[dns-operations] CERT VU#800113 Multiple DNS implementations vulnerable to cache poisoning

Patrick W. Gilmore patrick at ianai.net
Thu Jul 10 13:36:30 UTC 2008

On Jul 10, 2008, at 3:35 AM, Otmar Lendl wrote:

> On 2008/07/10 03:07, "Patrick W. Gilmore" <patrick at ianai.net> wrote:
>> The last time we had something like this was the BGP/MD5 fiasco.  We
>> were told to trust the messengers, it was horrifically bad, the
>> Internet was about to die.
> This touches on a basic principle of disaster containment:
> Predicted disasters rarely happen.
> Take Y2K. Take the BGP/MD5 thing. Hopefully this DNS issue, too.
> My pet theory is that massive panic and PR activity cause people to
> look at the issue, fix most of the bugs/problems which can cause the
> disaster or prepare to deal with the effects if they are hit.
> The result is that these pre-announced disasters don't materialize in
> the predicted, massive scope.
> On the other hand, if there hadn't been the public panic, preparations
> would not have been as extensive and thus the disaster might indeed  
> have
> happened.

Let's be clear: I am not arguing against upgrading name servers to  
randomize source UDP ports.

My comment was simply that the MD5 fiasco was just that - a fiasco.   
Millions of dollars and man years of effort put into something that  
was NOT USEFUL.  The attacks did not occur because of the flurry of  
activity.  They did not occur because it is easier to take out an  
entire router than reset a single session.

I completely understand that security workers are 1) paranoid, and 2)  
paranoid, and most of all, 3) paranoid. :)  As they should be!  But  
when people say "Bad Stuff, Hurry Fix" based on a problem people have  
known about for years & years, I just worry about the effort I am  
about to put into a job when I don't actually know why I'm doing it.

OK, enough babbling.  Everyone go randomize your source ports.  This  
one does not have the drastic downtime associated with it that MD5 had  
(i.e. "cure worse than the disease").  It's probably a good idea  
whether there is a 'sploit in the wild or not.

Please forgive my questioning those have more information that I do.   
Call me paranoid too.


> So, the best possible case for this week's "the world is doomed" scare
> is that the fear-mongering will indeed work to trigger the necessary
> updates. Hopefully, people will tell each other in a year "gee, that  
> was
> an unnecessary panic last year, nothing happened when they released  
> the
> details of the attack".
> I wish the same were true for the IPv4 address exhaustation.
> /ol
> -- 
> -=-  Otmar Lendl  --  ol at bofh.priv.at  -=-
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.oarci.net
> http://lists.oarci.net/mailman/listinfo/dns-operations

More information about the dns-operations mailing list