FYI. There was some question here about whether PowerDNS was vulnerable
or not and what it was doing, so I asked Bert Hubert about it. Here is
his answer:
-------- Original Message --------
Subject: Re: [Fwd: Re: DNS attacks evolve]
Date: Wed, 13 Aug 2008 21:29:50 +0200
From: bert hubert <[EMAIL PROTECTED]>
To: Mike Leber <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
On Mon, Aug 11, 2008 at 11:12:35AM -0700, Mike Leber wrote:
> Is there any post anywhere that provides more technical detail about how
> the PowerDNS cache is not vulnerable?
Mike, very briefly, PowerDNS implements two things: source port
randomization + near miss detection.
Near miss detection is documented here:
http://doc.powerdns.com/built-in-recursor.html
spoof-nearmiss-max
If set to non-zero, PowerDNS will assume it is being spoofed after
seeing this many answers with the wrong id. Defaults to 20.
Some more is in:
http://doc.powerdns.com/recursor-details.html
> I'll post a link to it and provide other operators a better answer than
> the equivalent of "because I say so". The answer could be anything such
> as "we reject updates to glue when", or "it takes 10 years based on
> these calculations...".
Calculations on how long it will take are on
http://blog.netherlabs.nl/articles/2008/08/05/calculating-the-chance-of-spoofing-an-agile-source-port-randomised-resolver
These calculations go beyond what powerdns 3.1.7 does however.
> If your vendor told you that you are not at risk they are wrong,
> and need to go re-read the Kaminsky paper. EVERYONE is vulnerable,
> the only question is if the attack takes 1 second, 1 minute, 1 hour
> or 1 day. While possibly interesting for short term problem
Or 1 year, or 2 years or a century.
Bert
--
http://www.PowerDNS.com Open source, database driven DNS Software
http://netherlabs.nl Open and Closed source services
--
+---------------- H U R R I C A N E - E L E C T R I C ----------------+
| Mike Leber Wholesale IPv4 and IPv6 Transit 510 580 4100 |
| Hurricane Electric AS6939 |
| [EMAIL PROTECTED] Internet Backbone & Colocation http://he.net |
+---------------------------------------------------------------------+
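To make the two mechanisms Bert names concrete, here is an added illustration (not PowerDNS code, not from either mail): a resolver that draws a random source port and 16-bit id per query, and counts answers that reach an open port with the wrong id as "near misses", assuming it is being spoofed once the count reaches spoof-nearmiss-max (default 20 per the quoted docs). The class name, the port range and the choice to cancel outstanding queries once spoofing is suspected are assumptions made for this sketch.

```python
import secrets
from collections import defaultdict


class NearMissDetector:
    """Resolver-side bookkeeping for outstanding queries and near misses (illustrative sketch)."""

    def __init__(self, nearmiss_max=20):      # 20 = documented spoof-nearmiss-max default
        self.nearmiss_max = nearmiss_max
        self.outstanding = {}                  # (nameserver, port, txid) -> qname
        self.nearmisses = defaultdict(int)     # nameserver -> wrong-id answers seen
        self.suspected = set()                 # nameservers assumed to be spoofed

    def send_query(self, ns, qname):
        """Source port and transaction id are both drawn at random per query."""
        port = secrets.randbelow(64512) + 1024       # assumed ephemeral range 1024..65535
        txid = secrets.randbelow(65536)
        self.outstanding[(ns, port, txid)] = qname
        return port, txid

    def _open_ports(self):
        return {p for (_, p, _) in self.outstanding}

    def receive_answer(self, ns, port, txid, qname):
        if port not in self._open_ports():
            return "dropped"             # no socket bound there: the kernel discards it
        key = (ns, port, txid)
        if self.outstanding.get(key) == qname:
            del self.outstanding[key]
            return "accepted"
        # Reached an open port but the id (or the question) is wrong: a near miss.
        self.nearmisses[ns] += 1
        if self.nearmisses[ns] >= self.nearmiss_max:
            self.suspected.add(ns)
            # Assumption for this sketch: cancel every outstanding query to this
            # server so a later "matching" answer is not trusted; caller re-queries.
            for k in [k for k in self.outstanding if k[0] == ns]:
                del self.outstanding[k]
            return "spoof-suspected"
        return "near-miss"


if __name__ == "__main__":
    det = NearMissDetector(nearmiss_max=3)
    port, txid = det.send_query("ns.example.", "www.example.")
    for guess in range(3):                   # constructed wrong-id answers
        wrong = (txid + 1 + guess) % 65536
        print(det.receive_answer("ns.example.", port, wrong, "www.example."))
```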