[ISN] Researcher's hypothesis may expose uber-secret DNS flaw

From: InfoSec News <alerts_at_private>
Date: Wed, 23 Jul 2008 02:39:17 -0500 (CDT)

By Dan Goodin in San Francisco
The Register
21st July 2008

Two weeks ago, when security researcher Dan Kaminsky announced a 
devastating flaw in the internet's address lookup system, he took the 
unusual step of admonishing his peers not to publicly speculate on the 
specifics. The concern, he said, was that online discussions about how 
the vulnerability worked could teach black hat hackers how to exploit it 
before overlords of the domain name system had a chance to fix it.

That hasn't stopped researcher Halvar Flake from posting a hypothesis 
[1] that several researchers say is highly plausible. It describes a 
simple method for tampering with DNS name servers that get queried when 
a user tries to visit a specific website. As a result, attackers would 
redirect someone trying to visit a site such as bankofamerica.com to an 
impostor site that steals their credentials.

The recipe calls for the attacker to flood a DNS server with multiple 
requests for domain names, for instance www.ulam00001.com, 
www.ulam00002.com and so on. Since the name server hasn't seen these 
requests before, it queries a root server for the name server that 
handles lookups for domains ending in .com. The attacker then uses the 
information to send fraudulent lookup information to the DNS server and 
make it appear as if it came from the authoritative .com name server. 
With enough requests, eventually one of the spoofed requests will match 
and the IP address for a requested domain will be falsified.

[1] http://addxorrol.blogspot.com/


Attend Black Hat USA, August 2-7 in Las Vegas, 
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings 
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.  
Visit product displays by 30 top sponsors in 
a relaxed setting. http://www.blackhat.com
Received on Wed Jul 23 2008 - 00:39:17 PDT

This archive was generated by hypermail 2.2.0 : Wed Jul 23 2008 - 00:53:01 PDT