On Jul 9, 2008, at 4:07 PM, Fernando Gont wrote:
At 12:41 p.m. 09/07/2008, Steven M. Bellovin wrote:
It's worth noting that the basic idea of the attack isn't new. Paul
Vixie described it in 1995 at the Usenix Security Conference
(http://www.usenix.org/publications/library/proceedings/security95/vixie.html
)
-- in a section titled "What We Cannot Fix", he wrote:
With only 16 bits worth of query ID and 16 bits worth of UDP
port number, it's hard not to be predictable. A determined
attacker can try all the numbers in a very short time and can
use patterns derived from examination of the freely available
BIND code. Even if we had a white noise generator to help
randomize our numbers, it's just too easy to try them all.
We have one IETF ID on port randomization for years:
http://www.gont.com.ar/drafts/port-randomization/index.html
While this does not make the attack impossible, it does make it much
harder.
The same thing applies to those RST attacks circa 2004.
Most of these blind attacks assume the source port numbers are easy
to guess. But... why should they?
Because many name servers use one port, or easily guessable sequence
of ports?
--
TTFN,
patrick
