Odd log messages from ISC BIND named
VirginSnow at vfemail.net
Tue Feb 3 18:29:45 EST 2009
> Date: Tue, 3 Feb 2009 16:52:01 -0500
> From: Ben Scott <dragonhawk at gmail.com>
> On Tue, Feb 3, 2009 at 3:08 PM, <VirginSnow at vfemail.net> wrote:
> > But judging by the differences between the queries, this is
> > more likely a known-plaintext attack on a WEP, a VPN,
> > or similar.
>
> Okay, I might buy that, but what's it doing on our DNS server?
If the payload space being searched included the destination IP field,
the destination IP could just coincidentally have been that of
liberty. After you got 100 or so packets, the algorithm moved on to a
different IP. If the destination IP field *wasn't* part of the
algorithm's workspace, the programmer could simply have randomized the
destination IP so that all the packets wouldn't be going to the same
set of DNS server(s) (which would obviously attract attention).

Likely, there are many other DNS servers that received similar
queries. There are likely also many hosts that got a UDP packet on
port 53, didn't have a name server running, and simply ignored it.

DNS is a good candidate for known-plaintext cryptanalysis. It's UDP,
so you don't have to worry about state, the packet format is simple,
and it'll blend right in with all the other traffic on the LAN.