[dns-operations] summary of recent vulnerabilities in DNS security.

Colm MacCárthaigh colm at stdlib.net
Mon Oct 21 16:22:16 UTC 2013

On Mon, Oct 21, 2013 at 8:54 AM, Keith Mitchell <keith at smoti.org> wrote:
> Then ISC/BIND response to Kaminsky in 2008 was to burn perhaps 50% of
> the company's product-wide development and support resources over that
> year to co-ordinating, fixing, disclosing, patching, releasing and
> evangelizing the solution to the problem.

I think that may reinforce my point; better to pay attention now than
to repeat history and write off the attack as "never to be seen in the
real world".  I have to believe that if ISC had added source port
randomisation back in 2001 when it was clear that there was an attack
vector it would have been far less costly all-round.

> Applying the same 5-years' now-outside hindsight to this, the benefits
> of all that port randomization work seem murky at best - does anyone
> have data on how many real Kaminsky cache-poisoning attacks took place in
> that time ? The Herzberg/Shulman attacks seem even harder to exploit in
> a real (as opposed to lab) environment.

I've definitely come across some deliberate cache poisoning, but
you're right - it is murky. The incidence is probably very low. But
that same argument can be used to ask "Why deploy DNSSEC?". We're
always mucking around for boundary cases with this stuff.

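Added worked example, not part of the thread above and not BIND's code: the numbers behind the source port randomisation argument. It models a blind, off-path Kaminsky-style attacker who forces a fresh query each round (asking for random sibling names so there is no TTL to wait out) and sprays forged responses before the real answer arrives. A forgery is accepted only if it matches the outstanding query's 16-bit transaction ID and, with port randomisation on, the resolver's UDP source port as well. The usable ephemeral port range (1024-65535, 64512 ports) and the uniform, independent guesses are assumptions of the model, not measurements.

```python
"""Kaminsky-style poisoning odds: fixed source port vs. randomised source port.

Added example (not from the dns-operations thread, not BIND code). Assumptions:
  * resolver picks a uniformly random 16-bit TXID per query;
  * with port randomisation, it also picks a uniformly random UDP source port
    from 1024-65535 (64512 ports, an assumption about the ephemeral range);
  * the attacker is off-path and each forged packet is an independent uniform
    guess at (TXID, port); each round is a fresh race on a fresh name.
"""
import math
import random

TXID_SPACE = 1 << 16        # 16-bit DNS transaction ID
USABLE_PORTS = 65535 - 1024 + 1   # assumed ephemeral range 1024-65535


def guess_space_bits(port_randomized: bool, usable_ports: int = USABLE_PORTS) -> float:
    """Bits an off-path attacker must guess per forged response."""
    bits = math.log2(TXID_SPACE)              # 16 bits from the TXID alone
    if port_randomized:
        bits += math.log2(usable_ports)       # roughly +16 bits from the port
    return bits


def round_success_probability(bits: float, forged: int) -> float:
    """P(at least one of `forged` independent uniform guesses hits) = 1 - (1 - 2^-bits)^forged."""
    p_single = 2.0 ** -bits
    return 1.0 - (1.0 - p_single) ** forged


def expected_rounds(bits: float, forged: int) -> float:
    """Expected number of query races until the first successful poisoning (geometric)."""
    p = round_success_probability(bits, forged)
    return math.inf if p == 0.0 else 1.0 / p


def simulate_until_poisoned(port_randomized: bool, forged: int, max_rounds: int,
                            seed: int = 0, usable_ports: int = USABLE_PORTS):
    """Monte Carlo version of the race. Returns the round number of the first
    accepted forgery, or None if `max_rounds` races all fail.

    With port_randomized=False the resolver always uses one port (modelled as 0),
    so only the TXID has to be guessed."""
    rng = random.Random(seed)
    port_choices = usable_ports if port_randomized else 1
    for r in range(1, max_rounds + 1):
        real = (rng.randrange(TXID_SPACE), rng.randrange(port_choices))
        guesses = {(rng.randrange(TXID_SPACE), rng.randrange(port_choices))
                   for _ in range(forged)}
        if real in guesses:
            return r
    return None


if __name__ == "__main__":
    forged = 65536   # forged responses the attacker manages to land per race
    for randomized in (False, True):
        bits = guess_space_bits(randomized)
        print(f"port randomised={randomized}: {bits:.2f} bits to guess, "
              f"P(success per race)={round_success_probability(bits, forged):.2e}, "
              f"expected races={expected_rounds(bits, forged):.1f}")
    print("simulated races until poisoned (fixed port):",
          simulate_until_poisoned(False, forged=8192, max_rounds=200, seed=1))
```

The point the numbers make: with only the TXID to guess, 65536 forged packets win a race about 63% of the time, so the attacker expects to succeed in under two races; with the port randomised the same spray wins roughly one race in 64500, which is why the 2008 fix changed the attack from minutes to something that has to be sustained for a very long time against a busy resolver.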