Anyone using Infoblox DNSOne? They claimed to have fixed their BIND version but I still see issues with source ports staying the same.
Eric Davis
Sr. Network Technician
Rockefeller University IT Dept.
212-327-7508
646-772-4667 (cell)

-----Original Message-----
From: Patrick W. Gilmore [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 09, 2008 4:15 PM
To: [EMAIL PROTECTED]
Subject: Re: Multiple DNS implementations vulnerable to cache poisoning

On Jul 9, 2008, at 4:07 PM, Fernando Gont wrote:

> At 12:41 p.m. 09/07/2008, Steven M. Bellovin wrote:
>
>> It's worth noting that the basic idea of the attack isn't new. Paul
>> Vixie described it in 1995 at the Usenix Security Conference
>> (http://www.usenix.org/publications/library/proceedings/security95/vixie.html)
>> -- in a section titled "What We Cannot Fix", he wrote:
>>
>> With only 16 bits worth of query ID and 16 bits worth of UDP
>> port number, it's hard not to be predictable. A determined
>> attacker can try all the numbers in a very short time and can
>> use patterns derived from examination of the freely available
>> BIND code. Even if we had a white noise generator to help
>> randomize our numbers, it's just too easy to try them all.
>
> We have one IETF ID on port randomization for years:
> http://www.gont.com.ar/drafts/port-randomization/index.html
>
> While this does not make the attack impossible, it does make it much
> harder.
>
> The same thing applies to those RST attacks circa 2004.
>
> Most of these blind attacks assume the source port numbers are easy
> to guess. But... why should they?

Because many name servers use one port, or easily guessable sequence of ports?

--
TTFN,
patrick
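One way to check the symptom Eric describes from a capture of a resolver's outbound queries, as an added example that is not part of this thread: it scores observed (UDP source port, DNS transaction ID) pairs for the predictability Vixie's 1995 paragraph describes. The observations and the thresholds are constructed stand-ins, not real captures or vendor guidance.

```python
import math
from collections import Counter

# Constructed observations of a recursive resolver's outbound queries as
# (UDP source port, DNS transaction ID) pairs. Not real captures; they stand
# in for what a capture of port-53 traffic leaving the resolver would show.
FIXED_PORT = [(53, (0x1A2B + i) & 0xFFFF) for i in range(200)]       # one port, IDs +1
RANDOMIZED = [(1024 + (7919 * i) % 64512, (40503 * i + 12345) & 0xFFFF)
              for i in range(200)]                                    # spread ports and IDs

def min_entropy_bits(values):
    """Sample min-entropy: -log2(frequency of the most common value).
    It is capped at log2(len(values)), so it measures what the sample can
    show, not the generator's true entropy; a fixed value scores 0."""
    counts = Counter(values)
    most_common = max(counts.values())
    return -math.log2(most_common / len(values))

def sequential_fraction(ids):
    """Fraction of consecutive transaction IDs that rise by exactly 1 (mod 2^16)."""
    if len(ids) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ids, ids[1:]) if (b - a) & 0xFFFF == 1)
    return steps / (len(ids) - 1)

def assess(observations, min_port_bits=6.0, max_sequential=0.1):
    """Describe how guessable the (port, txid) pairs look; thresholds are assumed."""
    ports = [p for p, _ in observations]
    ids = [i for _, i in observations]
    port_bits = min_entropy_bits(ports)
    seq = sequential_fraction(ids)
    return {
        "distinct_ports": len(set(ports)),
        "port_min_entropy_bits": round(port_bits, 2),
        "txid_min_entropy_bits": round(min_entropy_bits(ids), 2),
        "sequential_txid_fraction": round(seq, 2),
        # 16 bits of query ID alone is what Vixie called "too easy to try them
        # all"; the source port has to add real entropy on top of it.
        "port_randomization_ok": port_bits >= min_port_bits and seq <= max_sequential,
    }

if __name__ == "__main__":
    for name, obs in (("fixed-port resolver", FIXED_PORT), ("randomized resolver", RANDOMIZED)):
        print(name, assess(obs))
```

Run it against pairs pulled from a real capture of the resolver's outbound queries (source port and ID fields) to see whether the post-patch behaviour Eric is questioning actually spreads ports, keeping in mind that 200 samples can only ever show about 7.6 bits.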