On Mon, Oct 21, 2013 at 8:54 AM, Keith Mitchell <ke...@smoti.org> wrote:

> The ISC/BIND response to Kaminsky in 2008 was to burn perhaps 50% of
> the company's product-wide development and support resources over that
> year to co-ordinating, fixing, disclosing, patching, releasing and
> evangelizing the solution to the problem.

I think that may reinforce my point; better to pay attention now than to repeat history and write off the attack as "never to be seen in the real world". I have to believe that if ISC had added source port randomisation back in 2001, when it was clear that there was an attack vector, it would have been far less costly all-round.

> Applying the same 5-years' now-outside hindsight to this, the benefits
> of all that port randomization work seem murky at best - does anyone
> have data on how many real Kaminsky cache-poisoning attacks took place in
> that time ? The Herzberg/Shulman attacks seem even harder to exploit in
> a real (as opposed to lab) environment.

I've definitely come across some deliberate cache poisoning, but you're right - it is murky. The incidence is probably very low. But that same argument can be used to ask "Why deploy DNSSEC?". We're always mucking around for boundary cases with this stuff.

--
Colm