lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040806200509.26600.qmail@www.securityfocus.com>
Date: 6 Aug 2004 20:05:09 -0000
From: <bill@...-inc.us>
To: bugtraq@...urityfocus.com
Subject: Re: International DNS compromise?


In-Reply-To: <20040805192243.7826e6b9.john@...d-weed.com>

This is from China's "Great Firewall" sniffering their 54Gbps International traffic. 

I presented some detailes at the HOPE conference in NYC last month. I posted the presentaion here: http://www.dit-inc.us/report/hope2004/cover.htm (click on the image to get in)

Regarding this DNS hijacking thing, it is worth mentioning that root DNS server in China may hijack query from neighbouring countries as well.

The black list for DNS hijacking is very small. TCP session hijacking list is longer, IP blocking blacklist is the longest.

Bill

>Received: (qmail 28891 invoked from network); 5 Aug 2004 18:45:36 -0000
>Received: from outgoing.securityfocus.com (HELO outgoing3.securityfocus.com) (205.206.231.27)
>  by mail.securityfocus.com with SMTP; 5 Aug 2004 18:45:36 -0000
>Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
>	by outgoing3.securityfocus.com (Postfix) with QMQP
>	id 03627236F36; Thu,  5 Aug 2004 12:47:21 -0600 (MDT)
>Mailing-List: contact bugtraq-help@...urityfocus.com; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq@...urityfocus.com>
>List-Help: <mailto:bugtraq-help@...urityfocus.com>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe@...urityfocus.com>
>List-Subscribe: <mailto:bugtraq-subscribe@...urityfocus.com>
>Delivered-To: mailing list bugtraq@...urityfocus.com
>Delivered-To: moderator for bugtraq@...urityfocus.com
>Received: (qmail 28021 invoked from network); 5 Aug 2004 12:14:21 -0000
>Date: Thu, 5 Aug 2004 19:22:43 +0100
>From: john <john@...d-weed.com>
>To: bugtraq@...urityfocus.com
>Subject: Re: International DNS compromise?
>Message-Id: <20040805192243.7826e6b9.john@...d-weed.com>
>In-Reply-To: <20040805051101.18767.qmail@...13702.mail.yahoo.com>
>References: <Pine.LNX.4.58.0407232020010.3889@...to.physik.uni-wuerzburg.de>
>	<20040805051101.18767.qmail@...13702.mail.yahoo.com>
>X-Mailer: Sylpheed version 0.8.11claws (GTK+ 1.2.10; i686-pc-linux-gnu)
>Mime-Version: 1.0
>Content-Type: text/plain; charset=US-ASCII
>Content-Transfer-Encoding: 7bit
>
>On Wed, 4 Aug 2004 22:11:01 -0700 (PDT)
>Zhen Shi <zhenshi99@...oo.com> wrote:
>
>> Dear all,
>>   Recently I noticed something fishy in the DNS system
>> between US and China. 
>>   First, any IPs, dead or live, in China will respond
>> to your DNS query for some domains. For example
>> (screen shot with some clean-up and comments): 
>> 
>> C:\>nslookup
>> 
>> > server 210.77.0.0     <=== pick a random IP     in
>> China 
>> Default Server:  [210.77.0.0]
>> Address:  210.77.0.0
>> 
>> > www.rfa.org
>> Server:  [210.77.0.0]
>> Address:  210.77.0.0
>> 
>> Non-authoritative answer:
>> Name:    www.rfa.org
>> Address:  203.105.1.21  <=== you got response!!!!
>> 
>>   Second, every time the response is different: 
>> 
>> > www.rfa.org
>> Server:  [210.77.0.0]
>> Address:  210.77.0.0
>> 
>> Non-authoritative answer:
>> Name:    www.rfa.org
>> Address:  64.66.163.251
>
>> <snip>
>
>It looks like it all works OK with most domain names. But rfa.org is the
>sort of site the Chinese would want to censor. Evidently this is part of
>their strategy for doing that.
>
>This has the side-effect that you could discover the list of sites being
>censored by systematically comparing DNS replies from a server in China
>with those from an uncompromised server.
>
>John
>


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ