[dns-operations] CERT VU#800113 Multiple DNS implementations vulnerable to cache poisoning
Patrick W. Gilmore
patrick at ianai.net
Thu Jul 10 13:36:30 UTC 2008
On Jul 10, 2008, at 3:35 AM, Otmar Lendl wrote:
> On 2008/07/10 03:07, "Patrick W. Gilmore" <patrick at ianai.net> wrote:
>> The last time we had something like this was the BGP/MD5 fiasco. We
>> were told to trust the messengers, it was horrifically bad, the
>> Internet was about to die.
> This touches on a basic principle of disaster containment:
> Predicted disasters rarely happen.
> Take Y2K. Take the BGP/MD5 thing. Hopefully this DNS issue, too.
> My pet theory is that massive panic and PR activity cause people to
> look at the issue, fix most of the bugs/problems which can cause the
> disaster or prepare to deal with the effects if they are hit.
> The result is that these pre-announced disasters don't materialize in
> the predicted, massive scope.
> On the other hand, if there hadn't been the public panic, preparations
> would not have been as extensive and thus the disaster might indeed
Let's be clear: I am not arguing against upgrading name servers to
randomize source UDP ports.
My comment was simply that the MD5 fiasco was just that - a fiasco.
Millions of dollars and man years of effort put into something that
was NOT USEFUL. The attacks did not occur because of the flurry of
activity. They did not occur because it is easier to take out an
entire router than reset a single session.
I completely understand that security workers are 1) paranoid, and 2)
paranoid, and most of all, 3) paranoid. :) As they should be! But
when people say "Bad Stuff, Hurry Fix" based on a problem people have
known about for years & years, I just worry about the effort I am
about to put into a job when I don't actually know why I'm doing it.
OK, enough babbling. Everyone go randomize your source ports. This
one does not have the drastic downtime associated with it that MD5 had
(i.e. "cure worse than the disease"). It's probably a good idea
whether there is a 'sploit in the wild or not.
Please forgive my questioning those who have more information than I do.
Call me paranoid too.
> So, the best possible case for this week's "the world is doomed" scare
> is that the fear-mongering will indeed work to trigger the necessary
> updates. Hopefully, people will tell each other in a year "gee, that
> was an unnecessary panic last year, nothing happened when they released
> details of the attack".
> I wish the same were true for the IPv4 address exhaustion.
> -=- Otmar Lendl -- ol at bofh.priv.at -=-
> dns-operations mailing list
> dns-operations at lists.oarci.net