[127718] in cryptography@c2.net mail archive
Re: Kaminsky finds DNS exploit
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Wed Jul 9 11:32:04 2008
Date: Wed, 9 Jul 2008 11:18:10 -0400
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: Udhay Shankar N <udhay@pobox.com>
Cc: cryptography@metzdowd.com
In-Reply-To: <4874523A.5090402@pobox.com>
On Wed, 09 Jul 2008 11:22:58 +0530
Udhay Shankar N <udhay@pobox.com> wrote:
> I think Dan Kaminsky is on this list. Any other tidbits you can add
> prior to Black Hat?
>
> Udhay
>
> http://www.liquidmatrix.org/blog/2008/07/08/kaminsky-breaks-dns/
>
I'm curious about the details of the attack. Paul Vixie published the
basic idea in 1995 at Usenix Security
(http://www.usenix.org/publications/library/proceedings/security95/vixie.html)
-- in a section titled "What We Cannot Fix", he wrote:
With only 16 bits worth of query ID and 16 bits worth of UDP port
number, it's hard not to be predictable. A determined attacker
can try all the numbers in a very short time and can use patterns
derived from examination of the freely available BIND code. Even
if we had a white noise generator to help randomize our numbers,
it's just too easy to try them all.
Obligatory crypto: the ISC web page on the attack notes "DNSSEC is the
only definitive solution for this issue. Understanding that immediate
DNSSEC deployment is not a realistic expectation..."
--Steve Bellovin, http://www.cs.columbia.edu/~smb
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
