North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: how to protect name servers against cache corruption
> What, exactly, does Bind 8.1 do? BIND 8.1.1 does not appear to have an easy mechanism to match a query ID to the question-section details of an open query. Currently, BIND increments a counter, prints a debugging log line, and drops the packet; it does not invalidate the open query. > > Netcom's nameservers. They will no longer be able to resolve NETSOL.COM, > > since every query they open up will be immediately invalidated by a fake > > response. > Well, one could make observations about comparisons of IP source > addresses here... All of the attacks being discussed assume the attacker has the ability to inject completely forged packets onto the network. All of my suggestions are given under the assumption that this is a situation that we do not have a reasonable expectation of being able to prevent in IPv4. > I don't see that the problem you describe affects the people > _answering_. You'd have to nail _every_ _inquirer_. Ok, yes, hitting This is true. However, remember that this thread occurred in response to an attack by Eugene Kashpureff, who used a far more primitive attack and made national news by effectively disabling NSI's home page. I don't think the operation community wants to think about the implications of someone with both malice and BRAINS trying to utilize the same security problems. ---------------- Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [email@example.com] ---------------- "If you're so special, why aren't you dead?"