Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: NT DNS hacked ... ?
From: Don.Lewis () TSC TDK COM (Don Lewis)
Date: Fri, 13 Nov 1998 16:25:38 -0800


On Nov 13,  6:24pm, bobk wrote:
} Subject: Re: NT DNS hacked ... ?

} "cache corruption through sequence ID prediction" is a more complex
} attack. Both Microsoft and BIND are vulnerable to this. Luckily, there
} aren't many crackers attempting to use this, as far as I can tell. There
} is no complete protection for this attack, even though vendors of DNS
} software have known about the vulnerability for years.

Here is a patch for this that I'm using with a version of BIND slightly
older than 8.1.2.  It applies cleanly to 8.1.2 and compiles ...

Index: named.h
===================================================================
RCS file: /proj/named/BIND8/src/bin/named/named.h,v
retrieving revision 1.1.1.2
retrieving revision 1.2
diff -u -r1.1.1.2 -r1.2
--- named.h     1997/12/11 11:26:37     1.1.1.2
+++ named.h     1998/01/21 11:32:42     1.2
@@ -41,6 +41,7 @@
 #define ROUND_ROBIN
 #define SORT_RESPONSE
 #define DNS_SECURITY
+#define RANDOMIZE_ID
 #undef RSAREF
 #undef BSAFE
 #define ALLOW_LONG_TXT_RDATA
Index: ns_config.c
===================================================================
RCS file: /proj/named/BIND8/src/bin/named/ns_config.c,v
retrieving revision 1.1.1.2
retrieving revision 1.4
diff -u -r1.1.1.2 -r1.4
--- ns_config.c 1997/12/11 11:26:39     1.1.1.2
+++ ns_config.c 1998/01/21 11:32:43     1.4
@@ -876,6 +885,9 @@
        case OPTION_MULTIPLE_CNAMES:
        case OPTION_HOSTSTATS:
        case OPTION_DEALLOC_ON_EXIT:
+#ifdef RANDOMIZE_ID
+       case OPTION_USE_ID_POOL:
+#endif /* RANDOMIZE_ID */
                if (value)
                        op->flags |= bool_opt;
                else
Index: ns_defs.h
===================================================================
RCS file: /proj/named/BIND8/src/bin/named/ns_defs.h,v
retrieving revision 1.1.1.2
retrieving revision 1.3
diff -u -r1.1.1.2 -r1.3
--- ns_defs.h   1997/12/11 11:26:41     1.1.1.2
+++ ns_defs.h   1998/01/21 11:32:45     1.3
@@ -144,6 +144,10 @@
                                         * CNAME RRs */
 #define OPTION_HOSTSTATS       0x0080  /* Maintain per-host statistics? */
 #define OPTION_DEALLOC_ON_EXIT 0x0100  /* Deallocate everything on exit? */
+#ifdef RANDOMIZE_ID
+#define        OPTION_USE_ID_POOL      0x0200  /* Use the memory hogging query ID
+                                        * pool */
+#endif /* RANDOMIZE_ID */

 #define        DEFAULT_OPTION_FLAGS    (OPTION_HOSTSTATS)

Index: ns_func.h
===================================================================
RCS file: /proj/named/BIND8/src/bin/named/ns_func.h,v
retrieving revision 1.1.1.2
retrieving revision 1.4
diff -u -r1.1.1.2 -r1.4
--- ns_func.h   1997/12/11 11:26:45     1.1.1.2
+++ ns_func.h   1998/01/21 11:32:48     1.4
@@ -212,6 +212,9 @@
                        writestream(struct qstream *, const u_char *, int),
                        ns_need(int need),
                        opensocket_f(void);
+#ifdef RANDOMIZE_ID
+extern void            nsid_hash(u_char *, size_t);
+#endif /* RANDOMIZE_ID */
 extern u_int16_t       nsid_next(void);
 extern int             sq_openw(struct qstream *, int),
                        sq_writeh(struct qstream *, sq_closure),
Index: ns_lexer.c
===================================================================
RCS file: /proj/named/BIND8/src/bin/named/ns_lexer.c,v
retrieving revision 1.1.1.2
retrieving revision 1.3
diff -u -r1.1.1.2 -r1.3
--- ns_lexer.c  1997/12/11 11:26:52     1.1.1.2
+++ ns_lexer.c  1998/01/21 11:32:49     1.3
@@ -295,6 +298,9 @@
        {"true", T_TRUE},
        {"type", T_TYPE},
        {"unlimited", T_UNLIMITED},
+#ifdef RANDOMIZE_ID
+       {"use-id-pool", T_USE_ID_POOL},
+#endif /* RANDOMIZE_ID */
        {"versions", T_VERSIONS},
        {"warn", T_WARN},
        {"yes", T_YES},
Index: ns_main.c
===================================================================
RCS file: /proj/named/BIND8/src/bin/named/ns_main.c,v
retrieving revision 1.1.1.2
retrieving revision 1.4
diff -u -r1.1.1.2 -r1.4
--- ns_main.c   1997/12/11 11:26:53     1.1.1.2
+++ ns_main.c   1998/01/21 11:32:50     1.4
@@ -143,6 +143,16 @@
                                sbufsize = 16 * 1024;

 static u_int16_t               nsid_state;
+#ifdef RANDOMIZE_ID
+static u_int16_t               *nsid_pool;  /* optional query id pool */
+static u_int16_t               *nsid_vtable;  /* optional shuffle table */
+static u_int32_t               nsid_hash_state;
+static u_int16_t               nsid_a1, nsid_a2, nsid_a3;
+static u_int16_t               nsid_c1, nsid_c2, nsid_c3;
+static u_int16_t               nsid_state2;
+static int                     nsid_algorithm;
+#endif /* RANDOMIZE_ID */
+
 static int                     needs;

 static struct qstream          *sq_add(void);
@@ -331,8 +341,6 @@

        _res.options &= ~(RES_DEFNAMES | RES_DNSRCH | RES_RECURSE);

-       nsid_init();
-
        /*
         * Initialize and load database.
         */
@@ -343,6 +351,8 @@
        time(&boottime);
        resettime = boottime;

+       nsid_init();
+
        /*
         * Fork and go into background now that
         * we've done any slow initialization
@@ -1800,8 +1808,401 @@
  * allocation scheme to make it a little harder to predict them.  Note
  * that the resolver will need the same protection so the cleverness
  * should be put there rather than here; this is just an interface layer.
+ *
+ * This is true but ... most clients only send out a few queries, they
+ * use varying port numbers, and the queries aren't sent to the outside
+ * world which we know is full of spoofers.  Doing a good job of randomizing
+ * ids may also be to expensive for each client. Queries forwarded by the
+ * server always come from the same port (unless you let 8.x pick a port
+ * and restart it periodically - maybe it should open several and use
+ * them randomly).  The server sends out lots more queries, and if it's
+ * cache is corrupted, it has the potential to affect more clients.
+ * NOTE: - randomizing the ID or source port doesn't help a bit if the
+ * queries can be sniffed.
+ *                             -- DL
+ */
+
+#ifdef RANDOMIZE_ID
+/*
+ * Allow the user to pick one of two ID randomization algorithms.
+ *
+ * The first algorithm is an adaptation of the sequence shuffling
+ * algorithm discovered by Carter Bays and S. D. Durham [ACM Trans. Math.
+ * Software 2 (1976), 59-64], as documented as Algorithm B in Chapter
+ * 3.2.2 in Volume 2 of Knuth's "The Art of Computer Programming".  We use
+ * a randomly selected linear congruential random number generator with a
+ * modulus of 2^16, whose increment is a randomly picked odd number, and
+ * whose multiplier is picked from a set which meets the following
+ * criteria:
+ *     Is of the form 8*n+5, which ensures "high potency" according to
+ *     principle iii in the summary chapter 3.6.  This form also has a
+ *     gcd(a-1,m) of 4 which is good according to principle iv.
+ *
+ *     Is between 0.01 and 0.99 times the modulus as specified by
+ *     principle iv.
+ *
+ *     Passes the spectral test "with flying colors" (ut >= 1) in
+ *     dimensions 2 through 6 as calculated by Algorithm S in Chapter
+ *     3.3.4 and the ratings calculated by formula 35 in section E.
+ *
+ *     Of the multipliers that pass this test, pick the set that is
+ *     best according to the theoretical bounds of the serial
+ *     correlation test.  This was calculated using a simplified
+ *     version of Knuth's Theorem K in Chapter 3.3.3.
+ *
+ * These criteria may not be important for this use, but we might as well
+ * pick from the best generators since there are so many possible ones and
+ * we don't have that many random bits to do the picking.
+ *
+ * We use a modulus of 2^16 instead of something bigger so that we will
+ * tend to cycle through all the possible IDs before repeating any,
+ * however the shuffling will perturb this somewhat.  Theoretically there
+ * is no minimimum interval between two uses of the same ID, but in
+ * practice it seems to be >64000.
+ *
+ * Our adaptatation  of Algorithm B mixes the hash state which has
+ * captured various random events into the shuffler to perturb the
+ * sequence.
+ *
+ * One disadvantage of this algorithm is that if the generator parameters
+ * were to be guessed, it would be possible to mount a limited brute force
+ * attack on the ID space since the IDs are only shuffled within a limited
+ * range.
+ *
+ * The second algorithm uses the same random number generator to populate
+ * a pool of 65536 IDs.  The hash state is used to pick an ID from a window
+ * of 4096 IDs in this pool, then the chosen ID is swapped with the ID
+ * at the beginning of the window and the window position is advanced.
+ * This means that the interval between uses of the ID will be no less
+ * than 65536-4096.  The ID sequence in the pool will become more random
+ * over time.
+ *
+ * For both algorithms, two more linear congruential random number generators
+ * are selected.  The ID from the first part of algorithm is used to seed
+ * the first of these generators, and its output is used to seed the second.
+ * The strategy is use these generators as 1 to 1 hashes to obfuscate the
+ * properties of the generator used in the first part of either algorithm.
+ *
+ * The first algorithm may be suitable for use in a client resolver since
+ * its memory requirements are fairly low and it's pretty random out of
+ * the box.  It is somewhat succeptible to a limited brute force attack,
+ * so the second algorithm is probably preferable for a longer running
+ * program that issues a large number of queries and has time to randomize
+ * the pool.
+ */
+
+#define NSID_SHUFFLE_TABLE_SIZE 100 /* Suggested by Knuth */
+/*
+ * Pick one of the next 4096 IDs in the pool.
+ * There is a tradeoff here between randomness and how often and ID is reused.
+ */
+#define NSID_LOOKAHEAD 4096    /* Must be a power of 2 */
+#define NSID_SHUFFLE_ONLY 1    /* algorithm 1 */
+#define NSID_USE_POOL 2                /* algorithm 2 */
+
+/*
+ * Keep a running hash of various bits of data that we'll use to
+ * stir the ID pool or perturb the ID generator
  */
+void
+nsid_hash(u_char *data, size_t len) {
+       /*
+        * Hash function similar to the one we use for hashing names.
+        * We don't fold case or toss the upper bit here, though.
+        * This hash doesn't do much interesting when fed binary zeros,
+        * so there may be a better hash function.
+        * This function doesn't need to be very strong since we're
+        * only using it to stir the pool, but it should be reasonably
+        * fast.
+        */
+       while (len-- > 0) {
+               /* rotate left HASHSHIFT */
+               nsid_hash_state = (nsid_hash_state << HASHSHIFT) |
+                   (nsid_hash_state>>((sizeof(nsid_hash_state)*8)-HASHSHIFT));
+               nsid_hash_state += *data++;
+       }
+}
+
+/*
+ * Table of good linear congruential multipliers for modulus 2^16
+ * in order of increasing serial correlation bounds (so trim from
+ * the end).
+ */
+static const u_int16_t nsid_multiplier_table[] = {
+        17565, 25013, 11733, 19877, 23989, 23997, 24997, 25421,
+        26781, 27413, 35901, 35917, 35973, 36229, 38317, 38437,
+        39941, 40493, 41853, 46317, 50581, 51429, 53453, 53805,
+        11317, 11789, 12045, 12413, 14277, 14821, 14917, 18989,
+        19821, 23005, 23533, 23573, 23693, 27549, 27709, 28461,
+        29365, 35605, 37693, 37757, 38309, 41285, 45261, 47061,
+        47269, 48133, 48597, 50277, 50717, 50757, 50805, 51341,
+        51413, 51581, 51597, 53445, 11493, 14229, 20365, 20653,
+        23485, 25541, 27429, 29421, 30173, 35445, 35653, 36789,
+        36797, 37109, 37157, 37669, 38661, 39773, 40397, 41837,
+        41877, 45293, 47277, 47845, 49853, 51085, 51349, 54085,
+        56933,  8877,  8973,  9885, 11365, 11813, 13581, 13589,
+        13613, 14109, 14317, 15765, 15789, 16925, 17069, 17205,
+        17621, 17941, 19077, 19381, 20245, 22845, 23733, 24869,
+        25453, 27213, 28381, 28965, 29245, 29997, 30733, 30901,
+        34877, 35485, 35613, 36133, 36661, 36917, 38597, 40285,
+        40693, 41413, 41541, 41637, 42053, 42349, 45245, 45469,
+        46493, 48205, 48613, 50861, 51861, 52877, 53933, 54397,
+        55669, 56453, 56965, 58021,  7757,  7781,  8333,  9661,
+        12229, 14373, 14453, 17549, 18141, 19085, 20773, 23701,
+        24205, 24333, 25261, 25317, 27181, 30117, 30477, 34757,
+        34885, 35565, 35885, 36541, 37957, 39733, 39813, 41157,
+        41893, 42317, 46621, 48117, 48181, 49525, 55261, 55389,
+        56845,  7045,  7749,  7965,  8469,  9133,  9549,  9789,
+        10173, 11181, 11285, 12253, 13453, 13533, 13757, 14477,
+        15053, 16901, 17213, 17269, 17525, 17629, 18605, 19013,
+        19829, 19933, 20069, 20093, 23261, 23333, 24949, 25309,
+        27613, 28453, 28709, 29301, 29541, 34165, 34413, 37301,
+        37773, 38045, 38405, 41077, 41781, 41925, 42717, 44437,
+        44525, 44613, 45933, 45941, 47077, 50077, 50893, 52117,
+         5293, 55069, 55989, 58125, 59205,  6869, 14685, 15453,
+        16821, 17045, 17613, 18437, 21029, 22773, 22909, 25445,
+        25757, 26541, 30709, 30909, 31093, 31149, 37069, 37725,
+        37925, 38949, 39637, 39701, 40765, 40861, 42965, 44813,
+        45077, 45733, 47045, 50093, 52861, 52957, 54181, 56325,
+        56365, 56381, 56877, 57013,  5741, 58101, 58669,  8613,
+        10045, 10261, 10653, 10733, 11461, 12261, 14069, 15877,
+        17757, 21165, 23885, 24701, 26429, 26645, 27925, 28765,
+        29197, 30189, 31293, 39781, 39909, 40365, 41229, 41453,
+        41653, 42165, 42365, 47421, 48029, 48085, 52773,  5573,
+        57037, 57637, 58341, 58357, 58901,  6357,  7789,  9093,
+        10125, 10709, 10765, 11957, 12469, 13437, 13509, 14773,
+        15437, 15773, 17813, 18829, 19565, 20237, 23461, 23685,
+        23725, 23941, 24877, 25461, 26405, 29509, 30285, 35181,
+        37229, 37893, 38565, 40293, 44189, 44581, 45701, 47381,
+        47589, 48557,  4941, 51069,  5165, 52797, 53149,  5341,
+        56301, 56765, 58581, 59493, 59677,  6085,  6349,  8293,
+         8501,  8517, 11597, 11709, 12589, 12693, 13517, 14909,
+        17397, 18085, 21101, 21269, 22717, 25237, 25661, 29189,
+        30101, 31397, 33933, 34213, 34661, 35533, 36493, 37309,
+        40037,  4189, 42909, 44309, 44357, 44389,  4541, 45461,
+        46445, 48237, 54149, 55301, 55853, 56621, 56717, 56901,
+         5813, 58437, 12493, 15365, 15989, 17829, 18229, 19341,
+        21013, 21357, 22925, 24885, 26053, 27581, 28221, 28485,
+        30605, 30613, 30789, 35437, 36285, 37189,  3941, 41797,
+         4269, 42901, 43293, 44645, 45221, 46893,  4893, 50301,
+        50325,  5189, 52109, 53517, 54053, 54485,  5525, 55949,
+        56973, 59069, 59421, 60733, 61253,  6421,  6701,  6709,
+         7101,  8669, 15797, 19221, 19837, 20133, 20957, 21293,
+        21461, 22461, 29085, 29861, 30869, 34973, 36469, 37565,
+        38125, 38829, 39469, 40061, 40117, 44093, 47429, 48341,
+        50597, 51757,  5541, 57629, 58405, 59621, 59693, 59701,
+        61837,  7061, 10421, 11949, 15405, 20861, 25397, 25509,
+        25893, 26037, 28629, 28869, 29605, 30213, 34205, 35637,
+        36365, 37285,  3773, 39117,  4021, 41061, 42653, 44509,
+         4461, 44829,  4725,  5125, 52269, 56469, 59085,  5917,
+        60973,  8349, 17725, 18637, 19773, 20293, 21453, 22533,
+        24285, 26333, 26997, 31501, 34541, 34805, 37509, 38477,
+        41333, 44125, 46285, 46997, 47637, 48173,  4925, 50253,
+        50381, 50917, 51205, 51325, 52165, 52229,  5253,  5269,
+        53509, 56253, 56341,  5821, 58373, 60301, 61653, 61973,
+        62373,  8397, 11981, 14341, 14509, 15077, 22261, 22429,
+        24261, 28165, 28685, 30661, 34021, 34445, 39149,  3917,
+        43013, 43317, 44053, 44101,  4533, 49541, 49981,  5277,
+        54477, 56357, 57261, 57765, 58573, 59061, 60197, 61197,
+        62189,  7725,  8477,  9565, 10229, 11437, 14613, 14709,
+        16813, 20029, 20677, 31445,  3165, 31957,  3229, 33541,
+        36645,  3805, 38973,  3965,  4029, 44293, 44557, 46245,
+        48917,  4909, 51749, 53709, 55733, 56445,  5925,  6093,
+        61053, 62637,  8661,  9109, 10821, 11389, 13813, 14325,
+        15501, 16149, 18845, 22669, 26437, 29869, 31837, 33709,
+        33973, 34173,  3677,  3877,  3981, 39885, 42117,  4421,
+        44221, 44245, 44693, 46157, 47309,  5005, 51461, 52037,
+        55333, 55693, 56277, 58949,  6205, 62141, 62469,  6293,
+        10101, 12509, 14029, 17997, 20469, 21149, 25221, 27109,
+         2773,  2877, 29405, 31493, 31645,  4077, 42005, 42077,
+        42469, 42501, 44013, 48653, 49349,  4997, 50101, 55405,
+        56957, 58037, 59429, 60749, 61797, 62381, 62837,  6605,
+        10541, 23981, 24533,  2701, 27333, 27341, 31197, 33805,
+         3621, 37381,  3749,  3829, 38533, 42613, 44381, 45901,
+        48517, 51269, 57725, 59461, 60045, 62029, 13805, 14013,
+        15461, 16069, 16157, 18573,  2309, 23501, 28645,  3077,
+        31541, 36357, 36877,  3789, 39429, 39805, 47685, 47949,
+        49413,  5485, 56757, 57549, 57805, 58317, 59549, 62213,
+        62613, 62853, 62933,  8909, 12941, 16677, 20333, 21541,
+        24429, 26077, 26421,  2885, 31269, 33381,  3661, 40925,
+        42925, 45173,  4525,  4709, 53133, 55941, 57413, 57797,
+        62125, 62237, 62733,  6773, 12317, 13197, 16533, 16933,
+        18245,  2213,  2477, 29757, 33293, 35517, 40133, 40749,
+         4661, 49941, 62757,  7853,  8149,  8573, 11029, 13421,
+        21549, 22709, 22725, 24629,  2469, 26125,  2669, 34253,
+        36709, 41013, 45597, 46637, 52285, 52333, 54685, 59013,
+        60997, 61189, 61981, 62605, 62821,  7077,  7525,  8781,
+        10861, 15277,  2205, 22077, 28517, 28949, 32109, 33493,
+         3685, 39197, 39869, 42621, 44997, 48565,  5221, 57381,
+        61749, 62317, 63245, 63381, 23149,  2549, 28661, 31653,
+        33885, 36341, 37053, 39517, 42805, 45853, 48997, 59349,
+        60053, 62509, 63069,  6525,  1893, 20181,  2365, 24893,
+        27397, 31357, 32277, 33357, 34437, 36677, 37661, 43469,
+        43917, 50997, 53869,  5653, 13221, 16741, 17893,  2157,
+        28653, 31789, 35301, 35821, 61613, 62245, 12405, 14517,
+        17453, 18421,  3149,  3205, 40341,  4109, 43941, 46869,
+        48837, 50621, 57405, 60509, 62877,  8157, 12933, 12957,
+        16501, 19533,  3461, 36829, 52357, 58189, 58293, 63053,
+        17109,  1933, 32157, 37701, 59005, 61621, 13029, 15085,
+        16493, 32317, 35093,  5061, 51557, 62221, 20765, 24613,
+         2629, 30861, 33197, 33749, 35365, 37933, 40317, 48045,
+        56229, 61157, 63797,  7917, 17965,  1917,  1973, 20301,
+         2253, 33157, 58629, 59861, 61085, 63909,  8141,  9221,
+        14757,  1581, 21637, 26557, 33869, 34285, 35733, 40933,
+        42517, 43501, 53653, 61885, 63805,  7141, 21653, 54973,
+        31189, 60061, 60341, 63357, 16045,  2053, 26069, 33997,
+        43901, 54565, 63837,  8949, 17909, 18693, 32349, 33125,
+        37293, 48821, 49053, 51309, 64037,  7117,  1445, 20405,
+        23085, 26269, 26293, 27349, 32381, 33141, 34525, 36461,
+        37581, 43525,  4357, 43877,  5069, 55197, 63965,  9845,
+        12093,  2197,  2229, 32165, 33469, 40981, 42397,  8749,
+        10853,  1453, 18069, 21693, 30573, 36261, 37421, 42533
+};
+#define NSID_MULT_TABLE_SIZE \
+           ((sizeof nsid_multiplier_table)/(sizeof nsid_multiplier_table[0]))
+
+void
+nsid_init() {
+       struct timeval now;
+       pid_t mypid;
+       u_int16_t a1ndx, a2ndx, a3ndx, c1ndx, c2ndx, c3ndx;
+       int i;
+
+       if (nsid_algorithm != 0)
+               return;
+
+       gettimeofday(&now, NULL);
+       mypid = getpid();
+
+       /* Initialize the state */
+       nsid_hash_state = 0;
+       nsid_hash((u_char *)&now, sizeof now);
+       nsid_hash((u_char *)&mypid, sizeof mypid);
+
+       /*
+        * Select our random number generators and initial seed.
+        * We could really use more random bits at this point,
+        * but we'll try to make a silk purse out of a sows ear ...
+        */
+       /* generator 1 */
+       a1ndx = ((u_long) NSID_MULT_TABLE_SIZE *
+               (nsid_hash_state & 0xFFFF)) >> 16;
+       nsid_a1 = nsid_multiplier_table[a1ndx];
+       c1ndx = (nsid_hash_state >> 9) & 0x7FFF;
+       nsid_c1 = 2*c1ndx + 1;
+       /* generator 2, distinct from 1 */
+       a2ndx = ((u_long) (NSID_MULT_TABLE_SIZE - 1) *
+               ((nsid_hash_state >> 10) & 0xFFFF)) >> 16;
+       if (a2ndx >= a1ndx)
+               a2ndx++;
+       nsid_a2 = nsid_multiplier_table[a2ndx];
+       c2ndx = nsid_hash_state % 32767;
+       if (c2ndx >= c1ndx)
+               c2ndx++;
+       nsid_c2 = 2*c2ndx + 1;
+       /* generator 3, distinct from 1 and 2 */
+       a3ndx = ((u_long) (NSID_MULT_TABLE_SIZE - 2) *
+               ((nsid_hash_state >> 20) & 0xFFFF)) >> 16;
+       if (a3ndx >= a1ndx || a3ndx >= a2ndx)
+               a3ndx++;
+       if (a3ndx >= a1ndx && a3ndx >= a2ndx)
+               a3ndx++;
+       nsid_a3 = nsid_multiplier_table[a3ndx];
+       c3ndx = nsid_hash_state % 32766;
+       if (c3ndx >= c1ndx || c3ndx >= c2ndx)
+               c3ndx++;
+       if (c3ndx >= c1ndx && c3ndx >= c2ndx)
+               c3ndx++;
+       nsid_c3 = 2*c3ndx + 1;
+
+       nsid_state = ((nsid_hash_state >> 16) ^ (nsid_hash_state)) & 0xFFFF;
+
+
+       /* Do the algorithm specific initialization */
+       INSIST(server_options != NULL);
+       if (NS_OPTION_P(OPTION_USE_ID_POOL) == 0) {
+               /* Algorithm 1 */
+               nsid_algorithm = 1;
+               nsid_vtable = malloc(NSID_SHUFFLE_TABLE_SIZE *
+                                    (sizeof(u_int16_t)) );
+               if (!nsid_vtable)
+                       ns_panic(ns_log_default, 1, "malloc(nsid_vtable)",
+                                NULL);
+               for (i = 0; i < NSID_SHUFFLE_TABLE_SIZE; i++) {
+                       nsid_vtable[i] = nsid_state;
+                       nsid_state = (((u_long) nsid_a1 * nsid_state) + nsid_c1)
+                                    & 0xFFFF;
+               }
+               nsid_state2 = nsid_state;
+       } else {
+               /* Algorithm 2 */
+               nsid_algorithm = 2;
+               nsid_pool = malloc(0x10000 * (sizeof(u_int16_t)));
+               if (!nsid_pool)
+                       ns_panic(ns_log_default, 1, "malloc(nsid_pool)", NULL);
+               for (i = 0; ; i++) {
+                       nsid_pool[i] = nsid_state;
+                       nsid_state = (((u_long) nsid_a1 * nsid_state) + nsid_c1)                                     & 
0xFFFF;
+                       if (i == 0xFFFF)
+                               break;
+               }

+       }
+}
+
+#define NSID_RANGE_MASK (NSID_LOOKAHEAD - 1)
+
+#define NSID_POOL_MASK 0xFFFF /* used to wrap the pool index */
+
+u_int16_t
+nsid_next() {
+       u_int16_t id, compressed_hash;
+
+       compressed_hash = ((nsid_hash_state >> 16) ^ (nsid_hash_state)) &
+                         0xFFFF;
+       if (nsid_algorithm == 1) {
+               u_int16_t j;
+
+               /*
+                * This is the original Algorithm B
+                * j = ((u_long) NSID_SHUFFLE_TABLE_SIZE * nsid_state2)
+                *     >> 16;
+                *
+                * We'll perturb it with some random stuff  ...
+                */
+               j = ((u_long) NSID_SHUFFLE_TABLE_SIZE *
+                   (nsid_state2 ^ compressed_hash)) >> 16;
+               nsid_state2 = id = nsid_vtable[j];
+               nsid_state = (((u_long) nsid_a1 * nsid_state) + nsid_c1) &
+                            0xFFFF;
+               nsid_vtable[j] = nsid_state;
+       } else if (nsid_algorithm == 2) {
+               u_int16_t pick;
+
+               pick = compressed_hash & NSID_RANGE_MASK;
+               id = nsid_pool[(nsid_state + pick) & NSID_POOL_MASK];
+               if (pick != 0) {
+                       /* Swap two IDs to stir the pool */
+                       nsid_pool[(nsid_state + pick) & NSID_POOL_MASK] =
+                               nsid_pool[nsid_state];
+                       nsid_pool[nsid_state] = id;
+               }
+
+               /* increment the base pointer into the pool */
+               if (nsid_state == 65535)
+                       nsid_state = 0;
+               else
+                       nsid_state++;
+       } else
+               ns_panic(ns_log_default, 1, "Unknown ID algorithm", NULL);
+
+        /* Now lets obfuscate ... */
+       id = (((u_long) nsid_a2 * id) + nsid_c2) & 0xFFFF;
+       id = (((u_long) nsid_a3 * id) + nsid_c3) & 0xFFFF;
+
+       return (id);
+}
+#else  /* RANDOMIZE_ID */
 void
 nsid_init() {
        nsid_state = res_randomid();
@@ -1815,6 +2216,7 @@
                nsid_state++;
        return (nsid_state);
 }
+#endif /* RANDOMIZE_ID */

 static void
 deallocate_everything(void) {
Index: ns_parser.y
===================================================================
RCS file: /proj/named/BIND8/src/bin/named/ns_parser.y,v
retrieving revision 1.1.1.2
retrieving revision 1.3
diff -u -r1.1.1.2 -r1.3
--- ns_parser.y 1997/12/11 11:26:58     1.1.1.2
+++ ns_parser.y 1998/01/21 11:32:52     1.3
@@ -137,6 +137,7 @@
 %type  <axfr_fmt>      transfer_format
 %token                 T_NOTIFY T_AUTH_NXDOMAIN T_MULTIPLE_CNAMES
 %token                 T_CLEAN_INTERVAL T_INTERFACE_INTERVAL T_STATS_INTERVAL
+%token                 T_USE_ID_POOL

 /* Items used for the "logging" statement: */
 %token                 T_LOGGING T_CATEGORY T_CHANNEL T_SEVERITY T_DYNAMIC
@@ -324,6 +328,10 @@
                set_boolean_option(current_options, OPTION_MULTIPLE_CNAMES,
                                   $2);
        }
+       | T_USE_ID_POOL yea_or_nay
+       {
+               set_boolean_option(current_options, OPTION_USE_ID_POOL, $2);
+       }
        | T_CHECK_NAMES check_names_type check_names_opt
        {
                current_options->check_names[$2] = $3;
Index: ns_req.c
===================================================================
RCS file: /proj/named/BIND8/src/bin/named/ns_req.c,v
retrieving revision 1.1.1.2
retrieving revision 1.4
diff -u -r1.1.1.2 -r1.4
--- ns_req.c    1997/12/11 11:27:03     1.1.1.2
+++ ns_req.c    1998/01/21 11:32:54     1.4
@@ -177,6 +177,12 @@
        }
 #endif

+#ifdef RANDOMIZE_ID
+       /* Hash some stuff so it's nice and random */
+       nsid_hash((char *)&tt, sizeof(tt));
+       nsid_hash(msg, (msglen > 512) ? 512 : msglen);
+#endif /* RANDOMIZE_ID
+
        /*
         * It's not a response so these bits have no business
         * being set. will later simplify work if we can



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]