At 20:48 06/06/01 +1000, ks Quah wrote:
>Hi
>     Does anyone know how source routing and DNS spoofing work?

{Ben, I'm including you cos' I'm citing you. sorry if this is undesirable}

[source routing]
I understand that you're talking about the IP source routing option. If so, take a look at Stevens' book(s) or similar IP books. In short, IP packets have a header that may contain options. One of the options is source routing, which may be either strict or loose. The former means the option header contains the whole list of gateways, while the latter means only some of the gateways are included. The purpose was to enable a system to define the route the packet takes.

The problem is that this introduces a problem with IP filtering. IP filtering is mostly based on the standard header, so it will use the source and dest addresses found in the standard IP header. Now if a packet is going to a destination allowed by the filter, it will be allowed by the filter, but it may still be routed through a protected network if it contains a source route saying it should go there. The risk is that the packet may be "absorbed" by the gateway in question if it has been configured by a malicious insider, or can harm the gateway if it contains IP-based bad things. So one does not want such packets to go inside even if their final destination is allowed.

In my opinion, IP options should be made obsolete...

[dns spoofing]
One of these is that you can configure your network to be "gnac.net". Nothing prevents this. You just say that 1.2.3.4 (which is an address managed by you) is doudou.gnac.net. When 1.2.3.4 makes a connection outside, the server (or FW) may then try to find the corresponding hostname. It will take the address 1.2.3.4 and determine who's responsible for this. Someone will tell him that it's a host in your network, say 1.2.3.53. It will then contact this host and ask "what is the name of 1.2.3.4?". If you configured 1.2.3.53 to say that 1.2.3.4 is doudou.gnac.net, then it will say that. At this point, this is legitimate and you have the right to do whatever you want in your network! The problem is that if the server/FW were basing his filtering on names, then the response would mislead him and he might take a bad decision.

So what people generally do is that once they get the answer (doudou.gnac.net), they do a double lookup, that is, they then try to get the address of "doudou.gnac.net". To this end, they check the domain (gnac.net) and ask "what is the address of doudou.gnac.net". Hopefully, the server who answers this question is not yours, so it will say "7.8.9.1", which is different from "1.2.3.4". As a result, the server will suspect your initial answer and won't allow your request.

Another reason people do the double DNS check is that this automatically rejects "unofficial" people, that is, people who did not take the effort to correctly register their addresses. So a hacker wanting to harm the server will need to go through the registration process and do it correctly, which takes time, resources, energy, ... This is why some mail servers automatically do the double lookup.

However, this introduces a problem when you have a silly ISP (like me!). I got unsubscribed from some mailing lists just because my ISP changed things in a way that the DNS responses from my domain were so slow... so servers end up rejecting legitimate (well, I think I am :) people...

Since a discussion with Ben, I now think that the double DNS lookup is not the "good" thing. People should not base their permissions on DNS.

hope this helps.

cheers
mouss
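As an added example (not part of mouss's mail), the double lookup described above written out in Python against constructed zone data: the reverse zone for 1.2.3.4 claims doudou.gnac.net while the gnac.net zone says doudou.gnac.net is 7.8.9.1, and a constructed "slow-isp.example" zone whose forward queries time out reproduces the case where a legitimate but slow domain gets rejected by a name-based filter.

```python
# Constructed DNS data for the example (not real zones).
# PTR_RECORDS: what the reverse-zone owner (the client's own network) claims.
# A_RECORDS:   what the forward-zone owner (whoever runs gnac.net) publishes.
PTR_RECORDS = {
    "1.2.3.4": "doudou.gnac.net",        # spoofed: reverse zone run by the client
    "7.8.9.1": "doudou.gnac.net",        # the genuinely registered host
    "10.9.8.7": "me.slow-isp.example",   # legitimate, but its ISP's DNS times out
}
A_RECORDS = {
    "doudou.gnac.net": ["7.8.9.1"],
    "me.slow-isp.example": ["10.9.8.7"],
}
SLOW_ZONES = ("slow-isp.example",)      # forward queries here never answer in time


def reverse_lookup(addr):
    """PTR query: address -> claimed hostname, or None when no record exists."""
    return PTR_RECORDS.get(addr)


def forward_lookup(name):
    """A query: hostname -> list of addresses; simulates a timeout for slow zones."""
    if name.endswith(SLOW_ZONES):
        raise TimeoutError(f"forward lookup of {name} timed out")
    return A_RECORDS.get(name, [])


def check_double_lookup(addr):
    """The double lookup: PTR, then A on the returned name. Returns (verdict, reason)."""
    name = reverse_lookup(addr)
    if name is None:
        return "unverified", "no PTR record for address"
    try:
        addrs = forward_lookup(name)
    except TimeoutError as exc:
        return "unverified", str(exc)
    if addr in addrs:
        return "allow", f"{name} forward-resolves to {addr}"
    return "reject", f"PTR claims {name}, but {name} resolves to {addrs or 'nothing'}"


def name_allowed(addr, allowed_domain, double_check=True):
    """Name-based filter. With double_check=False it trusts the PTR answer alone,
    which is exactly the case the spoofed reverse zone misleads."""
    name = reverse_lookup(addr) or ""
    in_domain = name == allowed_domain or name.endswith("." + allowed_domain)
    if not double_check:
        return in_domain
    return in_domain and check_double_lookup(addr)[0] == "allow"
```

The slow zone ends up "unverified", and a filter that only admits "allow" turns that into a rejection of a legitimate host, which is the failure mode the post describes.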

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
