So the internet as we know it is extremely broken.  And for some reason no one seems to know about it.  Except us g33ks who run it.  Seriously, it’s so broken that it should be headlining on CNN.  But nothing.

A few months back we got notification from the US Govt that Dan Kaminsky had identified a major hole in the protocol spec for DNS.  It had to do with DNS only using a very limited number of source ports for sending out its requests.  Along with this limited number of source ports, it uses a 16-bit transaction ID on each of the packets.

Kaminsky had identified that you could force a remote DNS server to do a query for 1.cian.ca, then 2.cian.ca, then 3.cian.ca, etc.  Then, while it’s waiting for the real cian.ca nameserver to respond, you flood it with a whole bunch of packets to that limited number of ports, each packet guessing the 16-bit transaction ID.  Given the limitations DNS had before, you could have a 60% chance of getting it right considering how many packets you were sending.

The real trick was to respond with the answer for 3.cian.ca, but then add (as the DNS spec allows) an “Additional Information” section carrying authoritative records for the NAMESERVERS of cian.ca.  So even if your target had already cached the nameservers for cian.ca, you can re-point that domain to any IP you wish, on whatever target nameserver you wish.

So think about targeting AOL customers.  Then think about overwriting microsoft.com, or cnn.com, or how about royalbank.com.  Now it’s getting scary.  And up until we all patched, that really wouldn’t have been very hard to do.

So everyone patches.  It’s the biggest co-ordinated upgrade in history.  And we were all pretty quiet about it.

Now what is happening is that the source port is being randomized for queries.  So now you have about 64 thousand ports to guess in addition to the 16-bit number.  This is about 2 to the 27-ish possibilities.
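Added example, not from the original post: a Python check a defender can run over (source port, transaction ID) pairs captured from their own resolver’s outbound queries, to tell whether it is still in the pre-patch state described above (one fixed port, only the 16-bit TXID to guess) or is randomizing both fields. The captures below are constructed samples, not real traffic.

```python
import math
import random
from collections import Counter


def entropy_bits(values):
    """Shannon entropy of a sample, in bits.  A constant stream scores 0;
    n distinct values spread evenly score log2(n)."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def assess_resolver(observations):
    """observations: (source_port, txid) pairs taken from a resolver's own
    outbound queries (e.g. a packet capture on its uplink).  Returns how much
    randomness each field showed and the size of the space an attacker would
    have to cover to hit this resolver's outstanding query (sample estimate)."""
    if len(observations) < 2:
        raise ValueError("need at least two observed queries")
    ports = [p for p, _ in observations]
    txids = [t for _, t in observations]
    max_bits = math.log2(len(observations))   # best any sample this size can score
    port_bits = entropy_bits(ports)
    distinct_ports = len(set(ports))
    return {
        "port_bits": port_bits,
        "txid_bits": entropy_bits(txids),
        "distinct_ports": distinct_ports,
        # Near-maximal entropy in the sample means the port is being randomized.
        "randomized_ports": port_bits >= 0.9 * max_bits,
        # TXIDs counting up by one are as bad as a fixed port: trivially predictable.
        "sequential_txids": all(b - a == 1 for a, b in zip(txids, txids[1:])),
        # 16-bit TXID plus however many ports this resolver was seen to use.
        "guess_space_bits": 16 + math.log2(distinct_ports),
    }


# Constructed sample: pre-patch resolver, one fixed source port, TXIDs counting up.
UNPATCHED = [(32768, 4000 + i) for i in range(64)]

# Constructed sample: patched resolver, random ephemeral port and random TXID
# (seeded so the run is repeatable).
_rng = random.Random(2008)
PATCHED = [(_rng.randint(1024, 65535), _rng.randint(0, 65535)) for _ in range(64)]

if __name__ == "__main__":
    for name, sample in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(name, assess_resolver(sample))
```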

Dan Kaminsky has now also successfully demonstrated that with a Gig connection and two attacking hosts, he can redirect nameservers within about 10 hours (instead of seconds).  That’s only using 2 hosts.

What would happen if you say…had a botnet of a couple million?  Divide them up, assign a couple per port, and have them co-ordinate an attack on a nameserver?  You could literally redirect at will.

And I’m sure it’s being done right now.  Think it will be a while before I log into paypal, ebay, gmail, banking…..oh shit….how the hell can I do that?!?!?

Now…CNN, CBC, all you guys, WHERE THE FUCK IS THE NEWS ABOUT THIS?!?!?!?!?!?!?!
