[105920] in North American Network Operators' Group


Re: Multiple DNS implementations vulnerable to cache poisoning

daemon@ATHENA.MIT.EDU (Patrick W. Gilmore)
Wed Jul 9 16:15:33 2008

From: "Patrick W. Gilmore" <patrick@ianai.net>
To: nanog@merit.edu
In-Reply-To: <200807092010.m69KAp25004011@venus.xmundo.net>
Date: Wed, 9 Jul 2008 16:15:20 -0400
Errors-To: nanog-bounces@nanog.org

On Jul 9, 2008, at 4:07 PM, Fernando Gont wrote:
> At 12:41 p.m. 09/07/2008, Steven M. Bellovin wrote:
>
>> It's worth noting that the basic idea of the attack isn't new.  Paul
>> Vixie described it in 1995 at the Usenix Security Conference
>> (http://www.usenix.org/publications/library/proceedings/security95/vixie.html)
>> -- in a section titled "What We Cannot Fix", he wrote:
>>
>>        With only 16 bits worth of query ID and 16 bits worth of UDP
>>        port number, it's hard not to be predictable.  A determined
>>        attacker can try all the numbers in a very short time and can
>>        use patterns derived from examination of the freely available
>>        BIND code. Even if we had a white noise generator to help
>>        randomize our numbers, it's just too easy to try them all.
>
> We have one IETF ID on port randomization for years: http://www.gont.com.ar/drafts/port-randomization/index.html
>
> While this does not make the attack impossible, it does make it much  
> harder.
>
> The same thing applies to those RST attacks circa 2004.
>
> Most of these blind attacks assume the source port numbers are easy  
> to guess. But... why should they?

Because many name servers use one port, or easily guessable sequence  
of ports?

-- 
TTFN,
patrick
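The point Patrick makes above is the check an operator would want to run on their own resolver: does it send every query from one port (leaving only the 16-bit query ID for an off-path attacker to guess), walk through ports sequentially, or pick them unpredictably? The script below is an added example, not something from this thread or from any of the people quoted in it. It assumes tcpdump-style lines for the resolver's *outbound* queries in the format shown in the constructed samples; the `parse_queries`, `classify_ports` and `assess` functions are hypothetical names chosen here.

```python
"""Classify a resolver's outbound DNS source-port behaviour from a capture.

Feed it tcpdump-style lines for queries the resolver itself sends out.
The three log blocks below are constructed samples, not real captures.
"""
import math
import re
from collections import Counter

# Constructed tcpdump-style lines:
#   "<time> IP <src>.<sport> > <dst>.<dport>: <txid>+ A? <name> (<len>)"
FIXED_PORT_LOG = """\
12:00:01.000 IP 192.0.2.10.53 > 198.51.100.1.53: 4112+ A? a.example. (27)
12:00:01.010 IP 192.0.2.10.53 > 198.51.100.1.53: 9001+ A? b.example. (27)
12:00:01.020 IP 192.0.2.10.53 > 198.51.100.1.53: 53217+ A? c.example. (27)
12:00:01.030 IP 192.0.2.10.53 > 198.51.100.1.53: 777+ A? d.example. (27)
"""
SEQUENTIAL_PORT_LOG = """\
12:00:02.000 IP 192.0.2.10.32768 > 198.51.100.1.53: 1201+ A? a.example. (27)
12:00:02.010 IP 192.0.2.10.32769 > 198.51.100.1.53: 61002+ A? b.example. (27)
12:00:02.020 IP 192.0.2.10.32770 > 198.51.100.1.53: 3355+ A? c.example. (27)
12:00:02.030 IP 192.0.2.10.32771 > 198.51.100.1.53: 27890+ A? d.example. (27)
"""
RANDOM_PORT_LOG = """\
12:00:03.000 IP 192.0.2.10.41233 > 198.51.100.1.53: 51004+ A? a.example. (27)
12:00:03.010 IP 192.0.2.10.5097 > 198.51.100.1.53: 19+ A? b.example. (27)
12:00:03.020 IP 192.0.2.10.60120 > 198.51.100.1.53: 44110+ A? c.example. (27)
12:00:03.030 IP 192.0.2.10.17744 > 198.51.100.1.53: 8081+ A? d.example. (27)
"""

# Pulls source port, destination port and the DNS transaction ID.
LINE_RE = re.compile(r"IP \S+?\.(\d+) > \S+?\.(\d+): (\d+)\+")


def parse_queries(log_text):
    """Return [(txid, source_port), ...] for lines that look like DNS queries."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            sport, _dport, txid = (int(x) for x in m.groups())
            out.append((txid, sport))
    return out


def port_entropy_bits(ports):
    """Shannon entropy of the observed port distribution, in bits.

    This is an empirical estimate: with n samples it can never exceed
    log2(n), so a few hundred queries are needed before the number says
    much about a randomized resolver. It is exact for the fixed-port case.
    """
    n = len(ports)
    counts = Counter(ports)
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return round(abs(entropy), 2)  # abs() turns -0.0 into 0.0


def classify_ports(ports):
    """'fixed', 'sequential' (each port = previous + 1) or 'random-looking'."""
    if len(set(ports)) == 1:
        return "fixed"
    if ports == list(range(ports[0], ports[0] + len(ports))):
        return "sequential"
    return "random-looking"


def assess(log_text):
    """Summarize what an off-path guesser would have to match.

    With a fixed port only the 16-bit transaction ID varies; a sequential
    port adds almost nothing once one query has been observed. Note that a
    NAT in front of the resolver can rewrite ports either way, so capture
    on the outside of any NAT to see what the network actually sees.
    """
    queries = parse_queries(log_text)
    ports = [sport for _txid, sport in queries]
    pattern = classify_ports(ports)
    return {
        "queries": len(queries),
        "distinct_ports": len(set(ports)),
        "port_entropy_bits": port_entropy_bits(ports),
        "pattern": pattern,
        "txid_only_protection": pattern in ("fixed", "sequential"),
    }


if __name__ == "__main__":
    for name, log in (("fixed", FIXED_PORT_LOG),
                      ("sequential", SEQUENTIAL_PORT_LOG),
                      ("random", RANDOM_PORT_LOG)):
        print(name, assess(log))
```

In practice you would replace the constructed blocks with the output of a capture filter on UDP port 53 taken on the resolver's uplink, and treat any result other than "random-looking" across a few hundred queries as a resolver that needs its port randomization turned on.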


