Re: [Fwd: Re: DNS attacks evolve]

2008-08-14 Thread bert hubert
On Thu, Aug 14, 2008 at 10:07:30AM -0700, Mike Leber wrote: > FYI. There was some question here about whether PowerDNS was vulnerable > or not and what it was doing, so I asked Bert Hubert about it. Here is > his answer: And my additional nuance: By the way - just to nuance things, I'm sure

Re: [Fwd: Re: DNS attacks evolve]

2008-08-14 Thread Mike Leber
FYI. There was some question here about whether PowerDNS was vulnerable or not and what it was doing, so I asked Bert Hubert about it. Here is his answer: Original Message Subject: Re: [Fwd: Re: DNS attacks evolve] Date: Wed, 13 Aug 2008 21:29:50 +0200 From: bert hubert

Re: DNS attacks evolve

2008-08-11 Thread Jack Bates
Leo Bicknell wrote: If your vendor told you that you are not at risk they are wrong, and need to go re-read the Kaminsky paper. EVERYONE is vulnerable, the only question is if the attack takes 1 second, 1 minute, 1 hour or 1 day. While possibly interesting for short term problem management none

Re: DNS attacks evolve

2008-08-11 Thread Leo Bicknell
In a message written on Mon, Aug 11, 2008 at 09:41:54AM -0500, Jack Bates wrote: > >7) Have someone explain to me the repeated claims I've seen that djbdns and > > Nominum's server are not vulnerable to this, and why that is. > > PowerDNS has this to say about their non-vulnerability status: >

Re: DNS attacks evolve

2008-08-11 Thread Jack Bates
Joe Greco wrote: 6) Have someone explain to me the reasoning behind allowing the corruption of in-cache data, even if the data would otherwise be in-bailiwick. I'm not sure I quite get why this has to be. It would seem to me to be safer to discard the data. (Does not eliminate the p

Re: DNS attacks evolve

2008-08-10 Thread Florian Weimer
* Joe Greco: > I am very, very, very disheartened to be shown to be wrong. As if 8 days > wasn't bad enough, a concentrated attack has been shown to be effective in > 10 hours. See http://www.nytimes.com/2008/08/09/technology/09flaw.html Note that the actual bandwidth utilization on that GE lin

Re: DNS attacks evolve

2008-08-09 Thread Kee Hinckley
On Aug 9, 2008, at 6:23 PM, Paul Vixie wrote: second, please think carefully about the word "severe". any time someone can cheerfully hammer you at full-GigE speed for 10 hours, you've got some trouble, and you'll need to monitor for those troubles. 11 seconds of 10MBit/sec fit my definitio

Re: DNS attacks evolve

2008-08-09 Thread Paul Vixie
[EMAIL PROTECTED] (Joe Greco) writes: > I am very, very, very disheartened to be shown to be wrong. As if 8 days > wasn't bad enough, a concentrated attack has been shown to be effective in > 10 hours. See http://www.nytimes.com/2008/08/09/technology/09flaw.html that's what theory predicted. g

DNS attacks evolve

2008-08-09 Thread Joe Greco
It's usually interesting to be proven wrong, but perhaps not in this case. I was among the first to point out that the 11-second DNS poisoning claim made by Vixie only worked out to about a week of concentrated attack after the patch. This was a number I extrapolated purely from Paul's 11-secon
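The extrapolation Joe Greco describes above (11 seconds against a fixed-port resolver becoming roughly a week once source ports are randomised, and the thread's later 10 Mbit/s versus full-GigE comparison) follows from a simple model of the Kaminsky race. The estimator below is an added example, not code posted by anyone in the thread. It assumes that a forged answer is accepted only when its 16-bit transaction ID and destination port both match, that the resolver chooses each combination uniformly, and that the attacker can push forged answers at line rate; the 128-byte packet size, the 1024-port NAT pool and the `Attacker`/`expected_poison_time_s` names are illustrative assumptions.

```python
"""Time-to-poison estimator for a Kaminsky-style race against a recursive resolver.

Added example, not code from the thread.  Model (an assumption): a forged
answer is accepted only if its 16-bit transaction ID and destination port
match the outstanding query.  The resolver picks each of the
S = TXID_SPACE * port_range combinations uniformly and the attacker's
forgeries are independent guesses, so on average about S forged packets
must be sent before one lands.  Because the Kaminsky technique asks for a
fresh random name each time, a lost race costs only a new query, and the
time to success is governed by how fast forgeries reach the victim.
"""
from dataclasses import dataclass

TXID_SPACE = 1 << 16             # 16-bit DNS ID field

# Source-port behaviour.  The pool sizes are assumptions about deployments.
PORTS_FIXED = 1                  # pre-patch resolver: one static query port
PORTS_RANDOM = 64511             # patched resolver: 1024..65535 randomised
PORTS_BEHIND_NAT = 1024          # assumed NAT that rewrites to a small pool


@dataclass(frozen=True)
class Attacker:
    bandwidth_bps: float         # sustained forged-response rate, bits/s
    response_bytes: int = 128    # assumed on-wire size of one forged answer

    def forged_per_second(self) -> float:
        return self.bandwidth_bps / (8 * self.response_bytes)


def search_space(port_range: int) -> int:
    """Number of equally likely (txid, port) pairs the attacker must hit."""
    return TXID_SPACE * port_range


def expected_poison_time_s(attacker: Attacker, port_range: int) -> float:
    """Expected seconds until one forged answer is accepted.

    Each forgery succeeds with probability 1/S independently, so the number
    of forgeries until the first success is geometric with mean S.
    """
    return search_space(port_range) / attacker.forged_per_second()


def prob_poisoned_within(attacker: Attacker, port_range: int, seconds: float) -> float:
    """P(at least one success) after sending rate * seconds forgeries."""
    n = attacker.forged_per_second() * seconds
    s = search_space(port_range)
    return 1.0 - (1.0 - 1.0 / s) ** n


def hardening_factor(port_range: int) -> int:
    """How many times longer the race takes than against a fixed port."""
    return search_space(port_range) // search_space(PORTS_FIXED)


def fmt(seconds: float) -> str:
    for unit, size in (("d", 86400), ("h", 3600), ("min", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} s"


if __name__ == "__main__":
    for label, atk in (("10 Mbit/s", Attacker(10e6)), ("1 Gbit/s", Attacker(1e9))):
        for ports, name in ((PORTS_FIXED, "fixed port"),
                            (PORTS_BEHIND_NAT, "NAT, 1024 ports"),
                            (PORTS_RANDOM, "random port")):
            t = expected_poison_time_s(atk, ports)
            print(f"{label:>10}  {name:<16} expected {fmt(t):>8}  "
                  f"P(poisoned within 1 h) = {prob_poisoned_within(atk, ports, 3600):.3f}")
```

Under these assumptions the fixed-port case at 10 Mbit/s comes out at a handful of seconds, randomising the port multiplies that by 64511 (days), and moving the attacker to GigE divides it by 100 (an hour or two). The NAT row is the caveat worth keeping in mind: a middlebox that collapses the port pool silently hands most of the hardening back to the attacker. Measured figures such as the 10-hour GigE run quoted in the thread will differ because the attacker rarely sustains line rate and the resolver's real port distribution is not perfectly uniform.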