[11474] in North American Network Operators' Group


Re: how to protect name servers against cache corruption

daemon@ATHENA.MIT.EDU (Deepak Jain)
Wed Jul 30 16:25:22 1997

Date: Wed, 30 Jul 1997 16:02:04 -0400 (EDT)
From: Deepak Jain <deepak@jain.com>
To: tqbf@enteract.com
cc: chris@netmonger.net, nanog@merit.edu
In-Reply-To: <19970730043859.20924.qmail@smtp.enteract.com>


Wouldn't a behavior like this be able to be used to bring name servers
down by simply killing CPU time?

-Deepak.

On 30 Jul 1997 tqbf@smtp.enteract.com wrote:

> In article <19970730001246.22933@netmonger.net>, you wrote:
> >_details_.  Paul has written papers on DNS security, along with BIND
> >itself, and I'm inclined to believe him when he says there are no more
> >trivial fixes.  If you know of one, why don't you share it?  I'm not
> 
> Fair enough.
> 
> Here's a simple piece of input. If BIND 8.1.1 receives a DNS query
> response with an invalid query ID, it logs it and drops the packet.
> However, the invalid query ID is evidence of an attack in progress. Why
> doesn't BIND parse the packet, find out what question is being answered,
> and immediately re-issue the query with a different ID?
> 
> In other words, it's possible for BIND to detect that it is under attack
> (in a response-forged query-ID guessing situation). BIND doesn't do
> anything about this. Why?
> 
> Just the simplest suggestion I can come up with (without having this go
> into multiple pages) to convey the idea that I am trying to be
> constructive here.
> 
> I'm not sure this is the appropriate forum for this discussion
> (*copout*Ididn'tstartthisthread*copout*), but if you want further details
> as to my harebrained suggestions, I'm happy to give them!
> 
> -- 
> ----------------
> Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
> ----------------
> exit(main(kfp->kargc, argv, environ));
> 
> 

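The behaviour Ptacek proposes (treat a response with a non-matching query ID as evidence of forgery and re-issue the question under a fresh ID), modelled as an added example that is not BIND code and not either poster's own. It goes one step beyond the thread by adding an assumed per-question cap on re-issues, which bounds the CPU and traffic cost Deepak raises; the Resolver class, its method names and the in-memory state are all constructed for illustration.

```python
import secrets
from collections import defaultdict


class Resolver:
    """Constructed model of a resolver that treats a query-ID mismatch as
    evidence of forgery and re-issues the question under a fresh ID.
    State is in-memory only; max_reissues is an assumed cap so that a flood
    of bad responses cannot make the resolver re-query without bound."""

    def __init__(self, max_reissues=3):
        self.pending = {}                   # qid -> question
        self.cache = {}                     # question -> accepted answer
        self.reissues = defaultdict(int)    # question -> re-issues so far
        self.suspected = defaultdict(int)   # question -> mismatched responses
        self.sent = []                      # (qid, question), in send order
        self.max_reissues = max_reissues

    def send_query(self, question):
        """Pick an unpredictable 16-bit ID that is not already outstanding."""
        qid = secrets.randbelow(1 << 16)
        while qid in self.pending:
            qid = secrets.randbelow(1 << 16)
        self.pending[qid] = question
        self.sent.append((qid, question))
        return qid

    def receive_response(self, qid, question, answer):
        """Return 'accept', 'reissue' or 'drop' for one incoming response."""
        if self.pending.get(qid) == question:
            del self.pending[qid]            # genuine answer: cache it
            self.cache[question] = answer
            return "accept"
        # ID does not match any outstanding query for this question, which
        # the thread identifies as the signature of an ID-guessing attempt.
        self.suspected[question] += 1
        outstanding = [q for q, name in self.pending.items() if name == question]
        if outstanding and self.reissues[question] < self.max_reissues:
            self.reissues[question] += 1
            self.send_query(question)        # new ID, chosen while old is pending
            for old in outstanding:          # old IDs are now worthless to a forger
                del self.pending[old]
            return "reissue"
        # Past the cap, or unsolicited: log and drop, as BIND 8.1.1 already does.
        return "drop"
```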