Logic in list messages WAS: Re: Odd log messages from ISC BIND named

Thomas Charron twaffle at gmail.com
Wed Feb 4 13:16:15 EST 2009


On Wed, Feb 4, 2009 at 1:00 PM,  <VirginSnow at vfemail.net> wrote:
>> Date: Wed, 4 Feb 2009 11:15:26 -0500
>> From: Thomas Charron <twaffle at gmail.com>
>> Cc: gnhlug-discuss at mail.gnhlug.org
>>   To break it down, the sort of attack you are inferring would be
>> utilized when an entity was able to observe some form of encrypted
>> traffic, where it has knowledge of the data which WAS encrypted.  In
>> this scenario, an attacker would, say, transmit said known packets
>> over an ethernet network, and then observe the encrypted packets,
>> and record.
> Yes.  That's basically what's called a "known plaintext" attack.

  Then you should have cleanly stated that when Ben asked, 'Hey, why
would they do that?'  Intentionally or not, the data you responded
with wasn't clear, and appeared, from the outside, as if you were
simply using long words for the sake of using them.

>> Who the packets are destined to isn't of any importance.
> As I tried to show by listing header fields, the destination IP
> address *is* important because it appears toward the beginning of the
> packet.

  Well, yeah...  This IS an IP network.  It WOULD be there.

> Depending on the cipher mode used to encrypt the packet, this
> could ===>> change the rest of the ciphertext even if the rest of the
> plaintext was identical <<===.  That's why it's most useful to twiddle
> bits at the end of the packet: most messages, whatever cipher mode is
> used to encrypt them, are encrypted from front to back.

  However, they could have sent that packet to the Zimbabwe
International Kangaroo Federation's DNS servers just as easily.  Or
even a UDP packet to a host that *DIDN'T EXIST*.  The daddr isn't
important, JUST that it remains the same.

  Now, in summary, I'd like to say that much of the assumptions are
dependent on data we don't have, including the time span of the
queries, the source IP, etc.  It could have simply been something
checking the security of the host itself by looking at serial numbers.
It COULD have been someone trying to break into a wireless network at
MV.  It also could have been someone or something trying to poison the
server.  We don't have enough information to say WHAT it was.
Personally, I think it was UFOs trying to get at Ben's p0rn stash.
You see, they were enumerating the rotating cyphernecronomicalistic
probability based on the squeegee theorem.

-- 
-- Thomas
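The point under dispute above (whether changing an early packet field such as the destination address changes "the rest of the ciphertext" depends on the cipher mode, and why twiddling bits at the end of a packet is the safer move for a known-plaintext comparison) is easy to see by running it. The following is an added example, not code from either poster. It assumes a toy 16-byte Feistel block cipher built from HMAC-SHA256 as a stand-in for a real block cipher (the mode behaviour shown does not depend on which block cipher is used), a constructed 64-byte "packet" and a constructed key and IV, and it wraps the cipher in CBC and CTR modes to report which ciphertext blocks change when one plaintext bit is flipped near the front versus at the very end:

```python
"""Cipher-mode diffusion demo (added example; not part of the original thread).

A toy 4-round Feistel block cipher keyed with HMAC-SHA256 stands in for a real
128-bit block cipher.  CBC and CTR are layered on top of it to show which
ciphertext blocks change when one plaintext bit is flipped near the front of
a packet versus at its end.
"""
import hashlib
import hmac

BLOCK = 16   # block size in bytes; the Feistel halves are 8 bytes each
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function: HMAC-SHA256(key, round || half), truncated to 8 bytes.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Toy 16-byte block cipher: balanced Feistel network.  A Feistel network is
    # a bijection, so two different input blocks always give different outputs.
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # CBC: plaintext block i is XORed with ciphertext block i-1 before encryption,
    # so a change in block i alters ciphertext blocks i .. n-1 (forward only).
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # CTR: keystream block i = E(nonce || i), independent of the plaintext,
    # so a change in block i alters only ciphertext block i.
    assert len(plaintext) % BLOCK == 0
    out = []
    for i in range(0, len(plaintext), BLOCK):
        counter_block = nonce[:8] + (i // BLOCK).to_bytes(8, "big")
        out.append(_xor(plaintext[i:i + BLOCK], block_encrypt(key, counter_block)))
    return b"".join(out)


def changed_blocks(c1: bytes, c2: bytes) -> list:
    # Indices of the ciphertext blocks that differ between two encryptions.
    return [i // BLOCK for i in range(0, len(c1), BLOCK)
            if c1[i:i + BLOCK] != c2[i:i + BLOCK]]


def diffusion_demo(mode: str, flip_offset: int) -> list:
    """Encrypt a constructed 4-block 'packet' twice under the same key and IV,
    the copies differing in one bit at flip_offset, and return the indices of
    the ciphertext blocks that changed."""
    key = b"\x11" * 32          # constructed demo key (assumption, not real traffic)
    iv = b"\x22" * BLOCK        # constructed IV/nonce, reused on purpose to mirror an
                                # observer comparing two captures of the same packet
    packet = bytes(range(64))   # constructed "packet": 4 blocks of 16 bytes
    modified = bytearray(packet)
    modified[flip_offset] ^= 0x01
    encrypt = cbc_encrypt if mode == "cbc" else ctr_encrypt
    return changed_blocks(encrypt(key, iv, packet), encrypt(key, iv, bytes(modified)))


if __name__ == "__main__":
    for mode in ("cbc", "ctr"):
        print(mode, "flip byte 16 (early field, block 1):", diffusion_demo(mode, 16))
        print(mode, "flip byte 63 (last byte, block 3):  ", diffusion_demo(mode, 63))
```

Under CBC, flipping a byte in block 1 changes ciphertext blocks 1, 2 and 3, while flipping the last byte changes only block 3; under CTR, either flip changes exactly the one block it sits in. So for a known-plaintext comparison the end of the packet is the only position whose effect is confined to one block regardless of mode, which is the "twiddle bits at the end" point, while what an early field such as the destination address does to the rest of the ciphertext really is mode-dependent.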

