Dan Kaminsky

Patrick W. Gilmore patrick at ianai.net
Tue Aug 4 18:40:34 UTC 2009


> There is NO fix. There never will be as the problem is architectural
> to the most fundamental operation of DNS. Other than replacing DNS (not
> feasible), the only way to prevent this form of attack is DNSSEC. The
> "fix" only makes it much harder to exploit.

Randomizing source ports and QIDs simply increases entropy, making it  
harder to spoof an answer.  If this is not a "fix", then DNSSEC is not  
a fix either, as it only increases entropy as well.

Admitted, DNSSEC increases it a great deal more, but by your  
definition, it is not a "fix".

-- 
TTFN,
patrick

On Aug 4, 2009, at 2:32 PM, Kevin Oberman wrote:

>> Date: Tue, 04 Aug 2009 13:32:42 -0400
>> From: Curtis Maurand <cmaurand at xyonet.com>
>>
>> andrew.wallace wrote:
>>> On Thu, Jul 30, 2009 at 11:48 PM, Dragos Ruiu<dr at kyx.net> wrote:
>>>
>>>> at the risk of adding to the metadiscussion. what does any of this have to
>>>> do with nanog?
>>>> (sorry I'm kinda irritable about character slander being spammed out
>>>> unnecessarily to unrelated public lists lately ;-P )
>>>>
>>>>
>>>
>>> What does this have to do with Nanog, the guy found a critical
>>> security bug on DNS last year.
>>>
>> He didn't find it.  He only publicized it.  The guy who wrote djbdns
>> found it years ago.  Powerdns was patched for the flaw a year and a half
>> before Kaminsky published his article.
>>
>> http://blog.netherlabs.nl/articles/2008/07/09/some-thoughts-on-the-recent-dns-vulnerability
>>
>> "However - the parties involved aren't to be lauded for their current
>> fix. Far from it. It has been known since 1999 that all nameserver
>> implementations were vulnerable for issues like the one we are facing
>> now. In 1999, Dan J. Bernstein <http://cr.yp.to/djb.html> released his
>> nameserver (djbdns <http://cr.yp.to/djbdns.html>), which already
>> contained the countermeasures being rushed into service now. Let me
>> repeat this. Wise people already saw this one coming 9 years ago, and
>> had a fix in place."
>
> Dan K. has never claimed to have "discovered" the vulnerability. As the
> article says, it's been known for years and djb did suggest a means to
> MINIMIZE this vulnerability.
>
> There is NO fix. There never will be as the problem is architectural
> to the most fundamental operation of DNS. Other than replacing DNS (not
> feasible), the only way to prevent this form of attack is DNSSEC. The
> "fix" only makes it much harder to exploit.
>
> What Dan K. did was to discover a very clever way to exploit the design
> flaw in DNS that allowed the attack. What had been a known problem that
> was not believed to be generally exploitable became a real threat to the
> Internet. Suddenly people realized that an attack of this sort was not
> only possible, but quick and easy (relatively). Dan K. did what a
> security professional should do...he talked to the folks who were
> responsible for most DNS implementations that did caching and a
> work-around was developed before the attack mechanism was made public.
>
> He was given credit for finding the attack method, but the press seemed
> to get it wrong (as they often do) and lots of stories credited him with
> finding the vulnerability.
>
> By the way, I know that Paul Vixie noted this vulnerability quite some
> years ago, but I don't know if his report was before or after djb's.
>
> Now, rather than argue about the history of this problem
> (non-operational), can we stick to operational issues like implementing
> DNSSEC to really fix it (operational)? Is your DNS data signed? (No,
> mine is not and probably won't be for another week or two.)
> -- 
> R. Kevin Oberman, Network Engineer
> Energy Sciences Network (ESnet)
> Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
> E-mail: oberman at es.net			Phone: +1 510 486-8634
> Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
>
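Patrick's argument above turns on entropy: randomizing the source port and the query ID enlarges the space an off-path forger has to guess blind. As an added example (not from this thread or any of its authors), the Python below estimates that entropy from a constructed sample of a resolver's outgoing queries, the kind of check an operator would run over a packet capture of upstream traffic to confirm the port-randomization patch is actually in effect; the sample values and the POOR/GOOD criteria are assumptions.

```python
import math
from collections import Counter

# Constructed (source_port, query_id) pairs, as pulled from a capture of
# a resolver's upstream queries. Values are made up for illustration.
PATCHED = [(53412, 0x1a2b), (60871, 0x77fe), (33019, 0x0c41), (49722, 0xe9d0),
           (58104, 0x3b3b), (41563, 0x9a10), (62290, 0x5e77), (37748, 0xd123)]
# Fixed port, incrementing IDs: the pre-patch behaviour the thread discusses.
UNPATCHED = [(53, 0x1a2b), (53, 0x1a2c), (53, 0x1a2d), (53, 0x1a2e),
             (53, 0x1a2f), (53, 0x1a30), (53, 0x1a31), (53, 0x1a32)]


def shannon_bits(values):
    """Empirical Shannon entropy (bits) of the observed values. With only
    a few samples this is bounded by log2(len(values)), so it catches
    gross failures (one port, repeated IDs), not subtle PRNG weaknesses."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def sequential(values):
    """True if every value is the previous one plus one (no randomization)."""
    return all(b - a == 1 for a, b in zip(values, values[1:]))


def assess(samples):
    """Summarize how unpredictable a resolver's (port, QID) pairs look."""
    ports = [p for p, _ in samples]
    ids = [q for _, q in samples]
    report = {
        "distinct_ports": len(set(ports)),
        "port_range": (min(ports), max(ports)),
        "port_bits": round(shannon_bits(ports), 2),
        "qid_bits": round(shannon_bits(ids), 2),
        "qid_sequential": sequential(ids),
    }
    # A single fixed port or counting QIDs leaves only one 16-bit field for
    # a forger to guess; either condition is a failed check (assumed threshold).
    weak = report["distinct_ports"] == 1 or report["qid_sequential"]
    report["verdict"] = "POOR" if weak else "GOOD"
    return report


def guess_probability(entropy_bits, forged_packets):
    """Chance that `forged_packets` blind guesses match one outstanding
    query whose (port, QID) carries `entropy_bits` of unpredictability.
    Quantifies what the extra entropy buys the defender."""
    return 1 - (1 - 1 / 2 ** entropy_bits) ** forged_packets
```

Running `assess` on the two samples gives GOOD for the randomized set and POOR for the fixed-port, counting-ID set; `guess_probability(32, n)` versus `guess_probability(16, n)` shows the factor of 65536 that port randomization adds on top of the QID alone.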