diff options
| author | Camil Staps | 2015-10-13 20:59:20 +0200 |
|---|---|---|
| committer | Camil Staps | 2015-10-13 20:59:20 +0200 |
| commit | 5667cc3df79242093f6fe56521785b7b28b45005 (patch) | |
| tree | 4c7340b4a16f2b2960e6d6480cdfd82e29d072c4 /netsec-assignment5-S4498062/exercise3 | |
| parent | Finish assignment 4 (diff) | |
Diffstat (limited to 'netsec-assignment5-S4498062/exercise3')
| -rw-r--r-- | netsec-assignment5-S4498062/exercise3/exercise3a | 26 | ||||
| -rw-r--r-- | netsec-assignment5-S4498062/exercise3/exercise3b | 6 | ||||
| -rw-r--r-- | netsec-assignment5-S4498062/exercise3/exercise3c | 3 | ||||
| -rw-r--r-- | netsec-assignment5-S4498062/exercise3/exercise3d | 3 | ||||
| -rw-r--r-- | netsec-assignment5-S4498062/exercise3/exercise3e | 3 |
5 files changed, 41 insertions, 0 deletions
diff --git a/netsec-assignment5-S4498062/exercise3/exercise3a b/netsec-assignment5-S4498062/exercise3/exercise3a new file mode 100644 index 0000000..fd9364a --- /dev/null +++ b/netsec-assignment5-S4498062/exercise3/exercise3a @@ -0,0 +1,26 @@ +We query a non-existing domain which likely isn't in the cache already (that is, +a random string as subdomain). For example, we might query for: + +$ dig eWVwLCB0aGlzIGlzIGJhc2U2NC4u.blackboard.ru.nl + +Then we race the actual DNS server to provide this response: + + ;; ANSWER SECTION: + eWVwLCB0aGlzIGlzIGJhc2U2NC4u.blackboard.ru.nl. 120 IN A 10.10.10.10 + + ;; AUTHORITY SECTION: + blackboard.ru.nl. 86400 IN NS ourns.blackboard.ru.nl. + + ;; ADDITIONAL SECTION: + ourns.blackboard.ru.nl. 604800 IN A 10.10.10.20 + +Here, 10.10.10.20 would be our address. The cache will now ask stuff about +blackboard.ru.nl to our nameserver which he thinks is at ourns.blackboard.ru.nl. + +Thus by simply requesting + +$ dig blackboard.ru.nl + +and sending back an incorrect A record for blackboard.ru.nl from 10.10.10.20, we +have spoofed the cache. + diff --git a/netsec-assignment5-S4498062/exercise3/exercise3b b/netsec-assignment5-S4498062/exercise3/exercise3b new file mode 100644 index 0000000..34d75bf --- /dev/null +++ b/netsec-assignment5-S4498062/exercise3/exercise3b @@ -0,0 +1,6 @@ +The QID is a 16-bit random string, so we have a chance of 1 over 2^16 to guess +it correctly. + +If we also use port randomisation, we have to guess 16+16=32 bits, giving us a +1 over 2^32 chance. + diff --git a/netsec-assignment5-S4498062/exercise3/exercise3c b/netsec-assignment5-S4498062/exercise3/exercise3c new file mode 100644 index 0000000..35ca2b0 --- /dev/null +++ b/netsec-assignment5-S4498062/exercise3/exercise3c @@ -0,0 +1,3 @@ +We have to guess 14 extra bits, that is, 46 bits, giving us a 1 over 2^46 +probability to guess correctly. + diff --git a/netsec-assignment5-S4498062/exercise3/exercise3d b/netsec-assignment5-S4498062/exercise3/exercise3d new file mode 100644 index 0000000..d4e9ff0 --- /dev/null +++ b/netsec-assignment5-S4498062/exercise3/exercise3d @@ -0,0 +1,3 @@ +Using a birthday attack, sending many the same queries increases our odds of +getting one right. + diff --git a/netsec-assignment5-S4498062/exercise3/exercise3e b/netsec-assignment5-S4498062/exercise3/exercise3e new file mode 100644 index 0000000..99abf57 --- /dev/null +++ b/netsec-assignment5-S4498062/exercise3/exercise3e @@ -0,0 +1,3 @@ +If you're in the middle anyway you can change everything. You don't have to +guess anything, because you only modify the relevant section(s). + |