Multiple DNS implementations vulnerable to cache poisoning

Fernando Gont fernando at
Wed Jul 9 20:07:38 UTC 2008

At 12:41 p.m. 09/07/2008, Steven M. Bellovin wrote:

>It's worth noting that the basic idea of the attack isn't new.  Paul
>Vixie described it in 1995 at the Usenix Security Conference
>-- in a section titled "What We Cannot Fix", he wrote:
>         With only 16 bits worth of query ID and 16 bits worth of UDP
>         port number, it's hard not to be predictable.  A determined
>         attacker can try all the numbers in a very short time and can
>         use patterns derived from examination of the freely available
>         BIND code. Even if we had a white noise generator to help
>         randomize our numbers, it's just too easy to try them all.

We have one IETF ID on port randomization for years:

While this does not make the attack impossible, it does make it much harder.

The same thing applies to those RST attacks circa 2004.

Most of these blind attacks assume the source port numbers are easy 
to guess. But... why should they?

Kind regards,

Fernando Gont
e-mail: fernando at || fgont at
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

More information about the NANOG mailing list