nanog mailing list archives
Re: how to protect name servers against cache corruption
From: "Thomas H. Ptacek" <tqbf () enteract com>
Date: Wed, 30 Jul 1997 18:38:31 -0500 (CDT)
Wouldn't a behavior like this be able to be used to bring name servers down by simply killing CPU time?
Yes, and it's easier than killing CPU time; there's a targetted attack wherein I can pick a resource record and continuously throw forged responses for it, with bad query IDs, at a nameserver - that server is now unable to resolve requests for that record. And, of course, this ties in nicely with other unfixed servers, since, right now, any problem that allows me to prevent a BIND server from responding to queries will allow me to spoof anything it's authoritative for. Attack detection is a tool, not an answer. I'm curious as to why it hasn't been discussed further; it's certainly not MY idea, and it's certainly been talked about on other forums. There are other tools available as well. I suppose the point (right now) is that there are things that can be done to strengthen the current DNS protocol (as well as it's implementations) that won't break naieve servers and will make attacks far harder, even in the absence of DNSSEC. What do you think the timeline is on global deployment of DNSSEC? It's surprising to me that people aren't more concerned, in light of the fact that you've just been told flat out, by myself as well as by Mr. Vixie, that there are exploitable problems that can't be entirely fixed until the entire protocol is modified. I suppose the operations context to this is, "hey, you realize DNS is COMPLETELY BROKEN? What are your plans for dealing with the possibility of someone posting exploits?" Do we simply stop using DNS? ---------------- Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf () enteract com] ---------------- "If you're so special, why aren't you dead?"
Current thread:
- Re: how to protect name servers against cache corruption, (continued)
- Re: how to protect name servers against cache corruption Perry E. Metzger (Jul 29)
- Re: how to protect name servers against cache corruption Thomas H. Ptacek (Jul 29)
- Re: how to protect name servers against cache corruption Perry E. Metzger (Jul 29)
- Re: how to protect name servers against cache corruption Thomas H. Ptacek (Jul 29)
- Re: how to protect name servers against cache corruption Christopher Masto (Jul 29)
- Re: how to protect name servers against cache corruption tqbf (Jul 29)
- Re: how to protect name servers against cache corruption Jay R. Ashworth (Jul 30)
- Re: how to protect name servers against cache corruption Perry E. Metzger (Jul 30)
- Re: how to protect name servers against cache corruption tqbf (Jul 30)
- Re: how to protect name servers against cache corruption Deepak Jain (Jul 30)
- Re: how to protect name servers against cache corruption Thomas H. Ptacek (Jul 30)
- Message not available
- Re: how to protect name servers against cache corruption Jay R. Ashworth (Jul 30)
- Re: how to protect name servers against cache corruption Ben Black (Jul 29)
- Re: how to protect name servers against cache corruption Perry E. Metzger (Jul 29)
- Re: how to protect name servers against cache corruption Ben Black (Jul 29)
- off-topic (Re: how to protect name servers against cache corruption ) Paul A Vixie (Jul 29)
- Re: off-topic (Re: how to protect name servers against cache corruption ) Larry Vaden (Jul 29)
- Re: off-topic (Re: how to protect name servers against cache corruption ) Ben Black (Jul 30)
- Re: how to protect name servers against cache corruption Lon R. Stockton, Jr. (Jul 29)
- Re: how to protect name servers against cache corruption Ben Black (Jul 29)
- Re: how to protect name servers against cache corruption tqbf (Jul 29)