New ZeroConf Spec

Micah J. Cowan micah at cowan.name
Tue Jul 11 21:23:18 BST 2006


On Tue, Jul 11, 2006 at 03:03:36PM +0100, Scott James Remnant wrote:
> On Mon, 2006-07-10 at 14:24 -0700, Micah J. Cowan wrote:
> 
> > On Mon, Jul 10, 2006 at 09:58:58AM +0100, Scott James Remnant wrote:
> > > DNS uses UDP which does NOT have this prevention, while the daemon is
> > > waiting for a reply, it can receive packets from ANYWHERE.
> > 
> > This depends a lot on how the programmer does his UDP listening.
> > 
> Not really; even if you use decent filtering, it's still boringly easy
> to forge UDP packets and inject them into the listening application --
> there being no sequence number, etc. in the UDP header.

Excellent point.

However, unless I'm missing something, taking advantage of such a thing
in the case of DNS and similar protocols would still require (a)
knowing, more or less, what the original packet's request was (so that
you can duplicate it in the "question" section), and (b) flooding all
UDP ports with your answer, repeatedly, unless you have other means of
ascertaining what the source port number was. (b) would probably be
detected too quickly to be used practically.

(a) might be discountable, as in practice it may depend on how stupid
the DNS implementation is. But (b) would probably result in detection
and elimination of the attack, I'm guessing.

No idea whether any of that applies to mDNS, with which I'm not
familiar. At any rate, I'm sure I'm against leaving a port open over a
significant length of time by default, which is pretty different from
the normal DNS model.

-- 
Micah J. Cowan
Programmer, musician, typesetting enthusiast, gamer...
http://micah.cowan.name/
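Added example, not code from the thread or from any of its participants: the acceptance check a stub resolver can apply to a UDP datagram before treating it as the answer to an outstanding query. It encodes the two things the mail says a forged reply has to get right, the echoed question section and the source port, plus the transaction ID carried in the header and the server address. All names, addresses and packets are constructed for the example.

```python
import struct
from dataclasses import dataclass

@dataclass
class Pending:
    """What a resolver remembers about one outstanding query (constructed example state)."""
    txid: int
    server: tuple      # (ip, port) we sent the query to
    local_port: int    # ephemeral source port we sent it from
    question: bytes    # raw question section, which a legitimate reply echoes

def encode_question(name: str, qtype: int = 1) -> bytes:
    """Encode NAME as DNS labels followed by QTYPE and QCLASS=IN."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return labels + b"\x00" + struct.pack("!HH", qtype, 1)

def build_message(txid: int, flags: int, question: bytes) -> bytes:
    """12-byte header (QDCOUNT=1, no resource records) plus the question section."""
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question

def first_question(payload: bytes) -> bytes:
    """Slice the first question section out of a message (no name compression)."""
    i = 12
    while payload[i] != 0:
        if payload[i] & 0xC0:
            raise ValueError("compression pointer in question name")
        i += payload[i] + 1
    return payload[12:i + 5]          # name, terminating zero, QTYPE, QCLASS

def accept_reply(p: Pending, src: tuple, dst_port: int, payload: bytes) -> tuple:
    """Return (accepted, reason) for a datagram claiming to answer query P."""
    if src != p.server:
        return False, "source address/port is not the server we asked"
    if dst_port != p.local_port:
        return False, "not addressed to this query's source port"
    try:
        txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
        question = first_question(payload) if qdcount == 1 else None
    except (struct.error, ValueError, IndexError):
        return False, "malformed message"
    if not flags & 0x8000:
        return False, "QR bit clear: a query, not a response"
    if txid != p.txid:
        return False, "transaction ID mismatch"
    if question != p.question:
        return False, "question section does not echo ours"
    return True, "accepted"
```

A datagram that gets past every check still only proves it matched state the resolver keeps; the checks narrow what a spoofer must guess, they do not authenticate the answer.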