Re: how to protect name servers against cache corruption

[Deepak Jain <deepak () jain com>]

Wouldn't a behavior like this be able to be used to bring name servers 
down by simply killing CPU time? 

-Deepak.

On 30 Jul 1997 tqbf () smtp enteract com wrote:

> In article <19970730001246.22933 () netmonger net>, you wrote:
> > _details_.  Paul has written papers on DNS security, along with BIND
> > itself, and I'm inclined to believe him when he says there are no more
> > trivial fixes.  If you know of one, why don't you share it?  I'm not
>
> Fair enough.
>
> Here's a simple piece of input. If BIND 8.1.1 receives a DNS query
> response with an invalid query ID, it logs it and drops the packet.
> However, the invalid query ID is evidence of an attack in progress. Why
> doesn't BIND parse the packet, find out what question is being answered,
> and immediately re-issue the query with a different ID?
>
> In other words, it's possible for BIND to detect that it is under attack
> (in a response-forged query-ID guessing situation). BIND doesn't do
> anything about this. Why?
>
> Just the simplest suggestion I can come up with (without having this go
> into multiple pages) to convey the idea that I am trying to be
> constructive here. 
>
> I'm not sure this is the appropriate forum for this discussion 
> (*copout*Ididn'tstartthisthread*copout*), but if you want further details
> as to my harebrained suggestions, I'm happy to give them!
>
> -- 
> ----------------
> Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf () enteract com]
> ----------------
> exit(main(kfp->kargc, argv, environ));