Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: DNS spoofing issue. Thoughts on
From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Sat, 26 Jul 2008 11:51:51 -0500

--On Saturday, July 26, 2008 12:58 AM -0400 Valdis.Kletnieks () vt edu wrote:

On Fri, 25 Jul 2008 23:16:18 CDT, Paul Schmehl said:

Just apply the Microsoft patches and you'll be fine.  The patches make
the attack essentially impossible.

Paul, don't make me take you out back and smack you around. :)

First off - SBC probably doesn't run Windows on the server(s) that they
do the external for RandallMan's site, so the Microsoft patches are going
to do squat-all for that side of the problem.  And RandallMan most
certainly *DOES* need to worry about SBC getting patched - that's the
*biggest* threat now, is mass poisoning of an ISP's DNS servers affecting
*all* their customers.

Well, I *did* think about pointing that SBC isn't patched, but I thought he probably knew that already since he's clearly aware of the problem.

Paul Vixie already pointed out that on an unpatched system, the DNS can
get poisoned in about 11 seconds. And we *also* know that by iteratively
trying new bogus names, the attacker can keep trying over and over till
it works or they get bored. And all the current patches do is make it
*harder* to hit.

The attack isn't "impossible", it's more like "1% chance *per hour* that
your IDS doesn't notice and stop the attempts".  Big difference...

The information that I have says it's statistically impossible *if* you are patched.

Paul Schmehl
As if it wasn't already obvious,
my opinions are my own and not
those of my employer.

Attachment: _bin

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]