[11508] in North American Network Operators' Group


Re: how to protect name servers against cache corruption

daemon@ATHENA.MIT.EDU (Thomas H. Ptacek)
Thu Jul 31 01:44:29 1997

From: "Thomas H. Ptacek"  <tqbf@enteract.com>
To: jra@scfn.thpl.lib.fl.us (Jay R. Ashworth)
Date: Thu, 31 Jul 1997 00:20:26 -0500 (CDT)
Cc: tqbf@enteract.com, vixie@vix.com, nanog@merit.edu
Reply-To: tqbf@enteract.com
In-Reply-To: <19970730233557.03170@scfn.thpl.lib.fl.us> from "Jay R. Ashworth" at Jul 30, 97 11:35:57 pm

> What, exactly, does Bind 8.1 do?

BIND 8.1.1 does not appear to have an easy mechanism to match a query ID
to the question-section details of an open query. Currently, BIND
increments a counter, prints a debugging log line, and drops the packet;
it does not invalidate the open query.

> > Netcom's nameservers. They will no longer be able to resolve NETSOL.COM,
> > since every query they open up will be immediately invalidated by a fake
> > response.

> Well, one could make observations about comparisons of IP source
> addresses here...

All of the attacks being discussed assume the attacker has the ability to
inject completely forged packets onto the network. All of my suggestions
are given under the assumption that this is a situation that we do not
have a reasonable expectation of being able to prevent in IPv4. 

> I don't see that the problem you describe affects the people
> _answering_.  You'd have to nail _every_ _inquirer_.  Ok, yes, hitting

This is true. However, remember that this thread occurred in response to
an attack by Eugene Kashpureff, who used a far more primitive attack and
made national news by effectively disabling NSI's home page. I don't think
the operation community wants to think about the implications of someone
with both malice and BRAINS trying to utilize the same security problems.

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
"If you're so special, why aren't you dead?"
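
Added example, not part of the original message and not BIND's code: a sketch of matching a response's ID, question section and source address against an open query, with the count-and-drop behaviour described above next to the invalidate-on-mismatch policy debated in the thread. The `PendingQueries` class, its method names, and the sample names and addresses are constructed for illustration; the source address check is still forgeable, as the message notes.

```python
import struct

def build_msg(qid, qname, response=False, qtype=1, qclass=1):
    """Constructed sample input: a DNS message holding one question."""
    flags = 0x8000 if response else 0x0100  # QR for responses, RD for queries
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return struct.pack("!6H", qid, flags, 1, 0, 0, 0) + name + b"\x00" + struct.pack("!HH", qtype, qclass)

def parse_question(msg):
    """Return (id, is_response, qname, qtype, qclass); ValueError if malformed."""
    if len(msg) < 12:
        raise ValueError("short header")
    qid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while pos < len(msg) and msg[pos] != 0:
        n = msg[pos]
        if n > 63 or pos + 1 + n > len(msg):  # also rejects compression pointers
            raise ValueError("bad label")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace").lower())
        pos += 1 + n
    if pos + 5 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return qid, bool(flags & 0x8000), ".".join(labels), qtype, qclass

class PendingQueries:
    """Open queries keyed by ID (hypothetical structure, not BIND's)."""
    def __init__(self):
        self.open = {}       # id -> (server, qname, qtype, qclass)
        self.mismatches = 0  # the "increment a counter" step

    def sent(self, server, query):
        qid, _, *question = parse_question(query)
        self.open[qid] = (server, *question)

    def received(self, src, msg, invalidate_on_mismatch=False):
        try:
            qid, is_response, *question = parse_question(msg)
        except ValueError:
            qid, is_response, question = None, False, []
        if is_response and self.open.get(qid) == (src, *question):
            del self.open[qid]
            return "accept"
        self.mismatches += 1
        if invalidate_on_mismatch and self.open.pop(qid, None) is not None:
            return "invalidated"  # a forged reply can now kill any open query
        return "drop"             # query stays open for the genuine reply
```
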

