[conspire] (forw) Re: [OT] Monash University controls the Roman Catholic Church in Ukraine

Rick Moen rick at linuxmafia.com
Thu Apr 27 12:01:27 PDT 2006

The DNS survey Keith refers to is described at
http://www.cs.cornell.edu/people/egs/beehive/dnssurvey.html .

----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----

Date: Thu, 27 Apr 2006 11:57:44 -0700
To: luv-main at luv.asn.au
From: Rick Moen <rick at linuxmafia.com>
Subject: Re: [OT] Monash University controls the Roman Catholic Church in Ukraine

Quoting Keith Owens (kaos at ocs.com.au):

> A survey of DNS security[1] has this lovely quote
>   "A cracker that controls a nameserver at Monash University in
>   Australia can end up controlling the resolution of the web site for
>   the Roman Catholic Church in Ukraine. Legacy DNS creates a small
>   world after all".
> It is scary to see how [potentially] insecure the DNS mesh is.

Dan Kaminsky gave an amazingly entertaining and enlightening lecture at
the LISA 2005 conference, in part about his own studies of the global
DNS, to determine among other things how vulnerable to cache poisoning 
it is:  Answer: a great deal.  There are way, way too many vulnerable 
BIND8, BIND4 and other (e.g., Microsoft) nameservers out there.

Dan was able to set up a machine with sufficient bandwidth and
horsepower that it's been able to conduct scans of all IP space,
everywhere, doing various tests and mapping out all responding
nameservers.  He says he "got calls from some very scary places" in so
doing (since such scans normally precede a large-scale network attack),
but he's been able to placate them.  (The IP reverse-resolves to 
"infrastructure-audit-1.see-port-80.doxpara.com", the Web pages on
which explain his probes when they're active, and include his cellular
number for any inquiries.)

Also, if you do a "whois" on his netblock, you get return values that
include these lines:

  Comment:    This is a security research project, please send all
  Comment:    abuse and alert requests to dan at doxpara.com.

His summary results (from 50GB of collected data) included:

o  He profiled 2.5M verified nameservers.  (There may be up to 9M 
   total, but 2.5M responded.)
o  Almost 10% of them, 230 thousand, forwarded queries to BIND8.  Eek!
o  At least 13 thousand Windows nameservers forward to BIND8.
o  He found probable evidence of large-scale cache poisoning already
   in progress, but isn't yet ready to discuss details.

As an afterthought, he realised that his test harness also enabled him
to estimate the penetration of Sony's infamous Windows rootkit, as
measured by its effect on the world's nameservers:  All infected
machines' rootkit software feeds data back to connected.sonymusic.com,
reached by hostname (thus entailing resolution at some local nameserver,
which thus loads its cache).  Dan thus used his census of the world's
nameservers to send each a non-recursive "A" query:  This returned the
matching IP if and only if the value was already cached.

Result:  He found 556 thousand nameserver hosts with the cached value -- 
a quarter of the world.  (This is _after_ massive publicity and
large-scale attempts to purge the rootkit.)  Oddly, these were spread
across 165 countries, which suggests this reflects bootlegging of
USA-labelled music CDs.

Interesting remaining questions include estimating (through
traffic-level studies) how many infected Windows clients this result

...and he's working on other ways to further exploit his DNS data.

Dan's a maniac.  At the _prior_ LISA conference, he'd demonstrated
streaming audio over DNS packets -- to illustrate exactly how porous
most people's "firewall" strategies are.  Because he heard that many
people had dismissed that as "Well, that's just low bitrate; couldn't be
significant", _this_ year, he demonstrated streaming _video_ over DNS.

You can get the slides and complete MP3 of this talk from USENIX, at 
http://www.usenix.org/events/lisa05/tech/ .  It was called 
"Network Black Ops: Extracting Unexpected Functionality from Existing
Networks".  Recommended.

> http://beehive.cs.cornell.edu:9000/dependences?q=<your site name>.
> Mine comes out at 282 name servers!

22 for linuxmafia.com, and only the ones that need to be there.  ;->

----- End forwarded message -----
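The probe Rick describes above (sending each nameserver a non-recursive
"A" query, which returns an address only if the record is already in that
server's cache) is what is usually called DNS cache snooping. The
following is an added example of that technique, not code from the
original post, from Dan Kaminsky's survey or from the Cornell study: it
builds the query with the RD (recursion desired) bit clear, parses a
reply, and classifies the result. The hostname is the one named in the
message; the replies are constructed byte strings (192.0.2.10 is a
documentation address), and the build_response helper exists only to
fabricate them so the example runs offline.

```python
"""DNS cache snooping with a non-recursive A query (added example).

Wire format per RFC 1035.  Nothing here talks to a real server: the
"responses" are constructed byte strings used to show how the outcome of
such a probe is read.  Addresses and TTLs are illustrative.
"""
from __future__ import annotations

import secrets
import struct

QTYPE_A, QCLASS_IN = 1, 1
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(lb)]) + lb.encode("ascii")
                    for lb in name.rstrip(".").split(".")) + b"\x00"


def build_query(name: str, recursion_desired: bool = False, qid: int | None = None) -> bytes:
    """Build an A/IN query.  With recursion_desired=False the RD bit is clear, so a
    caching resolver answers from cache only instead of fetching the name for us."""
    qid = secrets.randbits(16) if qid is None else qid
    flags = FLAG_RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)   # QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a (possibly compressed) name; return (name, offset just after it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg: bytes) -> dict:
    """Parse the header, skip the question section, collect A records from answers."""
    qid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                         # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if (rtype, rclass, rdlen) == (QTYPE_A, QCLASS_IN, 4):
            answers.append((name, ".".join(map(str, rdata)), ttl))
    return {"id": qid, "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
            "ra": bool(flags & FLAG_RA), "rcode": flags & 0xF, "answers": answers}


def classify(query: bytes, response: bytes) -> str:
    """Interpret the reply to a non-recursive probe.  An answer with AA clear means
    the record came out of the server's cache; AA set means we hit an authoritative
    server for the zone, which proves nothing about caching."""
    r = parse_response(response)
    if r["id"] != struct.unpack_from("!H", query)[0] or not r["qr"]:
        return "invalid"                                 # not a reply to our probe
    if r["rcode"] == 5:
        return "refused"                                 # server rejects our queries
    if r["rcode"] != 0:
        return "error"
    if not r["answers"]:
        return "not-cached"
    return "authoritative" if r["aa"] else "cached"


def build_response(query: bytes, a_records: list[tuple[str, int]]) -> bytes:
    """Constructed test data only: echo the question, append A records (ip, ttl)
    whose owner name is a pointer (0xC00C) back to the question name."""
    qid = struct.unpack_from("!H", query)[0]
    header = struct.pack("!HHHHHH", qid, FLAG_QR | FLAG_RA, 1, len(a_records), 0, 0)
    body = query[12:]                                    # question section as sent
    for ip, ttl in a_records:
        rdata = bytes(int(o) for o in ip.split("."))
        body += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + rdata
    return header + body


if __name__ == "__main__":
    probe = build_query("connected.sonymusic.com", recursion_desired=False, qid=0x1234)
    hit = build_response(probe, [("192.0.2.10", 1337)])   # constructed reply
    miss = build_response(probe, [])                       # constructed reply
    print(classify(probe, hit), classify(probe, miss))     # cached not-cached
```

Against a live resolver the probe bytes would go out over UDP port 53 and
the raw reply would be handed to classify(). Two things a practitioner
checks beyond the yes/no: a genuine cache hit carries a TTL lower than the
zone's configured value and decreasing between probes, and servers that
answer REFUSED (rcode 5) to non-recursive queries from strangers are the
ones that do not leak this information.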
