Subject: [IP] Re: weakness in the DNS protocol
________________________________________
From: Steven M. Bellovin [smb@cs.columbia.edu]
Sent: Wednesday, July 09, 2008 11:43 AM
To: David Farber
Cc: ip
Subject: Re: [IP] weakness in the DNS protocol
On Wed, 9 Jul 2008 09:05:44 -0400
David Farber <dave@farber.net> wrote:
>
> http://www.isc.org/index.pl?/sw/bind/forgery-resilience.php
>
> A weakness in the DNS protocol may enable the poisoning of caching
> recursive resolvers with spoofed data. DNSSEC is the only full
> solution. New versions of BIND provide increased resilience to the
> attack.
>
It's worth noting that Paul Vixie published the basic idea behind this
attack in 1995 at Usenix Security
(http://www.usenix.org/publications/library/proceedings/security95/vixie.html)
-- in a section titled "What We Cannot Fix", he wrote:
With only 16 bits worth of query ID and 16 bits worth of UDP
port number, it's hard not to be predictable. A determined
attacker can try all the numbers in a very short time and can
use patterns derived from examination of the freely available
BIND code. Even if we had a white noise generator to help
randomize our numbers, it's just too easy to try them all.
As ISC notes, DNSSEC is really the path we need to follow.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
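To put numbers on the point Vixie and ISC are making (16 bits of query ID is too little to hide behind, and adding 16 bits of randomized UDP source port is what "increased resilience" buys a resolver), here is a small added model of blind response forgery. It is example code written for this archive page, not code from Bellovin, Vixie, ISC or BIND. It assumes the simplest blind-spoofing model: the attacker cannot see the outstanding query, each forged reply is one guess at the (query ID, source port) pair, and every forgery that arrives before the real answer gets a chance to match. The per-window forgery counts are constructed inputs, not measurements.

```python
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class ResolverConfig:
    """Entropy a resolver puts into an outstanding query that a forged
    reply has to match.  Defaults are the figures named in the thread:
    16 bits of query ID and 16 bits of UDP port number."""
    name: str
    query_id_bits: int = 16
    port_bits: int = 16
    # False models the pre-fix behaviour: one fixed source port, so only
    # the query ID is unpredictable.  True models source-port randomization.
    port_randomized: bool = True

    @property
    def entropy_bits(self) -> int:
        return self.query_id_bits + (self.port_bits if self.port_randomized else 0)

    @property
    def search_space(self) -> int:
        # Number of (query ID, source port) pairs a blind spoofer must guess among.
        return 1 << self.entropy_bits


def spoof_success_per_query(cfg: ResolverConfig, forged_per_window: int) -> float:
    """Probability that at least one of `forged_per_window` distinct guesses,
    all delivered before the genuine answer, matches the outstanding query.
    Capped at 1.0: once the whole space fits in the window, Vixie's
    'just try them all' applies regardless of how good the RNG is."""
    if forged_per_window < 0:
        raise ValueError("forged_per_window must be non-negative")
    return min(1.0, forged_per_window / cfg.search_space)


def expected_queries_until_spoof(cfg: ResolverConfig, forged_per_window: int) -> float:
    """Mean number of query windows the attacker needs before the first hit
    (geometric distribution, mean 1/p).  Returns inf when p is zero."""
    p = spoof_success_per_query(cfg, forged_per_window)
    return math.inf if p == 0.0 else 1.0 / p


def resilience_gain_bits(before: ResolverConfig, after: ResolverConfig) -> int:
    """How many extra bits of entropy a configuration change adds."""
    return after.entropy_bits - before.entropy_bits


def compare(forged_per_window: int) -> dict:
    """Side-by-side figures for the fixed-port and randomized-port cases."""
    legacy = ResolverConfig("query ID only (fixed source port)", port_randomized=False)
    hardened = ResolverConfig("query ID + randomized source port")
    return {
        cfg.name: {
            "entropy_bits": cfg.entropy_bits,
            "search_space": cfg.search_space,
            "p_success_per_query": spoof_success_per_query(cfg, forged_per_window),
            "expected_queries": expected_queries_until_spoof(cfg, forged_per_window),
        }
        for cfg in (legacy, hardened)
    }


if __name__ == "__main__":
    # Constructed figure: 100 forged replies land before the real answer.
    for name, row in compare(100).items():
        print(f"{name}: {row['entropy_bits']} bits, "
              f"p={row['p_success_per_query']:.2e} per query, "
              f"~{row['expected_queries']:,.0f} queries to first success")
```

Two things the model makes visible: with a fixed port the expected effort is measured in hundreds of queries, so "even a white noise generator" for the query ID does not help, exactly as Vixie wrote; randomizing the port multiplies the effort by 2^16 but still leaves a finite, entropy-bounded search, which is why both ISC and Bellovin point at DNSSEC rather than more randomness as the full fix.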
-------------------------------------------