On Jul 9, 2008, at 12:19 PM, Ted Unangst wrote:

n front). something like,

nat on egress proto udp from (self) to any port 53 -> (self)

I don't think this actually accomplishes much.  It still lets poisoned
replies back in on the previous port number.


But does it allow a poisoned reply from the spoofed address?

As I understand the threat, based on the limited information:

1. Attacker sends valid user a www.badman.com link to click on
2. Resolver queries to badman.com NS from port 55555 for www.badman.com, which is a CNAME to www.ebay.com
3. New query for www.ebay.com to ebay.com NS originates from udp port 54321
4. A spoofed UDP packet from the badman.com NS using 55555 shouldn't match the ebay query, and the poisoning shouldn't work.

If I'm missing something, I welcome any corrections.

Thanks,
Steve
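Added example (not code from this thread): a toy model of the reply-matching step of a resolver, replayed over Steve's four steps. The port numbers 55555 and 54321 and the hostnames come from his post; the nameserver addresses (RFC 5737 documentation ranges), the `Resolver` class, the `NS_ZONE` table and the extra bailiwick check are constructed here. It shows why a forged reply aimed at the earlier port is dropped when the second query leaves from a different port, why a reply on the right port still has to carry the right transaction id, and why an out-of-zone record riding along in the badman.com answer is discarded rather than cached.

```python
"""Toy model of how a resolver decides whether an incoming UDP DNS reply
belongs to an outstanding query. Constructed example; the addresses,
the Resolver class and the bailiwick table are assumptions, the ports
and hostnames come from the walk-through in the post."""
import random
from dataclasses import dataclass
from typing import Optional

# Constructed: which zone each nameserver address is authoritative for.
NS_ZONE = {
    "192.0.2.53": "badman.com",     # attacker-controlled NS (constructed address)
    "198.51.100.53": "ebay.com",    # legitimate NS (constructed address)
}


@dataclass(frozen=True)
class Query:
    qname: str      # name being resolved
    ns_ip: str      # nameserver the query was sent to
    src_port: int   # local UDP source port the query left from
    txid: int       # 16-bit DNS transaction id


@dataclass(frozen=True)
class Reply:
    qname: str      # question section echoed back
    from_ip: str    # source address the packet claims to come from
    dst_port: int   # UDP port the packet arrived on
    txid: int
    answers: dict   # name -> rdata, e.g. {"www.ebay.com": "203.0.113.7"}


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone itself or lies underneath it."""
    return name == zone or name.endswith("." + zone)


class Resolver:
    def __init__(self, rng: Optional[random.Random] = None):
        self.rng = rng or random.Random()
        self.pending = {}   # (ns_ip, src_port, txid) -> Query
        self.cache = {}     # name -> rdata

    def send_query(self, qname: str, ns_ip: str, src_port: Optional[int] = None) -> Query:
        # src_port=None models a randomised source port (what a pf nat rule or a
        # modern resolver gives you); a fixed value models the old behaviour.
        port = self.rng.randrange(1024, 65536) if src_port is None else src_port
        q = Query(qname, ns_ip, port, self.rng.randrange(0, 65536))
        self.pending[(ns_ip, port, q.txid)] = q
        return q

    def receive(self, r: Reply) -> str:
        key = (r.from_ip, r.dst_port, r.txid)
        q = self.pending.get(key)
        if q is None or q.qname != r.qname:
            return "dropped: no outstanding query matches (address, port, txid)"
        # Bailiwick rule: only cache records the answering server may speak for.
        zone = NS_ZONE[q.ns_ip]
        accepted = {n: v for n, v in r.answers.items() if in_bailiwick(n, zone)}
        if not accepted:
            return "dropped: every answer lies outside the %s bailiwick" % zone
        self.cache.update(accepted)
        del self.pending[key]
        return "accepted"


def walkthrough() -> dict:
    """Replay the scenario from the post; return each packet's verdict and the cache."""
    res = Resolver(random.Random(0))
    badman_ns, ebay_ns = "192.0.2.53", "198.51.100.53"
    verdicts = {}

    # Steps 1-2: query for www.badman.com leaves from port 55555. The badman NS
    # answers with the CNAME and smuggles in an address for www.ebay.com.
    q1 = res.send_query("www.badman.com", badman_ns, src_port=55555)
    verdicts["cname reply"] = res.receive(Reply(
        "www.badman.com", badman_ns, 55555, q1.txid,
        {"www.badman.com": "CNAME www.ebay.com", "www.ebay.com": "192.0.2.66"}))

    # Step 3: follow the CNAME with a fresh query, this time from port 54321.
    q2 = res.send_query("www.ebay.com", ebay_ns, src_port=54321)

    # Step 4: forged reply aimed at the port observed earlier (55555).
    verdicts["forged, old port"] = res.receive(Reply(
        "www.ebay.com", ebay_ns, 55555, q2.txid, {"www.ebay.com": "192.0.2.66"}))
    # Forged reply on the right port but with the wrong transaction id.
    verdicts["forged, wrong txid"] = res.receive(Reply(
        "www.ebay.com", ebay_ns, 54321, (q2.txid + 1) % 65536, {"www.ebay.com": "192.0.2.66"}))
    # The genuine answer from the ebay.com NS.
    verdicts["genuine"] = res.receive(Reply(
        "www.ebay.com", ebay_ns, 54321, q2.txid, {"www.ebay.com": "203.0.113.7"}))

    return {"verdicts": verdicts, "cache": dict(res.cache)}


if __name__ == "__main__":
    for k, v in walkthrough()["verdicts"].items():
        print("%-20s %s" % (k, v))
```

Read together with Ted's objection: when the source port is fixed, the match key collapses to the 16-bit transaction id, so a reply on the known port only has to hit that id; a per-query random source port, whether from the resolver itself or from a pf nat rule with port randomisation, adds the port to what a forged packet must match.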
