Re: Multiple DNS implementations vulnerable to cache poisoning

["Steven M. Bellovin" <smb () cs columbia edu>]

On Tue, 8 Jul 2008 13:48:57 -0700
"Buhrmaster, Gary" <gtb () slac stanford edu> wrote:

> Multiple DNS implementations vulnerable to cache poisoning:
>
> http://www.kb.cert.org/vuls/id/800113
>
> (A widely coordinated vendor announcement.  As always,
> check with your vendor(s) for patch status.)
It's worth noting that the basic idea of the attack isn't new.  Paul
Vixie described it in 1995 at the Usenix Security Conference
(http://www.usenix.org/publications/library/proceedings/security95/vixie.html)
-- in a section titled "What We Cannot Fix", he wrote:

        With only 16 bits worth of query ID and 16 bits worth of UDP
        port number, it's hard not to be predictable.  A determined
        attacker can try all the numbers in a very short time and can
        use patterns derived from examination of the freely available
        BIND code. Even if we had a white noise generator to help
        randomize our numbers, it's just too easy to try them all.

The ISC web page on the attack notes "DNSSEC is the only definitive
solution for this issue. Understanding that immediate DNSSEC deployment
is not a realistic expectation..."  I wonder what NANOG folk can do
about the second part of that quote...


                --Steve Bellovin, http://www.cs.columbia.edu/~smb