mailing list archives
Re: how to protect name servers against cache corruption
From: "Thomas H. Ptacek" <tqbf () enteract com>
Date: Wed, 30 Jul 1997 18:38:31 -0500 (CDT)
Wouldn't a behavior like this be able to be used to bring name servers
down by simply killing CPU time?
Yes, and it's easier than killing CPU time; there's a targetted attack
wherein I can pick a resource record and continuously throw forged
responses for it, with bad query IDs, at a nameserver - that server is now
unable to resolve requests for that record.
And, of course, this ties in nicely with other unfixed servers, since,
right now, any problem that allows me to prevent a BIND server from
responding to queries will allow me to spoof anything it's authoritative
Attack detection is a tool, not an answer. I'm curious as to why it hasn't
been discussed further; it's certainly not MY idea, and it's certainly
been talked about on other forums.
There are other tools available as well. I suppose the point (right now)
is that there are things that can be done to strengthen the current DNS
protocol (as well as it's implementations) that won't break naieve servers
and will make attacks far harder, even in the absence of DNSSEC.
What do you think the timeline is on global deployment of DNSSEC? It's
surprising to me that people aren't more concerned, in light of the fact
that you've just been told flat out, by myself as well as by Mr. Vixie,
that there are exploitable problems that can't be entirely fixed until the
entire protocol is modified.
I suppose the operations context to this is, "hey, you realize DNS is
COMPLETELY BROKEN? What are your plans for dealing with the possibility
of someone posting exploits?" Do we simply stop using DNS?
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf () enteract com]
"If you're so special, why aren't you dead?"