Anonymous   [08.01.07 11:36 AM]

The URL to Dan Kaminsky's site is broken, it should be: http://www.doxpara.com

dave mcclure   [08.02.07 01:15 AM]

hmmm... if i didn't know any better, i'd swear that headline was ripped off from a John Mayer tune...

;)

Thor Larholm   [08.02.07 11:33 AM]

The technique itself is nothing new, but the slirpie tool itself is new.

I would love to combine slirpie with a web-based Tor interface. In short, "Add this script include to your site and your visitors automatically expand our anonymous Tor network".

Just think of all those spare sockets doing nothing while they are reading your latest blog entry or article :)

Leo Dirac   [08.02.07 11:34 AM]

Wouldn't client-side DNS caching make this attack unreliable if not completely ineffective? OS's keep DNS caches, as do many browsers.

Once you connect to attacker.com, I don't think there would be another DNS lookup for a while.

Valentino Vaschetto   [08.02.07 12:00 PM]

Regarding DNS caching:

http://en.wikipedia.org/wiki/Time_to_live. Read up on "Time to live of DNS records".

Unless the OS and the Browser (the browser doesn't cache dns, but I'll entertain anyway) do not follow the standard, you can set the time to live of your DNS record to something like 5 seconds. After 5 seconds of being on the site, your dns server changes the ip to something useful (192.168.1.1?) and the website launches its attack. Absolutely brilliant.

Bind9 Guy   [08.02.07 01:55 PM]

Actually, Valentino is correct. This is all do to with something called Time-To-Live (TTL). However, what they don't tell you is that you can't do this to multiple people on a large scale with a 1 second TTL alone, since new visitors would just get (or most likely if you were to say alternate it) the 192.168.X.X IP.

What you would need to use is iptables in linux for example to take each IP that connects the first time, and then redirect each subsequent DNS query to an alternate port running another view in DNS. (A view is just a way for one DNS server to show different answers depending on clients IP's among other things) Or even just bind9 running on a seperate port with a seperate set of configs.

Actually, this attack vector I would think is commonly used. Say I were CSIS (Candian CIA) and I was ordered to take over your machine. One thing I could do if you were an avid user of one of a million different "phone home" apps is take over your dns or proxy your connection to a site and alter all occurences of MD5 checksums or whatever, and trick any program on your machine with weak authentication into thinking an update is available.

Verify any checksum you want, cause without at least encryption, there is no way you can prove it. This is about what is done except theres no man-in-the-middle here, just you blindly accepting the "truth" that your computer has been served.

World of Warcraft updates anyone? pwn 8million+ FTW!

Bind9 Guy   [08.02.07 06:35 PM]

Artur,

True. And I am sure you could even just hack up bind a tad as well (hey, why reinvent the wheel). I just figure its easier to not write any code and just use pre-existing tools, such as the iptables+bind setup.

Although I suppose you could consider the act of writing a config file a bit of minor programming as well depending on how you look at things, no?

Anyways, fun as usual to point out to the less technically inclined people out there, just how insecure public technology really is. It's a shame that we only keep the general online population feeling safe through lies and pretending things are something that they aren't, and that is honest and secure.

Mind you, I guess sometimes you gotta lower yourself to such a level to catch the real criminals who think the internet is going to help them further destroy society.

kL   [08.03.07 09:28 AM]

It's easy to protect against by using 'virtualhosts' (requiring HTTP/1.1 Host header to be correct).

urgeay   [10.26.07 02:28 PM]

well i think that all you have to do is not care so much about the internet.