[11463] in North American Network Operators' Group
Re: how to protect name servers against cache corruption
daemon@ATHENA.MIT.EDU (Paul A Vixie)
Wed Jul 30 14:32:29 1997
To: nanog@merit.edu
Date: Wed, 30 Jul 1997 11:09:24 -0700
From: Paul A Vixie <vixie@vix.com>
someone asked me a question in private e-mail that deserves a public answer.
> 1) How exactly did Eugene Kashperuff propagate this "RR poisoning" across
> the Internet? From NANOG's previous mailings I can deduce that it was along
> the lines of dig @victim -t ns www.alternic.net. Where www.alternic.net had
> duff A records.
yes.
> 2) What were/are the symptoms of this attack? www.internic.net resolving to
> www.alternic.net?
yes.
> 3) If it was that easy to do, why hasn't it happened again?
because that particular attack only works if you are willing to get caught.
since eugene did this as a publicity stunt (which, i understand, has now
begun to backfire on him since his victims didn't interpret it that way),
he _needed_ to be caught.
> 3a) What measures were taken (other than discussion of DNSSEC, or lack of
> it) to 'cure' affected servers?
upgrade to bind-4.9.6 or bind-8.1.1.
> 4) How can I check for cache corruption?
"dig @0 www.netsol.com a" and "dig @cache00.ns.uu.net www.netsol.com a" and
check for differences.
> Apologies if any of the above sound moronic or ill-informed; extracting
> facts from reams of "what is a backhoe" mail list is a painfully slow task.
> Time for some filters I think...
no apologia needed. public explanations of this attack have been poor, even
and especially by me. i'm grateful for the opportunity to improve on that.
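The cache-corruption check in the answer to question 4 is a manual diff of two dig runs. The following script automates that comparison and is an added example, not part of the original post: it parses the ANSWER SECTION of dig's output for each resolver, then reports every resolver whose records differ from a reference resolver's. The `query` helper shells out to `dig` and needs network access; the embedded sample outputs and the addresses in them (RFC 5737 documentation ranges) are constructed for illustration and are not real records for www.netsol.com.

```python
import re
import subprocess
from collections import defaultdict

# One resource-record line as dig prints it in the ANSWER SECTION:
#   "www.netsol.com.   3600   IN   A   192.0.2.10"
_RR_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>\S+)\s*$"
)


def parse_answer_section(dig_output):
    """Return {(owner, rrtype): set(rdata)} built from dig's ANSWER SECTION."""
    records = defaultdict(set)
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer and (line.startswith(";;") or not line.strip()):
            break  # a blank line or the next ";;" section ends the answers
        if in_answer:
            m = _RR_LINE.match(line)
            if m:
                key = (m.group("name").lower(), m.group("type"))
                records[key].add(m.group("rdata"))
    return dict(records)


def query(resolver, name, rrtype="A"):
    """Run dig against one resolver and parse the answer (network required)."""
    proc = subprocess.run(
        ["dig", "@" + resolver, name, rrtype],
        capture_output=True, text=True, check=False,
    )
    return parse_answer_section(proc.stdout)


def compare_answers(answers_by_resolver, reference):
    """Return {resolver: {key: (reference_rdata, observed_rdata)}} for every
    resolver whose parsed answer differs from the reference resolver's."""
    ref = answers_by_resolver[reference]
    diffs = {}
    for resolver, observed in answers_by_resolver.items():
        if resolver == reference:
            continue
        delta = {}
        for key in set(ref) | set(observed):
            expected, got = ref.get(key, set()), observed.get(key, set())
            if expected != got:
                delta[key] = (expected, got)
        if delta:
            diffs[resolver] = delta
    return diffs


# Constructed sample output for the local cache ("@0") showing a divergent answer.
LOCAL_CACHE_SAMPLE = """\
; <<>> DiG <<>> @0 www.netsol.com a
;; QUESTION SECTION:
;www.netsol.com.\t\t\tIN\tA

;; ANSWER SECTION:
www.netsol.com.\t3600\tIN\tA\t203.0.113.7

;; AUTHORITY SECTION:
netsol.com.\t3600\tIN\tNS\tns.example.
"""

# Constructed sample output for the reference resolver.
REFERENCE_SAMPLE = """\
; <<>> DiG <<>> @cache00.ns.uu.net www.netsol.com a
;; ANSWER SECTION:
www.netsol.com.\t3600\tIN\tA\t192.0.2.10

;; AUTHORITY SECTION:
netsol.com.\t3600\tIN\tNS\tns.example.
"""


def check_constructed_samples():
    """Diff the two constructed samples; the local cache should be flagged."""
    answers = {
        "0": parse_answer_section(LOCAL_CACHE_SAMPLE),
        "cache00.ns.uu.net": parse_answer_section(REFERENCE_SAMPLE),
    }
    return compare_answers(answers, reference="cache00.ns.uu.net")


if __name__ == "__main__":
    for resolver, delta in check_constructed_samples().items():
        for (owner, rrtype), (expected, got) in delta.items():
            print(f"{resolver}: {owner} {rrtype} expected {sorted(expected)} got {sorted(got)}")
    # Live use (needs network), e.g.:
    # live = {r: query(r, "www.netsol.com") for r in ("0", "cache00.ns.uu.net")}
    # print(compare_answers(live, reference="cache00.ns.uu.net"))
```

A mismatch only tells you the two caches disagree; which one is wrong has to be settled against the zone's authoritative servers, and a TTL-bounded disagreement can also be an ordinary zone change caught mid-propagation.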