On Mon, Jun 10, 2019 at 12:37 PM Grant Taylor via bind-users <bind-users@lists.isc.org> wrote: > > On 6/7/19 8:44 PM, Mark Andrews wrote: > > Named drops those ports as they can be used in reflection attacks. > > Sane NAT developers avoid those ports for just that reason. The full > > list is below. > > I understand the logic behind avoiding potentially problematic ports. > > But I don't understand the actual attack scenario. Is the attack > against the BIND server?
The root problem is cache poisoning -- see "The Hitchhiker’s Guide to DNS Cache Poisoning" Section 3.2 Blind response forgery using birthday attack ( https://www.cs.cornell.edu/~shmat/shmat_securecomm10.pdf ) for a reasonable writeup. It's unclear how much protection using the additional port space actually helps in practice, but... There are many other mitigations, and the "right" answer is "just use DNSSEC". W > I.e. in an attempt to cause BIND to establish > a never ending loop of packets between itself and the purported address? > Or is this an attempt to cause BIND to attack a spoofed source with > said loop? > > Nor do I understand why BIND couldn't differentiate between an actual > query vs a reflected reply, daytime response, chargen, or time packet. > > Will someone please explain what I'm failing to understand? > > > > -- > Grant. . . . > unix || die > > _______________________________________________ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
