[106193] in North American Network Operators' Group
Re: Exploit for DNS Cache Poisoning - RELEASED
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Thu Jul 24 10:44:25 2008
Date: Thu, 24 Jul 2008 10:43:14 -0400
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: "Jorge Amodio" <jmamodio@gmail.com>
In-Reply-To: <202705b0807240710u111677dex481c51eb675fe7fb@mail.gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
On Thu, 24 Jul 2008 09:10:13 -0500
"Jorge Amodio" <jmamodio@gmail.com> wrote:
> >
> > Sure, I can empathize, to a certain extent. But this issue has
> > been known for 2+ weeks now.
> >
>
> Well, we have known about the DNS issues since a long time ago (20+ yrs
> perhaps?), so the issue is not new; just the exploit is easier to
> put together and the chances for it to succeed are much higher.
>
This is important. Kaminsky took a known concept and did the hard
engineering work to make it feasible. To slightly misuse a quote
that's more often applied to crypto, "amateurs worry about algorithms;
pros worry about economics". The economics of the attack have now
changed. (And we need to get DNSSEC deployed before they change even
further.)
--Steve Bellovin, http://www.cs.columbia.edu/~smb
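The "economics" point above can be made concrete with a back-of-the-envelope model. The following Python is an added illustration and is not part of the NANOG thread or of Kaminsky's exploit code. Its assumptions are mine: a resolver matches a reply on a 16-bit transaction ID (TXID), the attacker fires k forged replies with distinct TXIDs per race, a classic attack on a cached name has to wait out the record's TTL after every failed race, Kaminsky's variant queries a fresh random name each time and so only waits one round trip, and source-port randomization adds roughly 16 more bits of guess space. The sample parameters (k=100, TTL=3600 s, RTT=0.1 s) are constructed, not measured.

```python
"""Added illustration (not from the thread): why Kaminsky's technique changed
the economics of DNS cache poisoning, as expected time-to-poison.

Assumptions (mine, not the thread's):
  * A resolver accepts a reply that matches the query's 16-bit TXID; before
    source-port randomization that is the entire guessing space.
  * Per race the attacker injects `forged_replies` distinct TXIDs before the
    genuine answer lands, so the per-race win probability is k / space.
  * Classic poisoning targets a name the victim caches on success or failure,
    so a lost race cannot be retried until the record's TTL expires.
  * Kaminsky's variant asks for a fresh random name each time, so a lost race
    costs only one round trip to the authoritative server.
  * Source-port randomization multiplies the guess space by ~2^16.
The model ignores multiple outstanding queries and the genuine reply's timing;
it is a sizing aid, not a simulator.
"""

TXID_SPACE = 2 ** 16          # 16-bit DNS transaction ID
PORT_SPACE = 2 ** 16          # assumed entropy of a randomized source port


def race_win_probability(forged_replies: int, guess_space: int) -> float:
    """Chance that one race is won when `forged_replies` distinct IDs are tried."""
    if forged_replies < 1 or guess_space < 1:
        raise ValueError("counts must be positive")
    return min(forged_replies, guess_space) / guess_space


def expected_races(forged_replies: int, guess_space: int) -> float:
    """Geometric waiting time: mean number of races until the first win."""
    return 1.0 / race_win_probability(forged_replies, guess_space)


def expected_seconds(forged_replies: int, guess_space: int,
                     seconds_per_race: float) -> float:
    """Mean wall-clock time to poison, given the delay between attempts."""
    return expected_races(forged_replies, guess_space) * seconds_per_race


def scenarios(forged_replies: int = 100, ttl: float = 3600.0,
              rtt: float = 0.1) -> dict:
    """Expected time-to-poison under the three regimes the thread alludes to.

    Returns seconds for: the classic TTL-bound attack, Kaminsky's retry-per-RTT
    attack against TXID only, and the same attack with source-port entropy.
    """
    return {
        "classic_txid_only": expected_seconds(forged_replies, TXID_SPACE, ttl),
        "kaminsky_txid_only": expected_seconds(forged_replies, TXID_SPACE, rtt),
        "kaminsky_txid_plus_port": expected_seconds(
            forged_replies, TXID_SPACE * PORT_SPACE, rtt),
    }


if __name__ == "__main__":
    for name, secs in scenarios().items():
        print(f"{name:26s} ~{secs / 86400:10.2f} days ({secs:,.0f} s)")
```

With the constructed defaults the classic attack needs on the order of weeks, Kaminsky's variant against a TXID-only resolver about a minute, and the same variant against a port-randomizing resolver weeks again. That is the swing in attacker cost the post is describing, and why port randomization was the stopgap while DNSSEC removes the guessing game altogether.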