mailing list archives
Re: BIND Nuking
From: tqbf () ENTERACT COM (Thomas H. Ptacek)
Date: Tue, 29 Jul 1997 20:38:04 -0500
when executed as "bind_nuke bogus.org" on a host, that bogus.org's
primary NS is configured to accept updates from, will cause named
to silently die. Nothing in the logs, nothing on the console.
... and of course, we all realize that there is no such thing as a BIND
denial-of-service-only attack. Anything that can cause an arbitrary
nameserver to die, or even not answer queries for a significant amount of
time, allows for trivial brute-force ID-guessing attacks.
Until DNSSEC is fully deployed on the net, or the BIND maintainers
integrate real ID-guessing countermeasures, the stability of the BIND
named service is security-critical.
Just some food for thought.
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf () enteract com]
"If you're so special, why aren't you dead?"