Attacking networks using DHCP, DNS - probably kills DNSSEC
Somebody did an interesting attack on a cable network's customers.
They cracked the cable company's DHCP server, got it to provide a
"Connection-specific DNS suffix" pointing to a machine they owned,
and also told it to use their DNS server.
This meant that when your machine wanted to look up yahoo.com,
it would look up yahoo.com.attackersdomain.com instead.
This looks like it has the ability to work around DNSSEC.
Somebody trying to verify that they'd correctly reached yahoo.com
would instead verify that they'd correctly reached
yahoo.com.attackersdomain.com, which can provide all the signatures
it needs to make this convincing.
So if you're depending on DNSSEC to secure your IPSEC connection,
do make sure your DNS server doesn't have a suffix of echelon.nsa.gov...
------------------------------
RISKS-LIST: Risks-Forum Digest Saturday 17 June 2003 Volume 22 : Issue 78
http://catless.ncl.ac.uk/Risks/22.78.html
------------------------------
Date: Fri, 20 Jun 2003 15:33:15 -0400
From: Tom Van Vleck
participants (1)
-
Bill Stewart
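
The suffix substitution described in the post can be checked for on a client. The following is an added example, not part of the original post: it models the `search`/`ndots` rules of a Unix-style resolv.conf(5) rather than the Windows setting the post names, and the sample config, the `corp.example` allowlist and all function names are constructed for illustration.

```python
# Added example: audit a resolv.conf-style config for a DNS suffix that a
# compromised DHCP server could have pushed. Sample data is constructed.
SAMPLE_RESOLV_CONF = """\
# constructed sample, as a DHCP client might have written it
nameserver 192.0.2.53
search attackersdomain.com
options ndots:2
"""

def parse_resolv_conf(text):
    """Return (search_list, ndots, nameservers) from resolv.conf-style text."""
    search, ndots, servers = [], 1, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key in ("search", "domain"):
            search = [a.rstrip(".").lower() for a in args]  # last entry wins
        elif key == "nameserver" and args:
            servers.append(args[0])
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    ndots = int(opt[len("ndots:"):])
    return search, ndots, servers

def candidate_queries(name, search, ndots=1):
    """Names a stub resolver tries, in order, following resolv.conf(5)."""
    if name.endswith("."):
        return [name]                      # fully qualified: no suffix is appended
    absolute = name + "."
    suffixed = [f"{name}.{s}." for s in search]
    if name.count(".") >= ndots:
        return [absolute] + suffixed       # real name first, suffixes on failure
    return suffixed + [absolute]           # suffixes first: the case in the post

def audit(text, allowed_suffixes, probe="yahoo.com"):
    """Flag search suffixes outside the allowlist and show the first query sent."""
    search, ndots, servers = parse_resolv_conf(text)
    allowed = {s.lower() for s in allowed_suffixes}
    first = candidate_queries(probe, search, ndots)[0]
    return {
        "unexpected_suffixes": [s for s in search if s not in allowed],
        "first_query": first,
        "suffix_tried_first": first != probe + ".",
        "nameservers": servers,
    }
```

A name validated by the application should be the fully qualified one (trailing dot), so that whatever signatures are checked cover the name the user meant rather than the suffixed one.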