Re: After 6 months - fix available for Microsoft DNS cache poisoning attack

[Amit Klein <aksecurity () gmail com>]

rick.a.cook () gmail com wrote:
> After implementing this patch on a large scale network, it was discovered that this patch caused a dns memory leak. Microsoft has since corrected this issue with a private fix. 

Amusing. They pulled the fix from being released in October at the last 
minute, quoting memory leaks. I guess they didn't fully address it after 
all...

> Even worse, in my large enterprise, this patch caused the exact spoofing that it intended to prevent. Somehow the code to 
> increase the entropy has caused random xid's to cross and spoof randomly, poisioning the cache through normal usage without 
> the use of extracurricular programs. I've reported this to Microsoft and have been working with them in fixing this issue, 
> which to date has not been fixed.
>   

Sounds like they just draw a random number each time, regardless of the 
history (i.e. of previously drawn numbers), which can cause collisions 
(I think that's the phenomenon you describe). BIND 9 has a mechanism 
that ensures that collisions are discarded. OpenBSD retains history of 
the last 32K (IIRC) numbers used, and does not re-use those numbers. 
PowerDNS randomizes UDP source ports, so it considerably reduces 
collision likelihood. I guess MS didn't implement any such mechanism (I 
don't know for sure because I never reviewed their solution - I didn't 
get a preview version from MS).

Thanks,
-Amit