Port randomization is the best cure for the Kaminsky exploit, short of DNSSEC.
Your statement about not being the target of the attack does not seem to me to represent a smart attitude. The attack ultimately targets you (as a pharming attack). The fact that it goes through a vulnerability at AT&T doesn't change that. If I were you, I would be testing AT&T's resolvers to see that they've been fixed.

For myself, I spent an hour on the phone with Comcast yesterday trying to convince them to fix the resolvers they assign to me. If they don't by next week, I'll deploy my own HLFS-based resolver. And because my little router uses NAT/PAT and dnsmasq, I may be forced to retire it as well, replacing it with an HLFS-based router (probably the same machine as my replacement resolver).

Chris Buxton
Professional Services
Men & Mice

On Jul 16, 2008, at 9:09 AM, marty wrote:

>> You're right, none of the BIND server stuff relates to you - I think
>> AT&T should be able to upgrade their servers in time, if they haven't
>> already. We're only discussing it because you brought it up.
>>
> Actually it was you who brought it up with that "Chicken
> Little" routine:)
>
>> If you want to check on AT&T's progress, execute this command
>> [assuming you have dig installed]:
>>
>> dig +short porttest.dns-oarc.net TXT
>
> That just shows the level of source port randomness for a
> given resolver. Poor randomness in itself does not
> constitute a vulnerability but it is a prerequisite for
> Kaminsky's sploit, and others, to work.
>
> People have been attacking DNS successfully since it was
> introduced. DNS attacks don't target single individuals but
> instead attack the trusted DNS infrastructure to misdirect
> the end users. This means only the big players are the
> logical targets anyway, not HLFS users.
>
> Marty B.
>
> --
> Electile Dysfunction : the inability to become aroused over
> any of the choices for President put forth by either party
> in the 2008 election.
--
http://linuxfromscratch.org/mailman/listinfo/hlfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page
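As an added example, not part of the thread above: a small Python check of the kind porttest.dns-oarc.net performs, run over constructed samples of the UDP source ports a resolver was observed using. It shows why port randomization matters for the Kaminsky attack: a fixed or incrementing port leaves only the 16-bit transaction ID unpredictable, while a well-randomized port adds close to another 16 bits. The rating thresholds and the entropy estimate are this example's own assumptions, not OARC's.

```python
import math
import statistics

# Constructed samples (made up for this example) of 24 source ports seen on
# a resolver's outbound queries.
SEQUENTIAL_PORTS = [32768 + i for i in range(24)]   # incrementing port
RANDOM_PORTS = [51234, 4321, 61002, 17745, 33321, 9072, 58211, 21887,
                41004, 62910, 1999, 47533, 29384, 13312, 55660, 37128,
                7421, 64001, 23500, 45098, 11174, 59847, 30266, 50512]

TXID_BITS = 16  # the DNS transaction ID is a fixed 16-bit field


def port_randomness(ports):
    """Summarise how unpredictable the observed source ports look.

    Returns the number of distinct ports, the population standard deviation
    (the statistic porttest reports) and a crude estimate of how many bits of
    unpredictability the port choice adds on top of the TXID.  Assumption of
    this example: a constant step between successive ports is fully
    predictable (0 bits); otherwise log2 of the observed spread, capped at 16.
    """
    distinct = len(set(ports))
    stdev = statistics.pstdev(ports) if len(ports) > 1 else 0.0
    steps = {b - a for a, b in zip(ports, ports[1:])}
    if distinct <= 1 or len(steps) == 1:
        port_bits = 0.0
    else:
        spread = max(ports) - min(ports) + 1
        port_bits = min(16.0, math.log2(spread))
    return {"distinct": distinct, "stdev": stdev, "port_bits": round(port_bits, 1)}


def rate(summary):
    """Rating thresholds are this example's own, not OARC's."""
    if summary["port_bits"] == 0.0:
        return "POOR: source port is fixed or predictable, only the TXID varies"
    if summary["stdev"] < 10000:
        return "FAIR: ports vary but are confined to a narrow range"
    return "GOOD"


def unpredictable_bits(summary):
    """Bits a forged answer must match by chance: TXID plus port entropy."""
    return round(TXID_BITS + summary["port_bits"], 1)


if __name__ == "__main__":
    for name, ports in (("sequential", SEQUENTIAL_PORTS), ("random", RANDOM_PORTS)):
        s = port_randomness(ports)
        print(name, s, rate(s), "total bits:", unpredictable_bits(s))
```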