North American Network Operators Group|
Re: how to protect name servers against cache corruption
someone asked me a question in private e-mail that deserves a public answer.

> 1) How exactly did Eugene Kashpureff propagate this "RR poisoning" across
> the Internet? From NANOG's previous mailings I can deduce that it was along
> the lines of dig @victim -t ns www.alternic.net. Where www.alternic.net had
> duff A records.

yes.

> 2) What were/are the symptoms of this attack? www.internic.net resolving to
> www.alternic.net?

yes.

> 3) If it was that easy to do, why hasn't it happened again?

because that particular attack only works if you are willing to get caught.
since eugene did this as a publicity stunt (which, i understand, has now begun
to backfire on him since his victims didn't interpret it that way), he _needed_
to be caught.

> 3a) What measures were taken (other than discussion of DNSSEC, or lack of
> it) to 'cure' affected servers?

upgrade to bind-4.9.6 or bind-8.1.1.

> 4) How can I check for cache corruption?

"dig @0 www.netsol.com a" and "dig @cache00.ns.uu.net www.netsol.com a" and
check for differences.

> Apologies if any of the above sound moronic or ill-informed; extracting
> facts from reams of "what is a backhoe" mail list is a painfully slow task.
> Time for some filters I think...

no apologia needed. public explanations of this attack have been poor, even
and especially by me. i'm grateful for the opportunity to improve on that.
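The following is an added toy model of the mechanism behind questions 1 and 2 above; it is not part of the original post and is not BIND's code. It assumes that the relevant hardening is a bailiwick (credibility) check on additional-section records, i.e. a resolver only caches records whose owner name lies at or below the zone the answering server is authoritative for; the post itself only says to upgrade BIND. The response contents (alternic.net NS, its glue, and an out-of-bailiwick A record for www.internic.net) are constructed, and 192.0.2.10 is an RFC 5737 documentation address standing in for the AlterNIC host. The `dig @victim -t ns www.alternic.net` query from the post makes the victim's resolver fetch exactly such a response from the attacker-controlled server.

```python
"""Toy model of additional-section cache poisoning and the bailiwick defence.

Added illustration; not BIND's implementation. All names and addresses below
are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One DNS resource record: owner name, type, rdata (toy model)."""
    name: str
    rtype: str
    rdata: str


def _canon(name: str) -> str:
    """Lower-case and strip the trailing dot so names compare consistently."""
    return name.lower().rstrip(".")


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or a name below it."""
    n, z = _canon(name), _canon(zone)
    return n == z or n.endswith("." + z)


class ToyCache:
    """A resolver cache that optionally applies the bailiwick check."""

    def __init__(self, check_bailiwick: bool) -> None:
        self.check_bailiwick = check_bailiwick
        self._store: dict[tuple[str, str], set[str]] = {}

    def ingest(self, server_zone: str, answer: list[RR], additional: list[RR]) -> list[RR]:
        """Cache the records of a response from a server authoritative for
        `server_zone`; returns the records that were accepted."""
        accepted: list[RR] = []
        for rr in list(answer) + list(additional):
            # Vulnerable behaviour: trust every additional record the server sends.
            # Hardened behaviour: drop records the server has no authority over.
            if self.check_bailiwick and not in_bailiwick(rr.name, server_zone):
                continue
            key = (_canon(rr.name), rr.rtype)
            self._store.setdefault(key, set()).add(rr.rdata)
            accepted.append(rr)
        return accepted

    def lookup(self, name: str, rtype: str) -> list[str]:
        """Return cached rdata for (name, type), sorted, or [] if not cached."""
        return sorted(self._store.get((_canon(name), rtype), set()))


# Constructed response an attacker-controlled alternic.net server could return
# to the victim resolver's NS query. The glue for ns1.alternic.net is legitimate
# for that zone; the www.internic.net A record is the poison.
POISONED_RESPONSE = {
    "server_zone": "alternic.net.",
    "answer": [RR("alternic.net.", "NS", "ns1.alternic.net.")],
    "additional": [
        RR("ns1.alternic.net.", "A", "192.0.2.10"),      # in-bailiwick glue
        RR("www.internic.net.", "A", "192.0.2.10"),      # out-of-bailiwick poison
    ],
}


def resolve_after_attack(check_bailiwick: bool) -> list[str]:
    """Feed the poisoned response to a fresh cache and ask it for
    www.internic.net A: the symptom from question 2 if the poison stuck."""
    cache = ToyCache(check_bailiwick)
    cache.ingest(**POISONED_RESPONSE)
    return cache.lookup("www.internic.net", "A")


if __name__ == "__main__":
    print("vulnerable cache:", resolve_after_attack(check_bailiwick=False))
    print("hardened cache:  ", resolve_after_attack(check_bailiwick=True))
```

The hardened cache still accepts the ns1.alternic.net glue it needs to follow the delegation, but refuses to learn anything about internic.net from an alternic.net server. The two `dig` commands under question 4 are the real-world counterpart of `lookup`: query the suspect resolver and a known-good one for the same name and compare the A records.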