North American Network Operators Group

Re: how to protect name servers against cache corruption
Wouldn't a behavior like this be able to be used to bring name servers down by simply killing CPU time?

-Deepak.

On 30 Jul 1997 tqbf@smtp.enteract.com wrote:

> In article <19970730001246.22933@netmonger.net>, you wrote:
> >_details_. Paul has written papers on DNS security, along with BIND
> >itself, and I'm inclined to believe him when he says there are no more
> >trivial fixes. If you know of one, why don't you share it? I'm not
>
> Fair enough.
>
> Here's a simple piece of input. If BIND 8.1.1 receives a DNS query
> response with an invalid query ID, it logs it and drops the packet.
> However, the invalid query ID is evidence of an attack in progress. Why
> doesn't BIND parse the packet, find out what question is being answered,
> and immediately re-issue the query with a different ID?
>
> In other words, it's possible for BIND to detect that it is under attack
> (in a response-forged query-ID guessing situation). BIND doesn't do
> anything about this. Why?
>
> Just the simplest suggestion I can come up with (without having this go
> into multiple pages) to convey the idea that I am trying to be
> constructive here.
>
> I'm not sure this is the appropriate forum for this discussion
> (*copout*Ididn'tstartthisthread*copout*), but if you want further details
> as to my harebrained suggestions, I'm happy to give them!
>
> --
> ----------------
> Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
> ----------------
> exit(main(kfp->kargc, argv, environ));
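An added illustration, not code from the thread or from BIND, of the two points above: a resolver that treats a response whose query ID does not match the outstanding query as attack evidence and re-issues the query under a fresh random ID (Ptacek's suggestion), bounded by a per-name cap so that a flood of forged responses cannot drive unbounded re-query work (Deepak's CPU concern). The class and method names, the cap value, and the use of an already-parsed `(qid, qname, rdata)` tuple in place of a wire-format packet are all assumptions made for the example.

```python
import os
import struct

# Illustrative resolver-side logic, not BIND's code: a response whose ID does
# not match the outstanding query for that name is logged and the query is
# re-issued under a fresh random ID, with a per-name cap (assumed value) so a
# flood of forged responses cannot turn into unbounded re-query work.
MAX_REISSUES = 3


def random_id():
    """16-bit query ID drawn from the OS CSPRNG."""
    return struct.unpack(">H", os.urandom(2))[0]


class Resolver:
    def __init__(self, idgen=random_id):
        self.idgen = idgen
        self.pending = {}    # qid -> qname of queries awaiting an answer
        self.reissues = {}   # qname -> number of re-issues so far
        self.log = []        # mismatch events a monitor could alert on

    def query(self, qname):
        qid = self.idgen()
        while qid in self.pending:   # never reuse an ID still in flight
            qid = self.idgen()
        self.pending[qid] = qname
        return qid

    def handle_response(self, qid, qname, rdata):
        # Normal case: the ID matches the outstanding query for this name.
        if self.pending.get(qid) == qname:
            del self.pending[qid]
            return ("accept", rdata)
        # Mismatch: read the question anyway and treat it as attack evidence.
        self.log.append("bad id %d for %s" % (qid, qname))
        if qname not in self.pending.values():
            return ("drop", None)    # nothing outstanding to protect
        # Retire the ID being guessed at and re-issue under a new one, but
        # only MAX_REISSUES times per name so forgeries cannot burn CPU.
        n = self.reissues.get(qname, 0)
        if n >= MAX_REISSUES:
            return ("drop", None)
        self.reissues[qname] = n + 1
        for old in [q for q, name in self.pending.items() if name == qname]:
            del self.pending[old]
        return ("reissue", self.query(qname))
```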