[5052] in bugtraq
Re: BIND Nuking
daemon@ATHENA.MIT.EDU (Thomas H. Ptacek)
Tue Jul 29 22:49:48 1997
Date: Tue, 29 Jul 1997 20:38:04 -0500
Reply-To: tqbf@enteract.com
From: "Thomas H. Ptacek" <tqbf@ENTERACT.COM>
X-To: MoNoLiTH+@CMU.EDU
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Ynq31dC00iWQ08Ml00@andrew.cmu.edu> from "Aveek Datta" at Jul 25,
97 00:49:45 am
> when executed as "bind_nuke bogus.org" on a host, that bogus.org's
> primary NS is configured to accept updates from, will cause named
> to silently die. Nothing in the logs, nothing on the console.
... and of course, we all realize that there is no such thing as a BIND
denial-of-service-only attack. Anything that can cause an arbitrary
nameserver to die, or even not answer queries for a significant amount of
time, allows for trivial brute-force ID-guessing attacks.
Until DNSSEC is fully deployed on the net, or the BIND maintainers
integrate real ID-guessing countermeasures, the stability of the BIND
named service is security-critical.
Just some food for thought.
----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
"If you're so special, why aren't you dead?"
