Possible fix for Kaminsky's bug

JINMEI Tatuya / 神明達哉 Jinmei_Tatuya at isc.org
Tue Sep 2 21:10:12 UTC 2008


At Tue, 2 Sep 2008 16:51:55 -0400,
"L. Gabriel Somlo" <gsomlo at gmail.com> wrote:

> > Of course, if the recursive server has cached a valid www.cnn.com/A,
> > the result of the attack won't be effective until it expires.  But
> > once it expires, the attacker gets the full control of it and keeps
> > the situation as long as they want.  (This is different from how the
> > TTL matters in the traditional brute force attacks).
> 
> I tried that, and it doesn't work if the victim server already has an

I also tried that successfully.  What exactly did you try, and how
didn't it work?

> A record for www.cnn.com cached. The attack you described relies on
> there being nothing in the cache for www.cnn.com. The presence of an A
> record means the attack must succeed before the valid A record gets
> cached or wait until after it expires and before it gets renewed again.

No, the presence of an A record simply means the attack is not
effective until the A record expires (the attack itself succeeds
anytime unless the server also caches www.cnn.com./NS, which is very
unlikely).  When "it gets renewed again", the server is already
poisoned with the forged NS, and it will be poisoned with a forged A
record by the forged NS.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
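As an added illustration of the cache-state argument in this exchange (not code from the thread or from BIND), the toy resolver cache below models a victim that already holds a valid A record for www.cnn.com: with only the A record cached, a forged NS for www.cnn.com sits in the cache and takes over as soon as the A record expires; with www.cnn.com./NS also cached, the forged NS is refused. All names, TTLs, addresses, the trust levels (a simplification of the RFC 2181 section 5.4.1 ranking) and the "attacker" server are constructed for the model.

```python
from dataclasses import dataclass, field

@dataclass
class Cache:
    now: int = 0
    rrs: dict = field(default_factory=dict)   # (name, type) -> (rdata, expiry, trust)

    def put(self, name, rtype, rdata, ttl, trust):
        key = (name, rtype)
        cur = self.rrs.get(key)
        # Model assumption (simplified RFC 2181 s5.4.1 ranking): live data of
        # higher trust is not replaced by lower-trust authority-section data.
        if cur and cur[1] > self.now and cur[2] > trust:
            return False
        self.rrs[key] = (rdata, self.now + ttl, trust)
        return True

    def get(self, name, rtype):
        e = self.rrs.get((name, rtype))
        return e[0] if e and e[1] > self.now else None

def resolve_a(cache, name, servers):
    """Cached A if still live; otherwise ask the closest NS the cache holds."""
    a = cache.get(name, "A")
    if a:
        return a
    labels = name.split(".")
    for i in range(len(labels)):
        ns = cache.get(".".join(labels[i:]), "NS")
        if ns:
            rdata, ttl = servers[ns](name)
            cache.put(name, "A", rdata, ttl, trust=3)  # authoritative answer section
            return rdata
    raise LookupError("no NS in cache for " + name)

def scenario(ns_already_cached=False):
    # constructed: the real cnn.com server and an attacker-run server
    servers = {"ns.cnn.com.": lambda n: ("1.1.1.1", 300),
               "ns.attacker.example.": lambda n: ("6.6.6.6", 86400)}
    c = Cache()
    c.put("cnn.com.", "NS", "ns.cnn.com.", 86400, trust=3)
    c.put("www.cnn.com.", "A", "1.1.1.1", 300, trust=3)  # valid A already cached
    if ns_already_cached:
        c.put("www.cnn.com.", "NS", "ns.cnn.com.", 86400, trust=3)
    # a forged authority-section NS for www.cnn.com reaches the cache (low trust)
    accepted = c.put("www.cnn.com.", "NS", "ns.attacker.example.", 86400, trust=1)
    before = resolve_a(c, "www.cnn.com.", servers)
    c.now = 301                      # the valid A record has now expired
    after = resolve_a(c, "www.cnn.com.", servers)
    return accepted, before, after
```

`scenario()` returns `(True, "1.1.1.1", "6.6.6.6")`: the cached A only delays the takeover until it expires, while `scenario(True)` returns `(False, "1.1.1.1", "1.1.1.1")`, the unlikely case where www.cnn.com./NS was already cached.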
