More cache poisoning fun

Florian Weimer fw at deneb.enyo.de
Mon Aug 11 15:05:05 UTC 2008


* Paul Vixie:

> while i think it's bad that anybody who can hammer you at GigE speed for
> ten hours can poison your cache,

Looking at the numbers in the blog post, it's somewhere between 100 Mbps
and 200 Mbps, not full GigE line rate.

> it's not a threat to the real world the way 11 seconds at 10-megabit
> was.

Still true.

> at some point ISC will have to put logic like this into BIND, of course.
> but protecting against the Polyakov attack is like synflood protection in
> that it's a rate-limit problem.

Synflood protection used to be about weeding out the attack packets, not
about rate-limiting per se.  Due to the lack of state in DNS, the analog
to synflood protection is somewhat difficult to achieve (and Cisco has a
broad patent in this area).


More information about the bind-users mailing list