Re: NT DNS hacked ... ?

From: bobk (bobkat_private)
Date: Fri Nov 13 1998 - 15:24:30 PST

    On Fri, 13 Nov 1998, Marc Slemko wrote:
    
    > On Thu, 12 Nov 1998, John Fraizer wrote:
    >
    > > You weren't hacked.  It was NetSol/InterNIC showing us just how lame they
    > > are again by corrupting root servers.
    > >
    > > http://www.news.com/News/Item/0,4,28664,00.html?st.ne.fd.mdh
    >
    > The above is unrelated to the below, AFAIK.
    >
    > > At 11:47 AM 11/11/98 -0500, you wrote:
    > > >Anyone running MS's DNS notice, overnight or so, their cache files
    > > >(specifically the root name servers) replaced with a handful of entries for
    > > >allegro.net ... ?
    >
    >
    > The only thing that the Internic being idiots would have done, as far as I
    > have any evidence of, is claim that .com domains do not exist.
    >
    > If your nameserver's cache was corrupted to think that allegro.net is
    > authoritative for .com (or .), then that is NOT related.  While I would
    > need exact output from sample queries to the server to tell for sure, it
    > would appear that, if what the poster above said is true, the software
    > they are running is vulnerable to cache pollution, just like old versions
    > of BIND are.  This is quite bad, both because someone with malicious
    > intent can do evil things and because there are an increasing number of
    > accidental situations where people somehow misconfigure their servers to
    > claim false authority.
    
    For some reason, my first message on this topic was not accepted by
    Aleph1. Hence, I will attempt to repeat what I sent upon the first report
    of this problem to this list:
    
    Microsoft's DNS server is vulnerable to two different types of
    cache-poisoning attacks, while the latest versions of BIND are only known
    to be vulnerable to one type:
    
    "cache corruption through attachment of unrelated additional records" is
    the simpler of the two methods, and is the one most likely used to corrupt
    your server. As far as I know, there is no Microsoft fix for this. BIND
    used to be vulnerable to this, but the latest versions of it are not.
    
    "cache corruption through sequence ID prediction" is a more complex
    attack. Both Microsoft and BIND are vulnerable to this. Luckily, there
    aren't many crackers attempting to use this, as far as I can tell. There
    is no complete protection for this attack, even though vendors of DNS
    software have known about the vulnerability for years.
    
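    The two protections the post contrasts (refusing additional records that fall outside the queried server's bailiwick, and refusing replies whose transaction ID does not match the outstanding query) can be shown as the acceptance logic of a caching resolver. The following is an added illustration written for this archive page; it is not code from the post, from Microsoft's DNS server or from BIND. Records are modelled as plain dataclasses rather than wire format, the zone name used as the bailiwick, the record names and the addresses in the sample response are all constructed, and the "poison" names are placeholders.

```python
"""Bailiwick and transaction-ID acceptance checks for a caching resolver.

Added illustration only; not the code of any real DNS implementation.
A queried server is trusted only for names inside the zone it was
delegated for (its "bailiwick"), so an unrelated NS or glue record for
"." or "com." riding along in the authority/additional sections is
discarded instead of cached.  A reply is considered at all only if its
16-bit transaction ID and question match an outstanding query.
"""
from dataclasses import dataclass, field
import secrets


@dataclass(frozen=True)
class RR:
    name: str    # owner name, e.g. "www.example.com."
    rtype: str   # "A", "NS", ...
    rdata: str   # address or target name, kept as text here


@dataclass
class Response:
    txid: int
    qname: str
    qtype: str
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)


@dataclass
class PendingQuery:
    txid: int
    qname: str
    qtype: str
    bailiwick: str   # zone the queried server is delegated for


def normalize(name: str) -> str:
    """Lower-case and make fully qualified so comparisons are exact."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is zone itself or lies below it; the root covers all."""
    name, zone = normalize(name), normalize(zone)
    if zone == ".":
        return True
    return name == zone or name.endswith("." + zone)


def new_pending(qname: str, qtype: str, bailiwick: str) -> PendingQuery:
    """Outstanding query with a CSPRNG transaction ID (not a counter),
    which is the usual defence against sequence-ID prediction."""
    return PendingQuery(secrets.randbelow(1 << 16), normalize(qname),
                        qtype, normalize(bailiwick))


def accept_response(pending: PendingQuery, response: Response):
    """Return (accepted, rejected) record lists, or None when the reply
    does not correspond to the outstanding query at all."""
    if (response.txid != pending.txid
            or normalize(response.qname) != pending.qname
            or response.qtype != pending.qtype):
        return None
    accepted, rejected = [], []
    for rr in response.answer + response.authority + response.additional:
        target = accepted if in_bailiwick(rr.name, pending.bailiwick) else rejected
        target.append(rr)
    return accepted, rejected


def demo():
    """Constructed reply: a correct answer plus out-of-bailiwick records
    claiming authority for the root, of the kind described in the post."""
    pending = PendingQuery(0x1234, "www.example.com.", "A", "example.com.")
    reply = Response(
        0x1234, "www.example.com.", "A",
        answer=[RR("www.example.com.", "A", "192.0.2.10")],
        authority=[RR(".", "NS", "ns.poison.example.")],            # placeholder
        additional=[RR("ns.poison.example.", "A", "192.0.2.66"),    # placeholder
                    RR("ns1.example.com.", "A", "192.0.2.1")],
    )
    return accept_response(pending, reply)


if __name__ == "__main__":
    accepted, rejected = demo()
    print("cached:  ", accepted)
    print("dropped: ", rejected)
```

    Only the records for names under example.com. reach the cache; the NS record for "." and its glue are dropped, and a reply carrying a wrong transaction ID is ignored before any record is even examined.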



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:23:10 PDT