Home page logo

nanog logo nanog mailing list archives

Re: how to protect name servers against cache corruption
From: "Thomas H. Ptacek" <tqbf () enteract com>
Date: Thu, 31 Jul 1997 00:20:26 -0500 (CDT)

What, exactly, does Bind 8.1 do?

BIND 8.1.1 does not appear to have an easy mechanism to match a query ID
to the question-section details of an open query. Currently, BIND
increments a counter, prints a debugging log line, and drops the packet;
it does not invalidate the open query.

Netcom's nameservers. They will no longer be able to resolve NETSOL.COM,
since every query they open up will be immediately invalidated by a fake

Well, one could make observations about comparisons of IP source
addresses here...

All of the attacks being discussed assume the attacker has the ability to
inject completely forged packets onto the network. All of my suggestions
are given under the assumption that this is a situation that we do not
have a reasonable expectation of being able to prevent in IPv4. 

I don't see that the problem you describe affects the people
_answering_.  You'd have to nail _every_ _inquirer_.  Ok, yes, hitting

This is true. However, remember that this thread occurred in response to
an attack by Eugene Kashpureff, who used a far more primitive attack and
made national news by effectively disabling NSI's home page. I don't think
the operation community wants to think about the implications of someone
with both malice and BRAINS trying to utilize the same security problems.

Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf () enteract com]
"If you're so special, why aren't you dead?"

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]