[Fwd: Re: DNS attacks evolve]

Mike Leber mleber at he.net
Thu Aug 14 12:07:30 CDT 2008


FYI.  There was some question here about whether PowerDNS was vulnerable 
or not and what it was doing, so I asked Bert Hubert about it.  Here is 
his answer:

-------- Original Message --------
Subject: Re: [Fwd: Re: DNS attacks evolve]
Date: Wed, 13 Aug 2008 21:29:50 +0200
From: bert hubert <bert.hubert at netherlabs.nl>
To: Mike Leber <mleber at he.net>
References: <48A08113.6010801 at he.net>

On Mon, Aug 11, 2008 at 11:12:35AM -0700, Mike Leber wrote:
> Is there any post anywhere that provides more technical detail about how 
> the PowerDNS cache is not vulnerable?

Mike, very briefly, PowerDNS implements two things: source port
randomization + near miss detection.

Near miss detection is documented here:

http://doc.powerdns.com/built-in-recursor.html
spoof-nearmiss-max

    If set to non-zero, PowerDNS will assume it is being spoofed after
    seeing this many answers with the wrong id. Defaults to 20.

Some more is in:
http://doc.powerdns.com/recursor-details.html

> I'll post a link to it and provide other operators a better answer than 
> the equivalent of "because I say so".  The answer could be anything such 
> as "we reject updates to glue when", or "it takes 10 years based on 
> these calculations...".

Calculations on how long it will take are on
http://blog.netherlabs.nl/articles/2008/08/05/calculating-the-chance-of-spoofing-an-agile-source-port-randomised-resolver

These calculations go beyond what powerdns 3.1.7 does, however.

> 
> If your vendor told you that you are not at risk they are wrong,
> and need to go re-read the Kaminsky paper.  EVERYONE is vulnerable,
> the only question is if the attack takes 1 second, 1 minute, 1 hour
> or 1 day.  While possibly interesting for short term problem

Or 1 year, or 2 years or a century.

	Bert



-- 
http://www.PowerDNS.com      Open source, database driven DNS Software
http://netherlabs.nl              Open and Closed source services


-- 
+---------------- H U R R I C A N E - E L E C T R I C ----------------+
| Mike Leber        Wholesale IPv4 and IPv6 Transit      510 580 4100 |
| Hurricane Electric                                           AS6939 |
| mleber at he.net     Internet Backbone & Colocation      http://he.net |
+---------------------------------------------------------------------+
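The two mechanisms Bert names, source port randomisation and near-miss detection, as an added illustrative model (this is not PowerDNS code and not from anyone in the thread). A query goes out with a random 16-bit id on a random ephemeral port; an answer that hits the right port but carries the wrong id is a "near miss", and once spoof-nearmiss-max of them (default 20, zero disables the check) have been seen for one query, that query is treated as under attack. Keying pending queries by (name, port), and refusing further answers for a flagged query, are assumptions of this model; the thread does not say what PowerDNS does after it decides it is being spoofed.

```python
"""Toy model of source-port randomisation plus near-miss detection.

Added example, not PowerDNS code.  Each upstream query is sent with a
random 16-bit transaction id and a random source port (roughly 16 more
bits an off-path forger must guess).  Answers that arrive on the right
port with the wrong id are counted per query; at spoof-nearmiss-max of
them the query is considered spoofed.
"""
import secrets
from dataclasses import dataclass

SPOOF_NEARMISS_MAX = 20  # PowerDNS default quoted in the thread; 0 disables the check


@dataclass
class OutstandingQuery:
    qname: str
    txid: int
    src_port: int
    near_misses: int = 0
    spoofed: bool = False


@dataclass
class Response:
    """Constructed stand-in for a UDP answer: only the fields the check reads."""
    qname: str
    txid: int
    dst_port: int   # port the answer was sent to, i.e. our source port
    rdata: str


class NearMissResolver:
    def __init__(self, nearmiss_max: int = SPOOF_NEARMISS_MAX):
        self.nearmiss_max = nearmiss_max
        # Assumption of this model: pending queries keyed by (qname, source port).
        self.pending: dict[tuple[str, int], OutstandingQuery] = {}
        self.cache: dict[str, str] = {}

    def send_query(self, qname: str) -> OutstandingQuery:
        txid = secrets.randbelow(1 << 16)
        src_port = 1024 + secrets.randbelow(65536 - 1024)  # ephemeral, never a fixed port
        q = OutstandingQuery(qname, txid, src_port)
        self.pending[(qname, src_port)] = q
        return q

    def receive(self, resp: Response) -> str:
        q = self.pending.get((resp.qname, resp.dst_port))
        if q is None:
            # Nothing outstanding on that port for that name (port miss, duplicate
            # or late answer): dropped without touching any counter.
            return "no-match"
        if q.spoofed:
            # Assumption of this model: once flagged, every further answer for the
            # query is refused, even one that happens to carry the right id.
            return "dropped-spoofed"
        if resp.txid != q.txid:
            q.near_misses += 1
            if self.nearmiss_max and q.near_misses >= self.nearmiss_max:
                q.spoofed = True
                return "spoof-detected"
            return "near-miss"
        # Right port and right id: accept and retire the query.
        self.cache[resp.qname] = resp.rdata
        del self.pending[(resp.qname, resp.dst_port)]
        return "accepted"


if __name__ == "__main__":
    # Constructed stream: 24 answers on the correct port, all with a wrong id.
    r = NearMissResolver()
    q = r.send_query("example.com.")
    outcomes = [r.receive(Response("example.com.", (q.txid + k) % 65536, q.src_port, "192.0.2.1"))
                for k in range(1, 25)]
    print(outcomes.count("near-miss"), "near misses before detection;",
          outcomes.count("spoof-detected"), "detection event;",
          outcomes.count("dropped-spoofed"), "answers refused afterwards")
```

The port check runs before the id check, which is why an answer to the wrong port never even counts as a near miss; with the check disabled (nearmiss_max=0) wrong-id answers are simply ignored forever and a correct answer is still accepted.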