www"? I understand this is a huge can of worms, but maybe it's time to change the default behavior of browsers from http to https...? I'm sure it's doable in FF with a simple plugin, o

Re: Exploit for DNS Cache Poisoning - RELEASED

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Sean Donelan <[EMAIL PROTECTED]> wrote: >> >> Let's hope some very large service providers get their act together >> real soon now. > >There is always a tension between discovery, changing, testing and finally deployment. > Sure, I can empathiz

Re: Exploit for DNS Cache Poisoning - RELEASED

On Thu, 24 Jul 2008, Paul Ferguson wrote: If your nameservers have not been upgraded or you did not enable the proper flags, eg: dnssec-enable and/or dnssec-validation as applicable, I hope you will take another look. Let's hope some very large service providers get their act together real soon

Re: Exploit for DNS Cache Poisoning - RELEASED

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Jared Mauch <[EMAIL PROTECTED]> wrote: >If your nameservers have not been upgraded or you did >not enable the proper flags, eg: dnssec-enable and/or dnssec-validation >as applicable, I hope you will take another look. Let's hope some very large

Re: Exploit for DNS Cache Poisoning - RELEASED

Skywing wrote: Bookmarks or favorites or whatever your browser of choice wishes to call them, for the https URLs. That, or remember to type in the https:// prefix. - S Which works great until you run into something like Washington Mutual (of which you have no doubt heard)... http://www.w

RE: Exploit for DNS Cache Poisoning - RELEASED

] Subject: Re: Exploit for DNS Cache Poisoning - RELEASED On Jul 23, 2008, at 9:27 PM, Jasper Bryant-Greene wrote: > On Wed, 2008-07-23 at 21:17 -0400, Joe Abley wrote: >> Luckily we have the SSL/CA architecture in place to protect any web >> page served over SSL. It's a go

Re: Exploit for DNS Cache Poisoning - RELEASED

Patrick W. Gilmore wrote: Anyone have a foolproof way to get grandma to always put "https://"; in front of "www"? Some tests from my home Comcast connection tonight showed less than desirable results from their resolvers. The first thing I did was to double check that the bookmarks I use wh

Re: Exploit for DNS Cache Poisoning - RELEASED

On Wed, Jul 23, 2008 at 11:01:11PM -0400, Patrick W. Gilmore wrote: >> https://www.paypal.com/ > > That did not even occur to me. > > Anyone have a foolproof way to get grandma to always put "https://"; in > front of "www"? > > Seriously, I was explaining the problem to someone saying "never clic

Re: Exploit for DNS Cache Poisoning - RELEASED

On Jul 23, 2008, at 9:27 PM, Jasper Bryant-Greene wrote: On Wed, 2008-07-23 at 21:17 -0400, Joe Abley wrote: Luckily we have the SSL/CA architecture in place to protect any web page served over SSL. It's a good job users are not conditioned to click "OK" when told "the certificate for this site

Re: Exploit for DNS Cache Poisoning - RELEASED

On Wed, Jul 23, 2008 at 9:44 PM, Joe Greco <[EMAIL PROTECTED]> wrote: >> Except this time your reply comes with an additional record >> containing the IP for www.gmail.com to the one you want to redirect it >> to. > > Thought that was the normal technique for cache poisoning. I'm pretty > sure tha

Re: Exploit for DNS Cache Poisoning - RELEASED

> - -- "Robert D. Scott" <[EMAIL PROTECTED]> wrote: > > >Now, there is an exploit for it. > > > >http://www.caughq.org/exploits/CAU-EX-2008-0002.txt > > Now also (mirrored) here: > > http://www.milw0rm.com/exploits/6122 > > ...and probably a slew of other places, too. ;-) > The change

Re: Exploit for DNS Cache Poisoning - RELEASED

> Before, if you wanted to poison a cache for www.gmail.com, you get the > victim name server to try to look up www.gmail.com and spoof flood the > server trying to beat the real reply by guessing the correct ID. if > you fail, you may need to wait for the victim name server to expire > the

Re: Exploit for DNS Cache Poisoning - RELEASED

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- "Robert D. Scott" <[EMAIL PROTECTED]> wrote: >Now, there is an exploit for it. > >http://www.caughq.org/exploits/CAU-EX-2008-0002.txt Now also (mirrored) here: http://www.milw0rm.com/exploits/6122 ...and probably a slew of other places, too.

Re: Exploit for DNS Cache Poisoning - RELEASED

On Wed, 2008-07-23 at 21:17 -0400, Joe Abley wrote: > Luckily we have the SSL/CA architecture in place to protect any web > page served over SSL. It's a good job users are not conditioned to > click "OK" when told "the certificate for this site is invalid". 'course, as well as relying on users

Re: Exploit for DNS Cache Poisoning - RELEASED

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Joe Abley <[EMAIL PROTECTED]> wrote: >It's a good job users are not conditioned to click "OK" when >told "the certificate for this site is invalid". I appreciate your sense of humor. ;-) - - ferg -BEGIN PGP SIGNATURE- Version: PGP Desk

Re: Exploit for DNS Cache Poisoning - RELEASED

On 23 Jul 2008, at 18:30, Joe Greco wrote: So, I have to assume that I'm missing some unusual aspect to this attack. I guess I'm getting older, and that's not too shocking. Anybody see it? Perhaps what you're missing can be found in the punchline to the transient post on the Matasano Se

Re: Exploit for DNS Cache Poisoning - RELEASED

On Jul 23, 2008, at 5:30 PM, Joe Greco wrote: Maybe I'm missing it, but this looks like a fairly standard DNS exploit. Keep asking questions and sending fake answers until one gets lucky. It certainly matches closely with my memory of discussions of the weaknesses in the DNS protocol from

Re: Exploit for DNS Cache Poisoning - RELEASED

> > Now, there is an exploit for it. > > http://www.caughq.org/exploits/CAU-EX-2008-0002.txt > For anyone looking to use it, you MUST update the frameworks libraries. Some of the code only came out ~5 hours ago that it needs. Tuc/TBOH

Re: Exploit for DNS Cache Poisoning - RELEASED

Hi, On Jul 23, 2008, at 3:51 PM, Robert D. Scott wrote: Actually you are not missing anything. It is a brute force attack. I haven't looked at the exploit code, but the vulnerability Kaminsky found is a bit more than a brute force attack. As has been pointed out in various venues, it takes

Re: Exploit for DNS Cache Poisoning - RELEASED

Joe Greco wrote: So, I have to assume that I'm missing some unusual aspect to this attack. I guess I'm getting older, and that's not too shocking. Anybody see it? AFAIK, the main novelty is the ease with which bogus NS records can be inserted. It may be hard to get a specific A record (www.

RE: Exploit for DNS Cache Poisoning - RELEASED

Cc: [EMAIL PROTECTED] Subject: Re: Exploit for DNS Cache Poisoning - RELEASED > Now, there is an exploit for it. > > http://www.caughq.org/exploits/CAU-EX-2008-0002.txt Maybe I'm missing it, but this looks like a fairly standard DNS exploit. Keep asking questions and sending fake answ

Re: Exploit for DNS Cache Poisoning - RELEASED

> Now, there is an exploit for it. > > http://www.caughq.org/exploits/CAU-EX-2008-0002.txt Maybe I'm missing it, but this looks like a fairly standard DNS exploit. Keep asking questions and sending fake answers until one gets lucky. It certainly matches closely with my memory of discussions of