Multiple DNS implementations vulnerable to cache poisoning

Patrick W. Gilmore patrick at
Wed Jul 9 20:15:20 UTC 2008

On Jul 9, 2008, at 4:07 PM, Fernando Gont wrote:
> At 12:41 p.m. 09/07/2008, Steven M. Bellovin wrote:
>> It's worth noting that the basic idea of the attack isn't new.  Paul
>> Vixie described it in 1995 at the Usenix Security Conference
>> ( 
>> )
>> -- in a section titled "What We Cannot Fix", he wrote:
>>        With only 16 bits worth of query ID and 16 bits worth of UDP
>>        port number, it's hard not to be predictable.  A determined
>>        attacker can try all the numbers in a very short time and can
>>        use patterns derived from examination of the freely available
>>        BIND code. Even if we had a white noise generator to help
>>        randomize our numbers, it's just too easy to try them all.
> We have one IETF ID on port randomization for years:
> While this does not make the attack impossible, it does make it much  
> harder.
> The same thing applies to those RST attacks circa 2004.
> Most of these blind attacks assume the source port numbers are easy  
> to guess. But... why should they?

Because many name servers use one port, or easily guessable sequence  
of ports?


More information about the NANOG mailing list