DNS/キャッシュサーバ毒盛/Kaminskyの攻撃手法/unixwiz.netについて、ここに記述してください。

1. www.unixwiz.netの説明

http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html

2. Shenanigans, Version 1

In this illustration, we'll attempt to poison a particular nameserver with a fraudulent IP for a legitimate banking website, www.BankOfSteve.com. The bad guy's intention is to get all of the ISP's customers to visit his own malicious site instead of the real one operated by the Bank.

2.1. Simple Poisoning (うまくいきそうもない)

Step 1 — Bad guy sends a DNS query to the victim nameserver for the hostname it wishes to hijack.

Step 2a — Knowing that the victim will shortly be asking ns1.bankofsteve.com

Steps 2b & 3 — Root/GTLD servers provide referral to ns1.bankofsteve.com.

Step 4 — victim nameserver asks ns1.bankofsteve.com for the IP address of www.bankofsteve.com,

Step 5 — the real nameserver provides a legitimate response to this query, with QID=1001.

Step 6 — With the bogus IP address (of the bad guy's webserver) in cache

Step 7 (not illustrated) —

3. Dan's Shenanigans

Step 1 — bad guy client requests a random name within the target domain (www12345678.bankofsteve.com),

Step 2a — As before, the bad guy sends a stream of forged packets to the victim,

The authority data may well contain the "real" bankofsteve.com nameserver hostnames,
but the glue points those nameservers at badguy IPs.
This is the crucial poisoning,
because a Query ID match means that the victim believes that
badguy's nameservers are authoritative for bankofsteve.com.

The bad guy now owns the entire zone.

Curiously, the rest of the steps don't matter: the point of this process was to fake out the victim into thinking that badguy runs the domain in question, and that would have been successful in this step.

Once one of the victim's queries has been poisoned — it could be any in the chain — all the rest are directed to badguy's servers.

4. コメント

こんなに簡単に入るのを確認できたのなら、その時のbindには不良があったはずだ。 -- ToshinoriMaeno 2011-08-20 10:32:04