Odd log messages from ISC BIND named

Thomas Charron twaffle at gmail.com
Wed Feb 4 00:45:17 EST 2009


On Wed, Feb 4, 2009 at 12:11 AM,  <VirginSnow at vfemail.net> wrote:
> Close.  Known plaintext is when you know the plaintext P1 for a
> corresponding ciphertext C1 and want to know the plaintext P2 for
> another ciphertext C2.  There are many ways of achieving that, but the
> most *general* is finding the key because with the key, you can find
> Pn for *any* Cn.  Technically, any attack which uses P1, C1, and C2 to
> reveal P2 would be a known plaintext attack.

  Are you seriously high?  Do you even have any idea what you're talking
about, or are you just going cut-and-paste happy?

>>   I'm having trouble envisioning a scenario where the above attack
>> would find it useful to send a flood of DNS packets for bogus names to
>> an arbitrary IP address.  We're trying to crack an encrypted network.
> A DNS IP packet has the structure:
> In your case, len = 32 and name = all those strange domain names.
> Note that daddr occurs on a 32-bit boundary and that the domain name
> comes last.  Since most modern block ciphers use 128 or 256 bit
> blocks, twiddling bits in daddr and/or name could reveal important
> information about the cryptosystem.

  WHAT Cryptosystem?  How do you jump from '100 oddball DNS requests'
to 'cryptosystem'?

>> Presumably, the attacker doesn't have full access to the encrypted
>> network, or he wouldn't need to do this.
> In practice, if an attacker was able to change the daddr of DNS
> packets, he would also likely be able to view/change the WEP key.

  Now this is just annoying the fug out of me.  You HAVE to be copying
and pasting this.  *ANY* shmuck with low level access can set the
daddr.  IT'S THE DESTINATION ADDRESS YOU IDIOT.  If I craft an IP
packet destined to server A, guess what daddr is going to be....
*SURPRISE!*  And no, no one from the outside world can CHANGE a daddr
without BEING the router which routes it.

> But
> suppose he had a laptop say, on his employer's LAN and his employer's
> LAN was connected to the company's WAN via VPN (which all too many
> tech staff think solves everything), he wouldn't have access to the
> key but would be able to generate any packets desired.

  And of course, the logical conclusion to this would be, 'At which
point he'd obviously craft packets directed to Ben's servers'.

> This is less likely to be the case with WiFi, because WEP usually
> terminates at hosts.  If any kind of wireless bridge between two wired
> networks were used (the "wireless ethernet cable"), however, such an
> attack against the wireless link would be possible.

  Usually.

  Reeeaaaaaallly.

  I'm suddenly so much more educated.  I never realized programs
logging into google could be because my WEP key wasn't terminating at
the host.  Obviously, my ethernet had run out of tokens.

>> That would be even harder to spot in the traffic, and might make the
>> cryptanalysis easier, since the domain name wouldn't be changing
>> every packet.
> Actually, fiddling with the end of a plaintext is often the best place
> to start.  If, for example, the message is encrypted with a CBC mode
> cipher, all the preceding blocks in the ciphertext would remain the
> same.

  I'm literally staring blankly at the screen at the moment.  State your
point.  At this point, I'm convinced you've gone stark raving mad and
started cutting and pasting from random web sites.  You believe in
UFOs as well?

>> And why not send the packets to some zombie, so you can get the full
>> plaintext datagram (ports, sequence numbers, etc.), rather than just
>> the domain name?  And if they're not interested in knowing more than
>> the domain name, why not vary the IP address each and every
>> packet?
> I'm not sure what you mean by that...

  Wow, then you and the majority of the list I suspect have something in common.

-- 
-- Thomas
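The one checkable technical claim in the quoted text is the CBC one: change only the tail of a plaintext and every ciphertext block before the changed block stays the same, while a change at the head propagates through all later blocks. The snippet below is an added illustration, not code from this thread; it uses a small XTEA implementation (8-byte blocks, 128-bit key) in CBC mode with a constructed key, IV and three-block sample plaintexts.

```python
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF


def xtea_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Encrypt one 8-byte block with XTEA (32 rounds, 16-byte key)."""
    v0, v1 = struct.unpack(">2L", block)
    k = struct.unpack(">4L", key)
    s = 0
    for _ in range(32):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
    return struct.pack(">2L", v0, v1)


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC mode: C_i = E_k(P_i XOR C_{i-1}) with C_{-1} = iv.
    No padding, so the plaintext must be a multiple of 8 bytes."""
    assert len(plaintext) % 8 == 0
    prev, out = iv, bytearray()
    for i in range(0, len(plaintext), 8):
        block = bytes(a ^ b for a, b in zip(plaintext[i:i + 8], prev))
        prev = xtea_encrypt_block(key, block)
        out += prev
    return bytes(out)


def differing_blocks(c1: bytes, c2: bytes) -> list:
    """Indices of the 8-byte blocks in which two ciphertexts differ."""
    return [i // 8 for i in range(0, len(c1), 8) if c1[i:i + 8] != c2[i:i + 8]]


# Constructed key/IV and three 24-byte (three-block) plaintexts.
KEY = bytes(range(16))
IV = b"\x00" * 8
P_BASE = b"query: www.example.com. "   # blocks: "query: w" "ww.examp" "le.com. "
P_TAIL = b"query: www.example.org. "   # differs from P_BASE only in block 2
P_HEAD = b"QUERY: www.example.com. "   # differs from P_BASE only in block 0

C_BASE = cbc_encrypt(KEY, IV, P_BASE)
C_TAIL = cbc_encrypt(KEY, IV, P_TAIL)
C_HEAD = cbc_encrypt(KEY, IV, P_HEAD)

if __name__ == "__main__":
    print("tail change alters blocks:", differing_blocks(C_BASE, C_TAIL))  # [2]
    print("head change alters blocks:", differing_blocks(C_BASE, C_HEAD))  # [0, 1, 2]
```

Because the block cipher is a bijection, the head-change result is not probabilistic: once C_0 differs, the XOR input to every later block differs too, so every later block differs.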


More information about the gnhlug-discuss mailing list