nanog mailing list archives
Re: how to protect name servers against cache corruption
From: "Perry E. Metzger" <perry () piermont com>
Date: Tue, 29 Jul 1997 22:47:35 -0400
"Thomas H. Ptacek" writes:
>> No, it *is* immune to all variants on *THAT* attack. It isn't immune to other sorts of attacks.

> I think you are speaking in fairly blatant factual error here, or we are in miscommunication with respect to the meaning of the word "variant".
No, my facts here are more or less accurate. Eugene's attack was very crude. He just put some bogus NS records into his alternic.net zone so that queries for www.alternic.net would pick up those bogus servers and their associated A records. His "sophisticated hack" consisted of typing "dig @victim -t a www.alternic.net", or something like it. I did tcpdumps of his "attack" in progress when he hit my machines so I have logs of what he did, not that they are very interesting.

An attack like this, done just by putting bogus data into your DNS boot files in a similar manner, isn't going to work against the latest versions of BIND -- indeed, none of the reasonable "variants" on the attack would work, either.

There *are* attacks that will work against the BIND 8.1.1, but they require that you actually learn how to program in C and do something active, and they won't do for you what one of Eugene's hacks did. I'm sure our friends at 2600 will be publishing them any day, but really, there isn't much to be done about them other than implementing DNSSEC.

Perry
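The attack described in the message above depends on a resolver caching records that ride along in a reply for names outside the zone it asked about. The following is an added example, not part of the thread and not BIND's code: a bailiwick check of the kind resolvers apply before caching, run over a constructed reply. The `RR` type, the function names, and all names and addresses in `SAMPLE` are assumptions made up for illustration.

```python
from typing import NamedTuple

class RR(NamedTuple):
    name: str      # owner name of the record
    rtype: str     # "A", "NS", "CNAME", ...
    rdata: str
    section: str   # "answer", "authority" or "additional"

def norm(name: str) -> str:
    return name.lower().rstrip(".")

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone apex or a subdomain of it (label-aligned)."""
    n, z = norm(name), norm(zone)
    return n == z or n.endswith("." + z)

def filter_response(qname, qtype, zone, records):
    """Split a reply into (cacheable, rejected) records.

    zone is the zone the queried server is authoritative for (assumed to be
    known to the resolver from the delegation it followed).
    """
    cacheable, rejected = [], []
    for rr in records:
        if rr.section == "answer":
            # Answers must be for the name that was asked, of the asked type.
            ok = norm(rr.name) == norm(qname) and rr.rtype in (qtype, "CNAME")
        else:
            # Authority/additional data is only trusted inside the zone.
            ok = in_bailiwick(rr.name, zone)
        (cacheable if ok else rejected).append(rr)
    return cacheable, rejected

# Constructed reply: a zone whose NS record points at a host in someone
# else's domain, with an "associated" A record supplied for that host.
SAMPLE = [
    RR("www.attacker-zone.example", "A", "192.0.2.10", "answer"),
    RR("attacker-zone.example", "NS", "ns.victim.example", "authority"),
    RR("attacker-zone.example", "NS", "ns1.attacker-zone.example", "authority"),
    RR("ns.victim.example", "A", "203.0.113.66", "additional"),
    RR("ns1.attacker-zone.example", "A", "192.0.2.53", "additional"),
]

if __name__ == "__main__":
    keep, drop = filter_response("www.attacker-zone.example", "A",
                                 "attacker-zone.example", SAMPLE)
    for rr in drop:
        print("rejected (out of bailiwick):", rr.name, rr.rtype, rr.rdata)
```

The NS record itself is kept because its owner name is inside the zone; only the address record for the out-of-zone host is refused, so the resolver has to look that host up through its real delegation.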