Bugtraq mailing list archives

Re: tcpd -DPARANOID doesn't work, and never did

From: djb () CR YP TO (D. J. Bernstein)
Date: Tue, 10 Nov 1998 01:07:14 -0000


The subject line is correct exactly as stated. -DPARANOID does not
improve your computer's security. It has never improved anybody's
computer security.

System administrators who thought that they were protecting themselves
with -DPARANOID were actually deceiving themselves. As I said before,
all of those systems were vulnerable until the vendors fixed the
hostname lookups in rshd and rlogind.

Wietse Venema writes:

First of all, whether or not the attack fails depends on the BIND
version being used; for example, the once widely-used BIND 4.8
forces the TTL to be at least five minutes, stopping the attack.


No, it does not stop the attack. Let's go back to the videotape:

   0:00 Attacker connects to tcpd/rshd. ``Heh, heh, heh.''
   0:01 Local DNS server asks for PTR result.
   0:02 Attacker sends back untrusted.badguy.com, 5-minute TTL.
   0:03 Local DNS server asks for A records.
   0:10 Attacker pours a cup of coffee, laughs at the tcpd code.
   4:55 Attacker connects to tcpd/rshd again.
   4:56 Local DNS server asks for A records.
   5:04 Attacker sends back his IP address. ``That's me!''
   5:05 Local DNS server asks for PTR result. ``I love caches.''
   5:06 Attacker sends back trusted.toast.edu.
   5:07 rshd accepts connection. ``Elementary, my dear Wietse.''

Exercise for the reader: Find two faster solutions.

Secondly, it depends on what native naming service the system uses.
Naming services such as NIS have their own cacheing mechanisms,
stopping the attack.


No, they do not stop the attack. You're making a fool of yourself.

You can immunize BIND against this and other short TTL attacks by
patching the source or the executable file so that min_cache_ttl
is, for example, 300 seconds. That is sufficient to stop the attack.


No, that does not stop the attack. See above.

Lastly, I'm responsible only for bugs in my own code.


You told system administrators, wrongly, that you were protecting them.
You're responsible for that false claim. How many people relaxed after
installing tcpd -DPARANOID, instead of pestering their vendors for a
real fix?

You've done enough damage. Admit your mistake and turn off -DPARANOID.

---Dan
1000 recipients, 28.8 modem, 10 seconds. http://pobox.com/~djb/qmail/mini.html

Current thread:

Re: tcpd -DPARANOID doesn't work, and never did Wietse Venema (Nov 09)
- <Possible follow-ups>
- Re: tcpd -DPARANOID doesn't work, and never did Dave Barr (Nov 09)
- Re: tcpd -DPARANOID doesn't work, and never did D. J. Bernstein (Nov 09)
  - Re: Several new CGI vulnerabilities Randal Schwartz (Nov 09)
  - Re: tcpd -DPARANOID doesn't work, and never did Wietse Venema (Nov 09)
  - Re: tcpd -DPARANOID doesn't work, and never did Darren Reed (Nov 10)
  - Re: tcpd -DPARANOID doesn't work, and never did Greg A. Woods (Nov 10)
- Re: tcpd -DPARANOID doesn't work, and never did Jim Dennis (Nov 09)
- Re: tcpd -DPARANOID doesn't work, and never did D. J. Bernstein (Nov 10)
  - Re: tcpd -DPARANOID doesn't work, and never did Wietse Venema (Nov 11)