Home page logo

nanog logo nanog mailing list archives

Re: how to protect name servers against cache corruption
From: Michael Dillon <michael () priori net>
Date: Wed, 30 Jul 1997 23:33:43 -0700

I don't think
the operation community wants to think about the implications of someone
with both malice and BRAINS trying to utilize the same security problems.

Maybe some of us have thought about it and realized that the best course of
action is to:

a. not talk publicly about this lest the cracker community learn too much

b. harden our networks and systems to survive such a scenario. A couple
   of good tips have been pointed out re filtering bogus source routes
   and blocking broadcast packets during this thread. Not to mention
   upgrading to the latest BIND and running servers non-recursively if
   they are only acting as primary/secondary for customer domains.

c. make sure that we have the logging systems in place to trace and identify
   the people carrying out such an attack so that the appropriate law
   enforcement agencies can deal with them.

Some of us also know that there are some very bright and skilled people
studying information warfare in order to better prepare the armed forces
and civilian security agencies to deal with info warfare attacks. We may as
well let them do their job and we'll do ours.

We are like the designers and operators of an interstate toll highway, not
like the highway patrol.

In fact I think one of your most recent posts quite eloquently pointed out
the difficulty, futility almost, of trying to block such attacks with a
protocol that was never designed to be secure. If we are going to take
heroic measures, would they not be better spent on implementing DNSSEC
rather than shoring up the old DNS protocol? The lesson of the coal mines
in England comes to mind...

Michael Dillon                    voice: +1-415-482-2840
Senior Systems Architect            fax: +1-415-482-2844
PRIORI NETWORKS, INC.              http://www.priori.net

"The People You Know.  The People You Trust."

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]