Multiple DNS implementations vulnerable to cache poisoning

Steven M. Bellovin smb at cs.columbia.edu
Wed Jul 9 10:41:43 CDT 2008


On Tue, 8 Jul 2008 13:48:57 -0700
"Buhrmaster, Gary" <gtb at slac.stanford.edu> wrote:

> 
> Multiple DNS implementations vulnerable to cache poisoning:
> 
> http://www.kb.cert.org/vuls/id/800113
> 
> (A widely coordinated vendor announcement.  As always,
> check with your vendor(s) for patch status.)
> 
It's worth noting that the basic idea of the attack isn't new.  Paul
Vixie described it in 1995 at the Usenix Security Conference
(http://www.usenix.org/publications/library/proceedings/security95/vixie.html)
-- in a section titled "What We Cannot Fix", he wrote:

	With only 16 bits worth of query ID and 16 bits worth of UDP
	port number, it's hard not to be predictable.  A determined
	attacker can try all the numbers in a very short time and can
	use patterns derived from examination of the freely available
	BIND code. Even if we had a white noise generator to help
	randomize our numbers, it's just too easy to try them all.

The ISC web page on the attack notes "DNSSEC is the only definitive
solution for this issue. Understanding that immediate DNSSEC deployment
is not a realistic expectation..."  I wonder what NANOG folk can do
about the second part of that quote...


		--Steve Bellovin, http://www.cs.columbia.edu/~smb




More information about the NANOG mailing list