diff options
Diffstat (limited to 'informationals/teso-i0006.txt')
| -rw-r--r-- | informationals/teso-i0006.txt | 84 |
1 files changed, 84 insertions, 0 deletions
diff --git a/informationals/teso-i0006.txt b/informationals/teso-i0006.txt new file mode 100644 index 0000000..0825ad8 --- /dev/null +++ b/informationals/teso-i0006.txt | |||
| @@ -0,0 +1,84 @@ | |||
| 1 | 0006 2000/01/23 Nameserver traffic amplify (x 10-30) and NS route discovery | ||
| 2 | |||
| 3 | ==== TESO Informational ======================================================= | ||
| 4 | This piece of information is to be kept confidential. | ||
| 5 | =============================================================================== | ||
| 6 | |||
| 7 | Description ..........: NS traffic amplify (x 10-30) and NS route discovery | ||
| 8 | Date .................: 2000/01/23 11:15 | ||
| 9 | Author ...............: scut | ||
| 10 | Publicity level ......: unknown | ||
| 11 | Affected .............: Nameservers | ||
| 12 | Type of entity .......: Protocol | ||
| 13 | Type of discovery ....: interesting information, denial of service attack | ||
| 14 | Severity/Importance ..: medium | ||
| 15 | Found by .............: scut | ||
| 16 | |||
| 17 | Information =================================================================== | ||
| 18 | |||
| 19 | When a nameserver receives a query, most nameservers usually just start | ||
| 20 | forwarding the query to some other nameserver. There can be quite a long path | ||
| 21 | of forwarding queries. However if the query is not resolvable because there | ||
| 22 | is no nameserver listening on the remote host every forwarding nameserver will | ||
| 23 | start to resolve it on their own, by querying the authoritative nameserver | ||
| 24 | themselves. In the default configuration each nameserver will send the query | ||
| 25 | three times, after 0, 12 and 24 seconds, ymmv. | ||
| 26 | |||
| 27 | This can be used to discover the path of nameservers. To do this an attacker | ||
| 28 | would query the first nameserver for a domain he can see the packets on, at | ||
| 29 | best the domain points to the query host itself. Then he would record all | ||
| 30 | nameservers that send out a packet to himself. After having done this he would | ||
| 31 | try with another nameserver of the ones he got queries from. In the best case | ||
| 32 | he will receive a queries from all hosts but one missing. The missing one is | ||
| 33 | the first host in the route. After having reduced the list by one he will | ||
| 34 | start over with the reduced list until there is only one nameserver remaining, | ||
| 35 | which is the last in the querying chain. | ||
| 36 | |||
| 37 | Through seeking especially long paths, where a lot of nameservers are queried, | ||
| 38 | this can be abused then as a traffic amplify bandwidth attack, as shown below. | ||
| 39 | Since the important entries such as the NS entry is in the cache of each | ||
| 40 | nameserver after the first query, the attack is very fast pacing after the | ||
| 41 | first query, since no additional packets to the attacker are send and the | ||
| 42 | attacker can spoof the UDP query packets. If the attacker is clever he would | ||
| 43 | use a very short lifetime for his NS entry, while using a long lifetime for | ||
| 44 | the victim subdomain. After the first query succeeded he will just shut his | ||
| 45 | nameserver down and send out spoofed query packets at a very fast rate. | ||
| 46 | |||
| 47 | In this case a query was issued to ns1 asking about a host within a domain that | ||
| 48 | host "victim" has an NS entry for. But there is no nameserver running on victim, | ||
| 49 | therefore all queries remain unanswered, and after a short time all nameservers | ||
| 50 | that indirectly received the query are starting to query on their own. The host | ||
| 51 | "victim" is in this case the victim host which gets the whole traffic load. To | ||
| 52 | use this to attack someone you just have to create an NS entry for the victim | ||
| 53 | host, for example you own the NS for the domain "foobar.org", then you have to | ||
| 54 | create a NS entry "bla.foobar.org" that points to the victim host. After that, | ||
| 55 | you query as much nameservers as possible for "<random>.bla.foobar.org". | ||
| 56 | |||
| 57 | 08:07:24.943598 ns2.domain > victim.domain: 15121 (35) | ||
| 58 | 08:07:32.747253 ns3.domain > victim.domain: 8536 (35) | ||
| 59 | 08:07:32.832604 ns2.domain > victim.domain: 15121 (35) | ||
| 60 | 08:07:39.819289 ns3.domain > victim.domain: 8536 (35) | ||
| 61 | 08:07:40.670228 ns1.1025 > victim.domain: 56483 (35) | ||
| 62 | 08:07:44.405556 ns4.domain > victim.domain: 5306 (35) (DF) | ||
| 63 | 08:07:48.928981 ns2.domain > victim.domain: 15121 (35) | ||
| 64 | 08:07:52.669825 ns1.1025 > victim.domain: 56483 (35) | ||
| 65 | 08:07:56.107063 ns3.domain > victim.domain: 8536 (35) | ||
| 66 | 08:07:56.471586 ns4.domain > victim.domain: 5306 (35) (DF) | ||
| 67 | 08:08:04.938187 ns6.domain > victim.domain: 26706 (35) | ||
| 68 | 08:08:12.372097 ns5.2187 > victim.domain: 2352 (35) | ||
| 69 | 08:08:13.826464 ns6.domain > victim.domain: 26706 (35) | ||
| 70 | 08:08:16.669021 ns1.1025 > victim.domain: 56483 (35) | ||
| 71 | 08:08:20.603050 ns4.domain > victim.domain: 5306 (35) (DF) | ||
| 72 | 08:08:24.365990 ns5.2187 > victim.domain: 2352 (35) | ||
| 73 | 08:08:30.873233 ns6.domain > victim.domain: 26706 (35) | ||
| 74 | 08:08:32.658479 ns1.domain > victim.1025: 298 ServFail 0/0/0 (35) | ||
| 75 | 08:08:48.369725 ns5.2187 > victim.domain: 2352 (35) | ||
| 76 | |||
| 77 | As you can see there are five nameservers who indirectly got the query. "ns1" | ||
| 78 | is the nameserver that got the original query which was 35 bytes in length. Now | ||
| 79 | all nameservers started to send out queries, three per nameserver. Since six | ||
| 80 | nameservers have done this, the amplify ratio is about 18 (35 * 6 * 3 = 630) | ||
| 81 | in this case. | ||
| 82 | |||
| 83 | =============================================================================== | ||
| 84 | |||