On second note, after reading CERT it looks like that's exactly what it is. Another case where the media is over-dramatizing something.
On Wed, Jul 9, 2008 at 1:17 PM, C F <[EMAIL PROTECTED]> wrote:
> I don't think that this is the exploit that they are talking about.
> What you say is too simple and requires too much to achieve (do it the
> right time when a request is asked and quicker than the intended DNS
> server).
>
> On Wed, Jul 9, 2008 at 12:01 PM, Alexander Lopez <[EMAIL PROTECTED]> wrote:
>> Snip
>>
>> On Wed, Jul 9, 2008 at 10:50 AM, C F <[EMAIL PROTECTED]> wrote:
>>
>> Very interesting article. I guess we won't know much more for another few
>> weeks:
>> http://www.breitbart.com/article.php?id=080709124916.zxdxcmkx&show_article=1
>>
>> I thought this was common knowledge. I remember hearing about the flaw
>> around 2000 or so.
>>
>> Thanks,
>> Steve T
>>
>> Knowledge yes, but common, I don't think so. Cache Poisoning has been
>> around since before 2000.
>>
>> A properly designed DNS server with the right amount of randomness in its
>> request would be a difficult target. The attack exploits the fact that many
>> sequential packets had sequential numbers, so that it was easy to send a
>> malformed packet back as a response to a query.
>>
>> It works like this:
>>
>> Badman requests the address for www.digium.com from a name server; the
>> server does not have it in its cache or it has expired. The name server requests
>> the information from its forwarders, or the root domain. Badman sends a
>> packet with the address of the forwarder or root domain server forged with
>> an incremented sequence number. The name server thinks that it is a valid
>> response and adds it to its cache… the cache is poisoned…
>>
>> Clearing the cache would clean out the poison entry, and unless the Badman
>> was able to guess the precise time your name server was to request the
>> information, your server should get the correct entry.
>>
>> Ever since Windows 2003, Bind 9.0+, and all versions of TinyDNS have random
>> numbers been used for the sequence in the packet. There is always a brute
>> force attack that can be done, to simply overwhelm the DNS server and
>> possibly 'guess' the next sequence number, but that would be time consuming,
>> and most intrusion detection systems will pick it up as a DOS or DDOS attack
>> and start to shut down access.
>>
>> Best solution is to use a trusted DNS server, don't have your master DNS
>> server (the one that resolves your domain for the rest of the world) set to
>> do recursive lookups, and, as I do, hide your DNS server behind a NAT'ed
>> firewall that randomizes outgoing ports and sequence numbers.
>>
>> Alex
>>
>> _______________________________________________
>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>
>> AstriCon 2008 - September 22 - 25 Phoenix, Arizona
>> Register Now: http://www.astricon.net
>>
>> asterisk-users mailing list
>> To UNSUBSCRIBE or update options visit:
>> http://lists.digium.com/mailman/listinfo/asterisk-users
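Added illustration (not code from the thread or from any real name server) of the check Alex's explanation turns on: a response only reaches the cache if its transaction ID and destination port match an outstanding query, so a resolver that numbers queries sequentially from a fixed port leaves an off-path sender nothing to guess, while a random ID on a random source port raises the guess space to roughly 32 bits. The server address, query names and the 1024-65535 port pool are constructed values; nothing is sent on the network.

```python
import math
import random
from dataclasses import dataclass

EPHEMERAL_PORTS = 65535 - 1024 + 1   # assumed source-port pool 1024-65535


@dataclass(frozen=True)
class Query:
    txid: int       # 16-bit DNS transaction ID chosen by the resolver
    src_port: int   # UDP source port the resolver sent from
    server: str     # forwarder or authoritative server that was asked
    qname: str      # question section


@dataclass(frozen=True)
class Response:
    txid: int
    dst_port: int
    src: str        # claimed sender address; trivially spoofed over UDP
    qname: str


def response_matches(q: Query, r: Response) -> bool:
    """Resolver-side acceptance check before anything reaches the cache.
    Sender address and question can be copied from the query by a spoofer,
    so txid and port are the only fields it must actually guess."""
    return (r.txid == q.txid and r.dst_port == q.src_port
            and r.src == q.server and r.qname == q.qname)


class Resolver:
    """Sequential IDs on port 53 (the pre-fix behaviour the thread
    describes) versus a random ID on a random ephemeral port."""
    def __init__(self, randomize: bool, rng=None):
        self.randomize = randomize
        self.rng = rng if rng is not None else random.SystemRandom()
        self.last_id = 0

    def send(self, qname: str, server: str) -> Query:
        if self.randomize:
            return Query(self.rng.randrange(65536),
                         self.rng.randrange(1024, 65536), server, qname)
        self.last_id = (self.last_id + 1) & 0xFFFF  # predictable: last + 1
        return Query(self.last_id, 53, server, qname)


def guess_entropy_bits(random_txid: bool, random_port: bool) -> float:
    """Bits an off-path sender must guess per forged response."""
    bits = 16.0 if random_txid else 0.0
    return bits + (math.log2(EPHEMERAL_PORTS) if random_port else 0.0)
```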
