Logic in list messages WAS: Re: Odd log messages from ISC BIND named

Thomas Charron twaffle at gmail.com
Wed Feb 4 11:15:26 EST 2009


On Wed, Feb 4, 2009 at 10:38 AM,  <VirginSnow at vfemail.net> wrote:
>> Date: Wed, 4 Feb 2009 09:44:28 -0500
>> From: Thomas Charron <twaffle at gmail.com>
>> Cc: gnhlug-discuss at mail.gnhlug.org
>> you're saying, but how you got there is an awfully rocky road.  For
>> instance, your logic is flawed when it comes to it being perfectly
>> logical that it would move to a different host after 100 packets.
> If you're looking through a printed dictionary for a three-letter
> word, you don't have to search through the whole dictionary.  You can
> stop when you reach "act", then go on and do something else.

  This is true, however, the conclusion that this is indeed what
actually happened is based on a multitude of assumptions that the
original cool idea was correct.

>> If it were indeed attempting that, it wouldn't cycle IPs at 100.
>> To get a full sweep it would have done 256 queries.
> Twiddling bits in the destination address wouldn't direct 256 packets
> at liberty, because liberty (presumably) only has one public IP
> address.  Packets in which the IP is *constant* (ie, that of liberty)
> and bits are being twiddled in the *domain name* are the only packets
> which would reach liberty.  That's exactly what Ben observed.
> Besides, even if IP octets were being scanned as you seem to suggest,
> the network and broadcast addresses (0 and 255 in the last octet)
> wouldn't be searched.  So, even then, there would only be 254
> requests.
> You might consider examining your logic before accusing others of
> being illogical. ;)

  You suggested that logic with your whole 'notice the daddr on a 32
bit boundary' theory.  The number 256 I mentioned has nothing to do
with networking, but with the cryptographic attack you suggested.  The
entire purpose of the attack potentials you mentioned would have
NOTHING to do with attacking liberty.

  To break it down, the sort of attack you are inferring would be
utilized when an entity was able to observe some form of encrypted
traffic, where it has knowledge of the data which WAS encrypted.  In
this scenario, an attacker would, say, transmit said known packets
over an ethernet network, and then observe the encrypted packets, and
record them.  Who the packets are destined to isn't of any importance.  As
part of that data collection, it would make more sense to take 64,
128, 256, etc. samples, which could potentially give you data of
cryptographic significance.

-- 
-- Thomas