funsec mailing list archives

Re: Leaks in Patch for Web Security Hole


From: Paul Vixie <vixie () isc org>
Date: Mon, 11 Aug 2008 03:17:27 +0000

Well then we're completely screwed because nothing is going to get
DNSSEC implemented quickly, and the 10 hour number is going to get
shorter with improvements in hardware and increased parallelism.

this ain't like that.  rate limiting is a simple fix, if your RDNS happens
to have a GigE path all the way back to the attacker population, you can put
in a software firewall rule limiting ingress to 10Mbit per source IP and this
attack recedes.  note that most RDNS' are connected by a lot less than GigE
on their full path toward possible attackers, so this is largely theoretical.

so while Polyakov's attack is another reason to invest in DNSSEC for the long
term, it is NOT a reason to panic again in the immediate/short/medium term.
-- 
Paul Vixie
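The per-source ingress cap Vixie describes can be modelled as one token bucket per source address, refilled at the capped rate in bytes. The following is an added illustration, not code from the post or from any firewall: a small limiter run over a constructed packet stream (one host flooding 512-byte packets every 10 µs, one normal authoritative server answering every 10 ms). The cap (10 Mbit/s, from the message), the burst size (12,800 bytes), the packet sizes and timings, and the IP addresses are all assumptions chosen for the example. A real deployment would use the firewall's own per-source rate-limit facility (iptables `hashlimit` or an nftables meter keyed on the source address) rather than a userland filter.

```python
# Added example (not code from the post): a per-source-IP token-bucket
# ingress limiter, modelling the "10 Mbit per source IP" firewall rule
# Vixie describes. All traffic below is constructed; rates, sizes and
# addresses are assumptions chosen for illustration.
from collections import defaultdict

MBIT = 1_000_000          # bits per second per "Mbit"
US_PER_S = 1_000_000      # timestamps are in microseconds


class PerSourceLimiter:
    """One token bucket per source IP; tokens are bytes."""

    def __init__(self, cap_bps, burst_bytes):
        self.rate = cap_bps / 8 / US_PER_S    # bytes refilled per microsecond
        self.burst = burst_bytes
        self.tokens = defaultdict(lambda: float(burst_bytes))
        self.last_seen = {}

    def allow(self, src, size, now_us):
        tokens = self.tokens[src]
        if src in self.last_seen:
            # Refill proportionally to elapsed time, never above the burst size.
            tokens = min(self.burst,
                         tokens + (now_us - self.last_seen[src]) * self.rate)
        self.last_seen[src] = now_us
        if tokens >= size:
            self.tokens[src] = tokens - size
            return True
        self.tokens[src] = tokens        # keep the refill, drop the packet
        return False


def filter_stream(packets, cap_bps=10 * MBIT, burst_bytes=12_800):
    """packets: iterable of (time_us, src_ip, size_bytes).
    Returns ({src: accepted_count}, {src: dropped_count})."""
    limiter = PerSourceLimiter(cap_bps, burst_bytes)
    accepted, dropped = defaultdict(int), defaultdict(int)
    for now_us, src, size in sorted(packets, key=lambda p: p[0]):
        if limiter.allow(src, size, now_us):
            accepted[src] += 1
        else:
            dropped[src] += 1
    return dict(accepted), dict(dropped)


def slowdown_factor(path_bps, cap_bps):
    """How much longer a single source needs to deliver the same number of
    packets once capped, relative to its uncapped path (GigE vs 10 Mbit -> 100)."""
    return path_bps / cap_bps


def constructed_traffic():
    """Constructed sample (assumed values): one host flooding 512-byte packets
    every 10 us (~410 Mbit/s) for 0.1 s, beside a normal authoritative server
    answering with 100-byte packets every 10 ms. Addresses are documentation
    ranges, not real hosts."""
    flood = [(i * 10, "198.51.100.7", 512) for i in range(10_000)]
    normal = [(j * 10_000, "203.0.113.53", 100) for j in range(10)]
    return flood + normal


if __name__ == "__main__":
    acc, drp = filter_stream(constructed_traffic())
    print("accepted per source:", acc)
    print("dropped per source:", drp)
    print("slowdown of a GigE-connected source under a 10 Mbit cap:",
          slowdown_factor(1000 * MBIT, 10 * MBIT))
```

With these assumed values the flooding source gets 269 of its 10,000 packets through (the initial burst plus 1.25 bytes per microsecond thereafter), while the normal server's ten replies all pass untouched; the point is that the cap is per source, so well-behaved peers are not penalised by one misbehaving one.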
