On 10/21/2013 08:54 AM, Keith Mitchell wrote:
Applying the same 5-years' now-outside hindsight to this, the benefits of all that port randomization work seem murky at best - does anyone have data on many real Kaminsky cache-poisoning attacks took place in that time ?
The Kaminsky vulnerability was clear, and while not trivial to exploit was quite doable. The work that ISC and others did to address this was a huge service to the community. If it had not been done, I'm sure things in the last 5 years would have been pretty ugly.
The Herzberg/Shulman attacks seem even harder to exploit in a real (as opposed to la) environment
I can't judge that, but I think the math that says focus on things that we see in the wild over things generally agreed to be academic/unlikely is a good one.
Doug _______________________________________________ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs