how to protect name servers against cache corruption
Deepak Jain
deepak at jain.com
Wed Jul 30 20:02:04 UTC 1997
Wouldn't a behavior like this be able to be used to bring name servers
down by simply killing CPU time?
-Deepak.
On 30 Jul 1997 tqbf at smtp.enteract.com wrote:
> In article <19970730001246.22933 at netmonger.net>, you wrote:
> >_details_. Paul has written papers on DNS security, along with BIND
> >itself, and I'm inclined to believe him when he says there are no more
> >trivial fixes. If you know of one, why don't you share it? I'm not
>
> Fair enough.
>
> Here's a simple piece of input. If BIND 8.1.1 receives a DNS query
> response with an invalid query ID, it logs it and drops the packet.
> However, the invalid query ID is evidence of an attack in progress. Why
> doesn't BIND parse the packet, find out what question is being answered,
> and immediately re-issue the query with a different ID?
>
> In other words, it's possible for BIND to detect that it is under attack
> (in a response-forged query-ID guessing situation). BIND doesn't do
> anything about this. Why?
>
> Just the simplest suggestion I can come up with (without having this go
> into multiple pages) to convey the idea that I am trying to be
> constructive here.
>
> I'm not sure this is the appropriate forum for this discussion
> (*copout*Ididn'tstartthisthread*copout*), but if you want further details
> as to my harebrained suggestions, I'm happy to give them!
>
> --
> ----------------
> Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf at enteract.com]
> ----------------
> exit(main(kfp->kargc, argv, environ));
>
>
More information about the NANOG
mailing list