>
> Ok. No one seems to want to talk about whether the DNS running on
> a firewall can have information deliberately injected into it from
> outside, thereby rerouting e-mail and everything else that uses the DNS.
> Am I missing something here or does this seem to be a potential problem?
I never saw this question.
Here's my fear and I'd like someone to tell me why this scenario
can't work:
1. Pick a target site DNS host.
2. Hit it with a gentle stream of UDP DNS replies giving
a false IP address for a well-known ftp site such as ftp.uu.net.
This should be easy because a.) UDP doesn't even use sequence
numbers and b.) replies usually go back to UDP port 53.
A complication here is that the reply would probably have to appear
to come back from the root name server that was actually queried. The
way around this would be to hit the DNS host with replies from
_all_ the root servers. (All you really have to do is send back a
false SOA record, and in fact, once you've succeeded in this, that
record will be cached for the default time-out, which could be quite
some time.)
3. Eventually, an actual request from the victim site will go out and
the victim DNS host will accept the next response back. There is
a good (though not 100%) chance that it will be the false response.
4. The false address is, of course, a cracker site carefully
set up to look like the real one.
5. Supply same software, but with malicious code inserted.
Now, how do you predict what software someone is going to get from
a particular site?
Well, April 5th comes to mind. In our bids to be the first to get SATAN,
many of us will be ftp'ing like crazy to just one of a few sites and
most will try ftp.win.tue.nl. That makes prediction really easy.
Now perhaps more experienced beings will tell me why this can't work.
By the way, if I am right, you should ftp to the SATAN site by IP
address after having confirmed it in some reasonable way. And its
address is 137.18.128.254... Just kidding! A DNS lookup tells me
it is 131.155.70.19 and a whois confirms that it is at least the
right Class B.
dorian
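As an added example (not part of this thread, and not anyone's resolver code), here is the check a resolver should apply before trusting a UDP reply: it must match an outstanding query by transaction ID, the local port the query left from, the server address the query went to, and the question section, and it is consumed after one use. The address 192.0.2.53 and the messages are constructed for the demonstration; name compression in the question section is assumed absent and is not handled.

```python
import struct

# Constructed in-memory table of outstanding queries:
# (txid, local_port) -> (server_addr, qname, qtype)
PENDING = {}

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_message(txid, is_response, qname, qtype=1):
    """Constructed DNS header plus one question (class IN); answer records are
    omitted because the checks below stop at the question section."""
    flags = 0x8180 if is_response else 0x0100      # QR|RD|RA vs. RD only
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def parse_question(msg):
    """Return (txid, flags, qname, qtype); assumes an uncompressed question."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while msg[pos]:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype = struct.unpack("!H", msg[pos + 1:pos + 3])[0]
    return txid, flags, ".".join(labels) + ".", qtype

def send_query(txid, local_port, server_addr, qname, qtype=1):
    """Record the query we are about to send and return its wire form."""
    PENDING[(txid, local_port)] = (server_addr, qname, qtype)
    return build_message(txid, False, qname, qtype)

def accept_reply(reply, from_addr, local_port):
    """True only if the reply answers a query we actually sent."""
    txid, flags, qname, qtype = parse_question(reply)
    if not flags & 0x8000:                  # QR bit must be set on a response
        return False
    pending = PENDING.get((txid, local_port))
    if pending is None:                     # nothing outstanding: unsolicited
        return False
    server_addr, want_name, want_type = pending
    if from_addr != server_addr:            # must come from the server we asked
        return False
    if (qname.lower(), qtype) != (want_name.lower(), want_type):
        return False                        # answers a different question
    del PENDING[(txid, local_port)]         # one reply per query; drop repeats
    return True
```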