nanog mailing list archives
Re: how to protect name servers against cache corruption
From: "Thomas H. Ptacek" <tqbf () enteract com>
Date: Thu, 31 Jul 1997 00:20:26 -0500 (CDT)
What, exactly, does Bind 8.1 do?
BIND 8.1.1 does not appear to have an easy mechanism to match a query ID to the question-section details of an open query. Currently, BIND increments a counter, prints a debugging log line, and drops the packet; it does not invalidate the open query.
Netcom's nameservers. They will no longer be able to resolve NETSOL.COM, since every query they open up will be immediately invalidated by a fake response.
Well, one could make observations about comparisons of IP source addresses here...
All of the attacks being discussed assume the attacker has the ability to inject completely forged packets onto the network. All of my suggestions are given under the assumption that this is a situation that we do not have a reasonable expectation of being able to prevent in IPv4.
I don't see that the problem you describe affects the people _answering_. You'd have to nail _every_ _inquirer_. Ok, yes, hitting
This is true. However, remember that this thread occurred in response to an attack by Eugene Kashpureff, who used a far more primitive attack and made national news by effectively disabling NSI's home page. I don't think the operation community wants to think about the implications of someone with both malice and BRAINS trying to utilize the same security problems. ---------------- Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf () enteract com] ---------------- "If you're so special, why aren't you dead?"
Current thread:
- Re: how to protect name servers against cache corruption, (continued)
- Re: how to protect name servers against cache corruption Thomas H. Ptacek (Jul 29)
- Re: how to protect name servers against cache corruption Paul A Vixie (Jul 29)
- Re: how to protect name servers against cache corruption Jay R. Ashworth (Jul 30)
- Re: how to protect name servers against cache corruption Randy Bush (Jul 29)
- Re: how to protect name servers against cache corruption Francois Beauregard (Jul 29)
- RE: how to protect name servers against cache corruption Dan Dale (Jul 30)
- Re: how to protect name servers against cache corruption James R. Cutler (Jul 30)
- Re: how to protect name servers against cache corruption Paul A Vixie (Jul 30)
- Re: how to protect name servers against cache corruption Systems Engineer (Jul 30)
- Message not available
- Re: how to protect name servers against cache corruption Jay R. Ashworth (Jul 30)
- Re: how to protect name servers against cache corruption Michael Dillon (Jul 30)
- Re: how to protect name servers against cache corruption Alexander O. Yuriev (Jul 31)