Bugtraq mailing list archives

Re: SNI-12: BIND Vulnerabilities and Solutions


From: deraadt () CVS OPENBSD ORG (Theo de Raadt)
Date: Wed, 23 Apr 1997 00:09:51 -0600


> It attempts to make the query ID unpredictable, but fails -- the "random"
> numbers it generates are still predictable (after a trivial 2^16 offline
> trials).

Did you include all the details included in res_random.c such as the
code which causes the entire system to be reset with whole new seeds
after a fixed period of time (300 seconds is it)?  You can predict a
sequence and feed it the next few numbers before the generator reseeds
itself?

Hmm.  I'll let Niels comment further ;-)

> And the seeding is terrible -- two years ago Netscape used
> timeofday and pid to seed their PRNG, too, and look what happened to them.

Hey, I make no apologies for operating systems that ship without a
source of strong(ish) random numbers in their libc!

If res_random.c is compiled on a machine that #defines __OpenBSD__ the
source patch does not supply a fake arc4random() routine; instead the
OpenBSD version of the routine is used which uses an RC4 generator
seeded from a source of stronger random data supplied by the kernel.

(OpenBSD also uses this random in a number of other ... interesting
places ;-)

I supplied the arc4random() routine and well, it sucks; I was writing
it as quick as I could.  I think it's clear that anyone who wanted to
use the code should replace that part with something a bit better.
I'd invite anyone else who comes up with something better to make it
available.  Remember it goes into libc of every program that calls
gethostby*....

I don't think there is a "solution" to the problem.  We're talking
bandaids.  I've never felt the raw power of a T3, but I suppose they'd
be able to bombard fast enough to still get in via brute force.  I
hope what we worked on makes it hard, perhaps someone else can make it
better.
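
Added example, not part of the original message and not code from the res_random.c patch: a toy model of the seeding concern raised in the thread, counting how many time-and-pid seeds stay consistent with observed query IDs, next to an ID drawn from the kernel's random device. The LCG, the seed mix, the function names and the sample time/pid values are all assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy 32-bit LCG (constructed; NOT res_random.c). Yields 16-bit query IDs. */
uint16_t next_id(uint32_t *state)
{
    *state = *state * 1103515245u + 12345u;
    return (uint16_t)(*state >> 16);
}

/* Assumed weak seeding: wall-clock seconds mixed with a 16-bit pid. */
uint32_t weak_seed(uint32_t sec, uint32_t pid) { return sec ^ (pid << 16); }

/* Audit helper: count (second, pid) seeds within +/-window seconds of
 * `guess` whose first n IDs equal obs[]; the last match goes to *found. */
unsigned consistent_seeds(const uint16_t *obs, int n, uint32_t guess,
                          uint32_t window, uint32_t *found)
{
    unsigned hits = 0;
    for (uint32_t sec = guess - window; sec <= guess + window; sec++)
        for (uint32_t pid = 0; pid < 65536u; pid++) {
            uint32_t s0 = weak_seed(sec, pid), s = s0;
            int i = 0;
            while (i < n && next_id(&s) == obs[i]) i++;
            if (i == n) { hits++; *found = s0; }
        }
    return hits;
}

/* Alternative: one ID per call from the kernel's random device; 0 on success. */
int kernel_id(uint16_t *id)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(id, sizeof *id, 1, f);
    fclose(f);
    return got == 1 ? 0 : -1;
}

int main(void)
{
    uint32_t s = weak_seed(861775791u, 1234u), found = 0; /* constructed values */
    uint16_t obs[3], id;
    for (int i = 0; i < 3; i++) obs[i] = next_id(&s);
    printf("seeds consistent with 1 ID: %u, with 3 IDs: %u\n",
           consistent_seeds(obs, 1, 861775792u, 2, &found),
           consistent_seeds(obs, 3, 861775792u, 2, &found));
    if (kernel_id(&id) == 0) printf("kernel-sourced ID: %u\n", (unsigned)id);
    return 0;
}
```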


