Multiple DNS implementations vulnerable to cache poisoning
Steven M. Bellovin
smb at cs.columbia.edu
Wed Jul 9 15:41:43 UTC 2008
On Tue, 8 Jul 2008 13:48:57 -0700
"Buhrmaster, Gary" <gtb at slac.stanford.edu> wrote:
>
> Multiple DNS implementations vulnerable to cache poisoning:
>
> http://www.kb.cert.org/vuls/id/800113
>
> (A widely coordinated vendor announcement. As always,
> check with your vendor(s) for patch status.)
>
It's worth noting that the basic idea of the attack isn't new. Paul
Vixie described it in 1995 at the Usenix Security Conference
(http://www.usenix.org/publications/library/proceedings/security95/vixie.html)
-- in a section titled "What We Cannot Fix", he wrote:
With only 16 bits worth of query ID and 16 bits worth of UDP
port number, it's hard not to be predictable. A determined
attacker can try all the numbers in a very short time and can
use patterns derived from examination of the freely available
BIND code. Even if we had a white noise generator to help
randomize our numbers, it's just too easy to try them all.
The ISC web page on the attack notes "DNSSEC is the only definitive
solution for this issue. Understanding that immediate DNSSEC deployment
is not a realistic expectation..." I wonder what NANOG folk can do
about the second part of that quote...
--Steve Bellovin, http://www.cs.columbia.edu/~smb
More information about the NANOG
mailing list