Possible fix for Kaminsky's bug
John Hascall
john at iastate.edu
Wed Aug 27 12:28:04 UTC 2008
> JINMEI, Tatuya wrote:
> "L. Gabriel Somlo" <gsomlo at gmail.com> wrote:
> > I believe the attached patch fixes Dan Kaminsky's bug, and puts us
> > back to where an attacker would have to wait for the TTL to expire
> > before being able to poison the cache.
> > Anyone see any reason why we shouldn't do this?
> I'm pretty sure that this patch doesn't avoid all variations of
> Kaminsky's attack, but could you be more specific about the intended
> attack scenario you have in your mind, by clarifying:
>
> - assumption: the cache contents before the attack with the 'trust'
> level
> - attack packet: a sequence of query that triggers the attack and
> forged responses
> - resulting cache contents when the attack succeeds
It seems like this might have some promise,
but I don't think it is enough.
- Empty cache
- Query for [<random>.example.com]
Stream of replies for [1.example.com/ns.example.com->evil]
- real reply [NXDOMAIN, SOA for example.com]
I think for this to have any chance of working
the real reply would have to contain the NS and A
records for the nameserver that would contain
that <random>.example.com if it existed.
Then that info would live in the cache until the TTL expired.
John
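The exchange above turns on one cache rule: data already in the cache is only displaced by data of strictly higher trust, or once its TTL has run out. The toy model below is an added example, not BIND code and not the patch under discussion. It assumes a three-level trust ranking (authoritative answer above authority-section NS/SOA above additional-section glue), and all names, TTLs and addresses (192.0.2.0/24, the documentation range) are constructed. It plays out the two cases John contrasts: the real reply carrying only NXDOMAIN plus SOA, and the real NS and glue already being cached so the forged data has to wait for the TTL.

```python
"""Toy credibility-ranked DNS cache modelling the 'trust level' rule discussed above.

Added example (not BIND code and not the patch under discussion). Rule modelled:
a cached RRset is replaced only by new data of strictly higher trust, or once it
has expired. Trust levels and all names/addresses are constructed.
"""
from dataclasses import dataclass, field

# Assumed trust ranking (higher wins), loosely after RFC 2181 section 5.4.1.
TRUST_ADDITIONAL = 1   # glue in the additional section
TRUST_AUTHORITY = 2    # NS/SOA in the authority section
TRUST_ANSWER = 3       # authoritative answer section


@dataclass
class RRset:
    name: str
    rtype: str
    rdata: tuple
    ttl: int
    trust: int
    expires: int = field(default=0, init=False)   # absolute expiry, set on insert


class RankedCache:
    """Cache keyed on (owner name, type); a single clock drives TTL expiry."""

    def __init__(self):
        self._store = {}
        self.now = 0

    def advance(self, seconds):
        self.now += seconds

    def insert(self, rr):
        """Return True if rr was cached, False if live cached data outranked it."""
        key = (rr.name, rr.rtype)
        cur = self._store.get(key)
        if cur is not None and cur.expires > self.now and cur.trust >= rr.trust:
            return False            # unexpired data of equal or higher trust wins
        rr.expires = self.now + rr.ttl
        self._store[key] = rr
        return True

    def insert_reply(self, rrsets):
        return [self.insert(rr) for rr in rrsets]

    def lookup(self, name, rtype):
        rr = self._store.get((name, rtype))
        if rr is None or rr.expires <= self.now:
            return None
        return rr.rdata


# Constructed addresses from the 192.0.2.0/24 documentation range.
GOOD_NS = "192.0.2.53"
EVIL_NS = "192.0.2.66"


def real_nxdomain_reply():
    """What the thread says the real reply carries: NXDOMAIN with SOA only."""
    return [RRset("example.com", "SOA", ("ns.example.com", "hostmaster.example.com"),
                  3600, TRUST_AUTHORITY)]


def real_delegation_reply():
    """The reply John says would be needed: NS plus glue A for the nameserver."""
    return [
        RRset("example.com", "NS", ("ns.example.com",), 3600, TRUST_AUTHORITY),
        RRset("ns.example.com", "A", (GOOD_NS,), 3600, TRUST_ADDITIONAL),
    ]


def forged_reply():
    """The forged data from the thread's scenario: same NS name, glue pointing at 'evil'."""
    return [
        RRset("example.com", "NS", ("ns.example.com",), 86400, TRUST_AUTHORITY),
        RRset("ns.example.com", "A", (EVIL_NS,), 86400, TRUST_ADDITIONAL),
    ]


def scenario_nxdomain_only():
    """Thread's scenario: empty cache, forged stream, then NXDOMAIN+SOA.
    Returns the cached glue address for ns.example.com."""
    cache = RankedCache()
    cache.insert_reply(forged_reply())
    cache.insert_reply(real_nxdomain_reply())   # SOA does not touch the NS/A keys
    return cache.lookup("ns.example.com", "A")


def scenario_delegation_cached(seconds_later):
    """John's condition: real NS+glue already cached; forged stream arrives later."""
    cache = RankedCache()
    cache.insert_reply(real_delegation_reply())
    cache.advance(seconds_later)
    cache.insert_reply(forged_reply())
    return cache.lookup("ns.example.com", "A")


if __name__ == "__main__":
    print("NXDOMAIN-only real reply:", scenario_nxdomain_only())               # ('192.0.2.66',)
    print("delegation cached, 10s later:", scenario_delegation_cached(10))    # ('192.0.2.53',)
    print("delegation cached, after TTL:", scenario_delegation_cached(3601))  # ('192.0.2.66',)
```

The first scenario shows why an NXDOMAIN-plus-SOA reply gives the ranking rule nothing to defend: no NS or A RRset for the nameserver is ever cached, so the forged glue is accepted as fresh data. The second shows John's point: once the real NS and glue sit in the cache, equal-trust forged data is refused until the TTL elapses, after which the cache is open again.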