[106727] in North American Network Operators' Group
Re: DNS attacks evolve
daemon@ATHENA.MIT.EDU (Leo Bicknell)
Mon Aug 11 11:20:25 2008
Date: Mon, 11 Aug 2008 11:20:07 -0400
From: Leo Bicknell <bicknell@ufp.org>
To: nanog@nanog.org
Mail-Followup-To: nanog@nanog.org
In-Reply-To: <48A04FB2.4040602@brightok.net>
Errors-To: nanog-bounces@nanog.org
In a message written on Mon, Aug 11, 2008 at 09:41:54AM -0500, Jack Bates wrote:
> > 7) Have someone explain to me the repeated claims I've seen that djbdns and
> > Nominum's server are not vulnerable to this, and why that is.
>
> PowerDNS has this to say about their non-vulnerability status:
>
> http://mailman.powerdns.com/pipermail/pdns-users/2008-July/005536.html
>
> I know some very happy providers that haven't had to patch. I hope to be
> one of them on the next round.
It's not that they are immune to the attack, and I think a few
people deserve to be smacked around for the language they use.....

Let's be perfectly clear, without DNSSEC or an alteration to the
DNS Protocol THERE IS NO WAY TO PREVENT THIS ATTACK. There are
only ways to make the attack harder.

So what PowerDNS, DJB and others are telling you is not that you
are immune, it is that you're not the low hanging fruit. A more
direct way of stating their press releases would be:

  Everyone else figured out it took 3 minutes to hack their servers
  and implemented patches to make it take 2 hours. Our server always
  had the logic to make it take 2 hours, so we were ahead of the game.
  Great.

If your vendor told you that you are not at risk they are wrong,
and need to go re-read the Kaminsky paper. EVERYONE is vulnerable,
the only question is if the attack takes 1 second, 1 minute, 1 hour
or 1 day. While possibly interesting for short term problem
management none of those are long term fixes. I'm not sure your
customers care when .COM is poisoned if it took the attacker 1
second or 1 day.
-- 
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
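An added illustration, not part of Leo's post or of any vendor's code, of the arithmetic behind his "not immune, just harder" point: every extra bit of entropy a resolver checks on an incoming reply doubles the expected number of forgeries an off-path spoofer has to send, so a mitigation buys time, not immunity. The model is the standard simplified one (each forged reply is an independent uniform guess over the fields the resolver checks, and guesses keep arriving until one matches). The 16-bit transaction ID and the roughly 16 additional bits from source-port randomization are general facts about DNS; the forge rate of 65,536 packets per second is a constructed assumption chosen only to make the numbers round.

```python
import math

# Entropy the resolver checks on a reply, in bits (general DNS facts).
TXID_BITS = 16           # 16-bit transaction ID, all that pre-patch resolvers checked
SOURCE_PORT_BITS = 16    # roughly what source-port randomization adds (a little less in practice)

# Constructed assumption for the examples below: how many forged replies per
# second an off-path spoofer can deliver to the resolver.
ASSUMED_FORGE_PPS = 65536.0


def expected_forgeries(entropy_bits: int) -> int:
    """Expected number of forged replies until the first one matches every
    checked field. Each guess succeeds with p = 2**-bits, so the count is
    geometric with mean 1/p = 2**bits."""
    return 2 ** entropy_bits


def expected_seconds(entropy_bits: int, forge_pps: float = ASSUMED_FORGE_PPS) -> float:
    """Expected wall-clock time to the first match at a given forge rate."""
    return expected_forgeries(entropy_bits) / forge_pps


def success_probability(entropy_bits: int, seconds: float,
                        forge_pps: float = ASSUMED_FORGE_PPS) -> float:
    """P(at least one match within `seconds`) = 1 - (1 - p)**n with
    n = forge_pps * seconds.  Computed via log1p/expm1 so it stays accurate
    when p is tiny and n is huge."""
    p = 2.0 ** -entropy_bits
    n = forge_pps * seconds
    return -math.expm1(n * math.log1p(-p))


def headroom_factor(bits_before: int, bits_after: int) -> int:
    """How many times longer the expected attack takes after adding entropy."""
    return 2 ** (bits_after - bits_before)


def compare(forge_pps: float = ASSUMED_FORGE_PPS) -> dict:
    """Expected time-to-poison for the two configurations the post contrasts:
    TXID only (the 'low hanging fruit') versus TXID plus randomized port."""
    before = TXID_BITS
    after = TXID_BITS + SOURCE_PORT_BITS
    return {
        "txid_only_seconds": expected_seconds(before, forge_pps),
        "txid_plus_port_seconds": expected_seconds(after, forge_pps),
        "headroom_factor": headroom_factor(before, after),
    }


if __name__ == "__main__":
    for name, secs in compare().items():
        print(f"{name}: {secs}")
    # With the assumed rate: about 1 second vs. about 18 hours, the
    # "1 second or 1 day" spread the post describes, and still finite.
```

At the assumed forge rate the TXID-only resolver is expected to be poisoned in about a second, while the port-randomized one needs about 65,536 seconds (roughly 18 hours): a factor of 2^16 in headroom, which is exactly the post's point that the patched server is "not the low hanging fruit" rather than safe. Only a change that removes the guessing game entirely, such as DNSSEC validation, takes the expected time off this curve.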