dig source port patch

Simon Waters Simon at wretched.demon.co.uk
Mon Sep 1 13:53:53 UTC 2003


Jim Reid wrote:
>

... SNIP stuff about if attacker can see query...

> Even if the attacker can't see the
> name server's queries -- nobody should assume that -- the name spaces
> for both source port numbers and query IDs are only 64k each. So this
> is easily overcome with a brute force flood attack, except for the
> script kiddies who don't have ready access to the bandwidth to pump
> out 64k * 64k spoof responses in less than (say) 5 seconds.

The limitation also applies to the pipe the machine being attacked is on,
even assuming said attacker has an army of machines to attack the DNS
server with any arbitrarily large amount of traffic.

64,000 x 128 bytes (approximate packet size) x 8 bits/byte / 5 seconds
gives a result of ~10Mbps, or about what many hosted servers might be able
to receive.

64,000 x 10Mbps is substantially more bandwidth than most DNS servers
have (or can handle) in my experience.

Although obviously the anonymous port range is much smaller than the
total number of possible ports, and if you can fingerprint the OS you
may be able to predict the range much more accurately. Other factors
will also reduce the bandwidth needed, like flooding out the genuine
answers.

It isn't clear to me the technique is without merit, but then I haven't
actually tried spoofing anyone's DNS this way - yet ;-).

Have you successfully spoofed a DNS cache blind?

> TSIG or DNSSEC are the only viable ways of preventing DNS spoofing.

I agree the method is not THE solution; I was merely pointing out that
fixing the source port to 53 is entirely the opposite security approach
to that taken by others. I think the OP should appreciate that, and can
make up his own mind on the merits. It may be that his firewall would defeat
such a strategy if, say, it utilised NAT and allocated Internet-facing
ports predictably.

Either way, a firewall or network monitoring (the BIND log file if all
else fails!?) smart enough to report that something odd is happening is
probably the only response most sites will have in place in the event of
an attempted spoof.
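The bandwidth arithmetic in the post above, generalised to compare source-port policies. This is an added illustration, not code from the post or from BIND; it uses the post's 128-byte packet and 5-second window, a full 16-bit query ID space (65,536 rather than the post's rounded 64k), and assumed example port-range sizes for each policy.

```python
"""Estimate the flood rate a blind DNS cache-spoofing attempt would need.

Added illustration, not part of the original mailing-list post. It takes
the post's figure (one 16-bit query ID space x 128-byte packets in 5 s)
and scales it by the size of the source-port range a resolver uses, so
the value of port randomisation can be compared against a fixed port 53.
Scenario names and port-range sizes are assumed example values.
"""
from typing import Dict, List, Tuple

PACKET_BYTES = 128          # approximate spoofed response size, as in the post
QUERY_ID_SPACE = 65536      # 16-bit DNS transaction ID
WINDOW_SECONDS = 5.0        # time before the genuine answer arrives


def candidates(port_range_size: int, id_space: int = QUERY_ID_SPACE) -> int:
    """Number of (source port, query ID) pairs a blind attacker must cover."""
    if port_range_size < 1 or id_space < 1:
        raise ValueError("ranges must be positive")
    return port_range_size * id_space


def required_rate_bps(port_range_size: int, packet_bytes: int = PACKET_BYTES,
                      window_seconds: float = WINDOW_SECONDS) -> float:
    """Bits per second needed to send every candidate inside the window."""
    return candidates(port_range_size) * packet_bytes * 8 / window_seconds


def risk_table(scenarios: Dict[str, int]) -> List[Tuple[str, int, float]]:
    """Rows of (policy name, ports in range, Mbit/s), least resistant first."""
    rows = [(name, ports, required_rate_bps(ports) / 1e6)
            for name, ports in scenarios.items()]
    return sorted(rows, key=lambda row: row[2])


# Assumed example policies (constructed for illustration, not measured):
SCENARIOS = {
    "fixed source port 53": 1,                  # only the query ID protects you
    "narrow ephemeral range (4,000 ports)": 4000,
    "full random port (64,000 ports)": 64000,
}

if __name__ == "__main__":
    for name, ports, mbps in risk_table(SCENARIOS):
        print(f"{name:40s} {ports:6d} ports  ~{mbps:,.0f} Mbit/s")
```

With a fixed port the flood is roughly 13 Mbit/s, in line with the post's ~10Mbps; each extra bit of port entropy doubles that figure.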