Attacking networks using DHCP, DNS - probably kills DNSSEC

Bill Stewart bill.stewart at pobox.com
Sat Jun 28 13:06:03 PDT 2003


Somebody did an interesting attack on a cable network's customers.
They cracked the cable company's DHCP server, got it to provide a
"Connection-specific DNS suffic" pointing to a machine they owned,
and also told it to use their DNS server.
This meant that when your machine wanted to look up yahoo.com,
it would look up yahoo.com.attackersdomain.com instead.

This looks like it has the ability to work around DNSSEC.
Somebody trying to verify that they'd correctly reached yahoo.com
would instead verify that they'd correctly reached
yahoo.com.attackersdomain.com, which can provide all the signatures
it needs to make this convincing.

So if you're depending on DNSSEC to secure your IPSEC connection,
do make sure your DNS server doesn't have a suffix of echelon.nsa.gov...


------------------------------
RISKS-LIST: Risks-Forum Digest  Saturday 17 June 2003  Volume 22 : Issue 78
http://catless.ncl.ac.uk/Risks/22.78.html
------------------------------
Date: Fri, 20 Jun 2003 15:33:15 -0400
From: Tom Van Vleck <thvv at multicians.org>
Subject: ISP's DHCP servers infiltrated

http://ask.slashdot.org/article.pl?sid=03/06/19/2325235&mode=thread&tid=126&tid=172&tid=95

"... It turns out, Charter Communications' DHCP servers were
infiltrated and were providing p5115.tdko.com as the
'Connection-specific DNS suffix', causing all non-hardened Windows
(whatever that means in a Windows context) machines to get lookups
from a hijacked subdomain DNS server which simply responded to every
query with a set of 3 addresses (66.220.17.45, 66.220.17.46,
66.220.17.47).

On these IPs were some phantom services. There were proxying Web
servers (presumably collecting cookies and username/password combos),
as well as an ssh server where the perpetrators were most likely
hoping people would simply say 'yes' to the key differences and enter
in their username/password..."

Hmm, my cable ISP was down this morning.  Maybe coincidence.



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com





More information about the cypherpunks-legacy mailing list