Re: how to protect name servers against cache corruption
someone asked me a question in private e-mail that deserves a public answer.
> 1) How exactly did Eugene Kashpureff propagate this "RR poisoning" across the Internet? From NANOG's previous mailings I can deduce that it was along the lines of dig @victim -t ns www.alternic.net. Where www.alternic.net had duff A records.
yes.
> 2) What were/are the symptoms of this attack? www.internic.net resolving to www.alternic.net?
yes.
> 3) If it was that easy to do, why hasn't it happened again?
because that particular attack only works if you are willing to get caught. since eugene did this as a publicity stunt (which, i understand, has now begun to backfire on him since his victims didn't interpret it that way), he _needed_ to be caught.
> 3a) What measures were taken (other than discussion of DNSSEC, or lack of it) to 'cure' affected servers?
upgrade to bind-4.9.6 or bind-8.1.1.
> 4) How can I check for cache corruption?
"dig @0 www.netsol.com a" and "dig @cache00.ns.uu.net www.netsol.com a" and check for differences.
> Apologies if any of the above sound moronic or ill-informed; extracting facts from reams of "what is a backhoe" mail list is a painfully slow task. Time for some filters I think...
no apologia needed. public explanations of this attack have been poor, even and especially by me. i'm grateful for the opportunity to improve on that.
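The check in answer 4 (compare what the local cache returns with what an independent resolver returns) as an added example, not code from the thread: it parses dig's ANSWER SECTION from both servers and reports records that only one of them holds. It assumes a modern dig output layout, a local resolver reachable at 127.0.0.1, and uses constructed sample output so the comparison logic runs offline; the live check at the end needs dig and network access.

```python
import re
import subprocess

# Constructed sample dig output (not captured from real servers): the local
# cache hands out a different address than the reference resolver does.
LOCAL_DIG_OUTPUT = """\
;; ANSWER SECTION:
www.netsol.com.    3600  IN  A  192.0.2.10
"""
REFERENCE_DIG_OUTPUT = """\
;; ANSWER SECTION:
www.netsol.com.    3600  IN  A  198.51.100.7
"""

# owner TTL IN type rdata
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\w+)\s+(.+?)\s*$")

def answer_records(dig_output):
    """Return the set of (owner, type, rdata) from dig's ANSWER SECTION.
    TTL and record order are ignored so round-robin answers and TTL
    countdown do not look like corruption."""
    records = set()
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;") or not line.strip():
            in_answer = False      # another section header or end of section
            continue
        if in_answer:
            m = RR_LINE.match(line)
            if m:
                records.add((m.group(1).lower(), m.group(3), m.group(4)))
    return records

def compare_caches(local_output, reference_output):
    """Return (only_in_local, only_in_reference); two empty sets mean agreement."""
    local, ref = answer_records(local_output), answer_records(reference_output)
    return local - ref, ref - local

def dig(server, name, rrtype="a"):
    """Run dig against one server and return its raw output (needs dig and network)."""
    return subprocess.run(["dig", "@" + server, name, rrtype],
                          capture_output=True, text=True, check=True).stdout

def check_name(name, local="127.0.0.1", reference="cache00.ns.uu.net"):
    """Live form of the check: local cache versus an independent resolver."""
    return compare_caches(dig(local, name), dig(reference, name))

if __name__ == "__main__":
    only_local, only_ref = compare_caches(LOCAL_DIG_OUTPUT, REFERENCE_DIG_OUTPUT)
    print("MISMATCH" if only_local or only_ref else "caches agree", only_local, only_ref)
```

A difference is a reason to look, not proof of poisoning: two honest caches can legitimately disagree while a zone change propagates, so repeat the check after the old TTL expires before clearing the cache.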
To respond to your upgrade to bind-4.9.6 or 8.1.1, I would go with 4.9.6 because I know of many bugs left in 8.1.1 that can harm a Name Server. When I get more information on this, I will release it to the list. One of the many bugs in it involves CNAME. I will talk to the person who released this information to me and get back to the list.
> 3a) What measures were taken (other than discussion of DNSSEC, or lack of it) to 'cure' affected servers?
>
> upgrade to bind-4.9.6 or bind-8.1.1.
--
Steven Nash                            ph: (516)248-8400 ext 25
Systems Engineer / Network Security    fax: (516)248-8897
Lightning Internet Services LLC        email: snash@lightning.net
http://www.lightning.net
On Wed, Jul 30, 1997 at 11:09:24AM -0700, Paul A Vixie wrote:
> > 3) If it was that easy to do, why hasn't it happened again?
>
> because that particular attack only works if you are willing to get caught.
Nicely put. Although accidents do happen, like the genieweb.com answering for ".com" debacle a couple weeks back.
> > 4) How can I check for cache corruption?
>
> "dig @0 www.netsol.com a" and "dig @cache00.ns.uu.net www.netsol.com a" and check for differences.
Paul: I assume dig @0 is an idiom for localhost? (Apologies for being less than familiar with dig, it's not on this machine, and I'm not the admin.)
> > Apologies if any of the above sound moronic or ill-informed; extracting facts from reams of "what is a backhoe" mail list is a painfully slow task. Time for some filters I think...
>
> no apologia needed. public explanations of this attack have been poor, even and especially by me. i'm grateful for the opportunity to improve on that.
I hadn't thought that the explanations were all _that_ weak... and I'm on 7 lists, and the backhoe traffic didn't bother _me_ that much. Perhaps time for a new mail program, or a faster link?

Cheers,
-- jr '30 newsgroups, too' a
--
Jay R. Ashworth                                        jra@baylink.com
Member of the Technical Staff          Unsolicited Commercial Emailers Sued
The Suncoast Freenet       "People propose, science studies, technology
Tampa Bay, Florida          conforms."  -- Dr. Don Norman
+1 813 790 7592