Tuesday, November 15, 2005

Using Cache Snooping to Estimate Code Spread

I've stayed out of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 whole Sony DRM affair because I felt Windows guru Mark Russinovich has forgotten more about Windows internals than I will ever know. I try to avoid commenting on issues out of my league, and Windows rootkits are generally not something I know how to analyze at cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 host level.

However, today I learned of a Wired story that incorporates new Dan Kaminski research. Dan has provided a conservative estimate of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 number of systems on which cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Sony DRM software is installed, based on Luis Grangeia's cache snooping methodology.

Essentially Dan used his Deluvian Scanning Platform -- DoxPara Infrastructure Validation Project (DIVP) to ask name servers if cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y had cached results for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 hosts associated with Sony's DRM. For example, in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 following I query a name server to see if it knows how to resolve www.bejtlich.net. The key is to tell cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 name server not to perform recursion; if cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 name server can't answer my request on its own, it has to report cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 authoritative name servers for .net:

orr:/home/richard$ dig @kis.visi.com www.bejtlich.net A +norecurse

; <<>> DiG 9.3.1 <<>> @kis.visi.com www.bejtlich.net A +norecurse
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29658
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14

;; QUESTION SECTION:
;www.bejtlich.net. IN A

;; AUTHORITY SECTION:
net. 44802 IN NS k.gtld-servers.net.
net. 44802 IN NS l.gtld-servers.net.
net. 44802 IN NS m.gtld-servers.net.
net. 44802 IN NS a.gtld-servers.net.
net. 44802 IN NS c.gtld-servers.net.
net. 44802 IN NS d.gtld-servers.net.
net. 44802 IN NS e.gtld-servers.net.
net. 44802 IN NS f.gtld-servers.net.
net. 44802 IN NS g.gtld-servers.net.
net. 44802 IN NS h.gtld-servers.net.
net. 44802 IN NS i.gtld-servers.net.
net. 44802 IN NS j.gtld-servers.net.

;; ADDITIONAL SECTION:
a.gtld-servers.net. 155541 IN A 192.5.6.30
a.gtld-servers.net. 159964 IN AAAA 2001:503:a83e::2:30
b.gtld-servers.net. 156332 IN A 192.33.14.30
b.gtld-servers.net. 159476 IN AAAA 2001:503:231d::2:30
c.gtld-servers.net. 156283 IN A 192.26.92.30
d.gtld-servers.net. 156283 IN A 192.31.80.30
e.gtld-servers.net. 156283 IN A 192.12.94.30
f.gtld-servers.net. 156283 IN A 192.35.51.30
g.gtld-servers.net. 156283 IN A 192.42.93.30
h.gtld-servers.net. 156283 IN A 192.54.112.30
i.gtld-servers.net. 156299 IN A 192.43.172.30
j.gtld-servers.net. 156299 IN A 192.48.79.30
k.gtld-servers.net. 156299 IN A 192.52.178.30
l.gtld-servers.net. 156299 IN A 192.41.162.30

;; Query time: 49 msec
;; SERVER: 209.98.98.98#53(209.98.98.98)
;; WHEN: Tue Nov 15 16:12:49 2005
;; MSG SIZE rcvd: 503

As you can see, kis.visi.com did not know how to resolve www.bejtlich.net, so it gave cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 .net generic top level domain server list.

Next I ask kis.visi.com to resolve www.bejtlich.net, but I just use cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 host command and I allow kis.visi.com to ask a name server that knows how to resolve www.bejtlich.net:

orr:/home/richard$ host www.bejtlich.net kis.visi.com
Using domain server:
Name: kis.visi.com
Address: 209.98.98.98#53
Aliases:

www.bejtlich.net has address 66.93.110.10
Using domain server:
Name: kis.visi.com
Address: 209.98.98.98#53
Aliases:

Using domain server:
Name: kis.visi.com
Address: 209.98.98.98#53
Aliases:

I get a response -- www.bejtlich.net is 66.93.110.10. Now when I use dig again and specify no recursion, kis.visi.com responds with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 IP -- it has been cached.

orr:/home/richard$ dig @kis.visi.com www.bejtlich.net A +norecurse

; <<>> DiG 9.3.1 <<>> @kis.visi.com www.bejtlich.net A +norecurse
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42310
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.bejtlich.net. IN A

;; ANSWER SECTION:
www.bejtlich.net. 7194 IN A 66.93.110.10

;; AUTHORITY SECTION:
bejtlich.net. 7194 IN NS ns18.zoneedit.com.
bejtlich.net. 7194 IN NS ns8.zoneedit.com.

;; ADDITIONAL SECTION:
ns8.zoneedit.com. 704 IN A 206.55.124.4
ns18.zoneedit.com. 384 IN A 72.9.106.68

;; Query time: 49 msec
;; SERVER: 209.98.98.98#53(209.98.98.98)
;; WHEN: Tue Nov 15 16:13:20 2005
;; MSG SIZE rcvd: 131

Dan used this technique to ask as many name servers as possible to resolve connected.sonymusic.com, updates.xcp-aurora.com and license.suncom2.com. When I asked cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 kis.visi.com name server about connected.sonymusic.com, I got cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se results:

orr:/home/richard$ dig @kis.visi.com connected.sonymusic.com A +norecurse

; <<>> DiG 9.3.1 <<>> @kis.visi.com connected.sonymusic.com A +norecurse
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10447
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;connected.sonymusic.com. IN A

;; AUTHORITY SECTION:
sonymusic.com. 1255 IN NS udns2.ultradns.net.
sonymusic.com. 1255 IN NS udns1.ultradns.net.

;; ADDITIONAL SECTION:
udns1.ultradns.net. 155728 IN A 204.69.234.1
udns2.ultradns.net. 155944 IN A 204.74.101.1

;; Query time: 53 msec
;; SERVER: 209.98.98.98#53(209.98.98.98)
;; WHEN: Tue Nov 15 16:29:38 2005
;; MSG SIZE rcvd: 125

This means some system has asked kis.visi.com to resolve an unspecified sonymusic.com host before I did. There is no result for connected.sonymusic.com, however. Compare that result with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 following for www.sonymusic.com:

orr:/home/richard$ dig @kis.visi.com www.sonymusic.com A +norecurse

; <<>> DiG 9.3.1 <<>> @kis.visi.com www.sonymusic.com A +norecurse
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37716
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.sonymusic.com. IN A

;; ANSWER SECTION:
www.sonymusic.com. 211 IN A 64.14.39.200

;; AUTHORITY SECTION:
sonymusic.com. 211 IN NS udns2.ultradns.net.
sonymusic.com. 211 IN NS udns1.ultradns.net.

;; ADDITIONAL SECTION:
udns1.ultradns.net. 147104 IN A 204.69.234.1
udns2.ultradns.net. 147320 IN A 204.74.101.1

;; Query time: 53 msec
;; SERVER: 209.98.98.98#53(209.98.98.98)
;; WHEN: Tue Nov 15 18:53:23 2005
;; MSG SIZE rcvd: 135

Notice cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 answer?

Next I try querying for connected.sonymusic.com, and we check cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 dig results again:

orr:/home/richard$ host connected.sonymusic.com kis.visi.com
Using domain server:
Name: kis.visi.com
Address: 209.98.98.98#53
Aliases:

connected.sonymusic.com has address 64.14.39.158
Using domain server:
Name: kis.visi.com
Address: 209.98.98.98#53
Aliases:

Using domain server:
Name: kis.visi.com
Address: 209.98.98.98#53
Aliases:

orr:/home/richard$ dig @kis.visi.com connected.sonymusic.com A +norecurse

; <<>> DiG 9.3.1 <<>> @kis.visi.com connected.sonymusic.com A +norecurse
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 284
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;connected.sonymusic.com. IN A

;; ANSWER SECTION:
connected.sonymusic.com. 3592 IN A 64.14.39.158

;; AUTHORITY SECTION:
sonymusic.com. 87 IN NS udns1.ultradns.net.
sonymusic.com. 87 IN NS udns2.ultradns.net.

;; ADDITIONAL SECTION:
udns1.ultradns.net. 146980 IN A 204.69.234.1
udns2.ultradns.net. 147196 IN A 204.74.101.1

;; Query time: 53 msec
;; SERVER: 209.98.98.98#53(209.98.98.98)
;; WHEN: Tue Nov 15 18:55:26 2005
;; MSG SIZE rcvd: 141

The ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r two domains returned cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 gtld name servers. That means no one else asked kis.visi.com about those domains or hostnames recently.

Nice work Dan -- cool stuff.

5 comments:

Anonymous said...

I think you may be mistaken on your results. It looks like someone has looked up something in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 sony.com domain, but "connected.sony.com" was not cached.

Or maybe I'm not reading it right.

Richard Bejtlich said...

John M -- you are right. I missed cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 missing ANSWER section. I added material to point out cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 difference. Thank you!

John Ward said...

Thats not cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 first time youve impressed me with dig. I really should heed your advice some day and learn more about DNS fundementals. Pretty interesting.

Earl Crane said...
This comment has been removed by a blog administrator.
Anonymous said...

Rich, thanks for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 very helpful demo! I was curious so tried this out on my old school account - and was suprized to find out that nobody at CMU had queried cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 domain! (I went against several of CMU's domain servers) I guess CMU students stick to MP3s and don't bocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r with CD's - an interesting comment as to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 issues of putting "untrusted media" in your machine - but that's already been made.

/afs/andrew.cmu.edu/crane % dig @128.2.1.11 connected.sonymusic.com A +norecurse

; <<>> DiG 9.2.1 <<>> @128.2.1.11 connected.sonymusic.com A +norecurse
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51716
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;connected.sonymusic.com. IN A

;; AUTHORITY SECTION:
com. 167038 IN NS e.gtld-servers.net.
com. 167038 IN NS f.gtld-servers.net.
com. 167038 IN NS g.gtld-servers.net.
com. 167038 IN NS h.gtld-servers.net.
com. 167038 IN NS i.gtld-servers.net.
com. 167038 IN NS j.gtld-servers.net.
com. 167038 IN NS k.gtld-servers.net.
com. 167038 IN NS l.gtld-servers.net.
com. 167038 IN NS m.gtld-servers.net.
com. 167038 IN NS a.gtld-servers.net.
com. 167038 IN NS b.gtld-servers.net.
com. 167038 IN NS c.gtld-servers.net.
com. 167038 IN NS d.gtld-servers.net.

;; Query time: 4 msec
;; SERVER: 128.2.1.11#53(128.2.1.11)
;; WHEN: Wed Nov 16 20:46:47 2005
;; MSG SIZE rcvd: 265

ps. first time posting on Blogger - don't know if this will come out quite right