DNS attacks evolve
Leo Bicknell
bicknell at ufp.org
Mon Aug 11 15:20:07 UTC 2008
In a message written on Mon, Aug 11, 2008 at 09:41:54AM -0500, Jack Bates wrote:
> >7) Have someone explain to me the repeated claims I've seen that djbdns and
> > Nominum's server are not vulnerable to this, and why that is.
>
> PowerDNS has this to say about their non-vulnerability status:
>
> http://mailman.powerdns.com/pipermail/pdns-users/2008-July/005536.html
>
> I know some very happy providers that haven't had to patch. I hope to be
> one of them on the next round.
It's not that they are immune to the attack, and I think a few
people deserve to be smacked around for the language they use.....
Let's be perfectly clear, without DNSSEC or an alteration to the
DNS Protocol THERE IS NO WAY TO PREVENT THIS ATTACK. There are
only ways to make the attack harder.
So what PowerDNS, DJB and others are telling you is not that you
are immune, it is that you're not the low hanging fruit. A more
direct way of stating their press releases would be:
Everyone else figured out it took 3 minutes to hack their servers
and implemented patches to make it take 2 hours. Our server always
had the logic to make it take 2 hours, so we were ahead of the game.
Great.
If your vendor told you that you are not at risk they are wrong,
and need to go re-read the Kaminski paper. EVERYONE is vunerable,
the only question is if the attack takes 1 second, 1 minute, 1 hour
or 1 day. While possibly interesting for short term problem
management none of those are long term fixes. I'm not sure your
customers care when .COM is poisoned if it took the attacker 1
second or 1 day.
--
Leo Bicknell - bicknell at ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20080811/51506e98/attachment.sig>
More information about the NANOG
mailing list