On Tue, 8 Jul 2008 13:48:57 -0700 "Buhrmaster, Gary" <gtb@slac.stanford.edu> wrote:
Multiple DNS implementations vulnerable to cache poisoning:
http://www.kb.cert.org/vuls/id/800113
(A widely coordinated vendor announcement. As always, check with your vendor(s) for patch status.)
It's worth noting that the basic idea of the attack isn't new. Paul Vixie described it in 1995 at the Usenix Security Conference (http://www.usenix.org/publications/library/proceedings/security95/vixie.html) -- in a section titled "What We Cannot Fix", he wrote: With only 16 bits worth of query ID and 16 bits worth of UDP port number, it's hard not to be predictable. A determined attacker can try all the numbers in a very short time and can use patterns derived from examination of the freely available BIND code. Even if we had a white noise generator to help randomize our numbers, it's just too easy to try them all. The ISC web page on the attack notes "DNSSEC is the only definitive solution for this issue. Understanding that immediate DNSSEC deployment is not a realistic expectation..." I wonder what NANOG folk can do about the second part of that quote... --Steve Bellovin, http://www.cs.columbia.edu/~smb