RE: Multiple DNS implementations vulnerable to cache poisoning

["Eric Davis" <eric () mail rockefeller edu>]

Anyone using Infoblox DNSOne?  They claimed to have fixed their BIND version
but I still see issues with source ports staying the same.

Eric Davis
Sr. Network Technician
Rockefeller University IT Dept.
212-327-7508
646-772-4667(cell)

-----Original Message-----
From: Patrick W. Gilmore [mailto:patrick () ianai net] 
Sent: Wednesday, July 09, 2008 4:15 PM
To: nanog () merit edu
Subject: Re: Multiple DNS implementations vulnerable to cache poisoning

On Jul 9, 2008, at 4:07 PM, Fernando Gont wrote:
> At 12:41 p.m. 09/07/2008, Steven M. Bellovin wrote:
>
> > It's worth noting that the basic idea of the attack isn't new.  Paul
> > Vixie described it in 1995 at the Usenix Security Conference
(http://www.usenix.org/publications/library/proceedings/security95/vixie.htm
l 
> > )
> > -- in a section titled "What We Cannot Fix", he wrote:
> >
> >        With only 16 bits worth of query ID and 16 bits worth of UDP
> >        port number, it's hard not to be predictable.  A determined
> >        attacker can try all the numbers in a very short time and can
> >        use patterns derived from examination of the freely available
> >        BIND code. Even if we had a white noise generator to help
> >        randomize our numbers, it's just too easy to try them all.
>
> We have one IETF ID on port randomization for years:
http://www.gont.com.ar/drafts/port-randomization/index.html
> While this does not make the attack impossible, it does make it much  
> harder.
>
> The same thing applies to those RST attacks circa 2004.
>
> Most of these blind attacks assume the source port numbers are easy  
> to guess. But... why should they?

Because many name servers use one port, or easily guessable sequence  
of ports?

-- 
TTFN,
patrick