trigger point for new bug
michoski at cisco.com
Wed Nov 16 19:58:34 UTC 2011
On 11/16/11 10:55 AM, "Chris Brookes" <cbrookes at gmail.com> wrote:
> Any info on whether the newly announced bug can be triggered before
> the query ACL is applied on a recursive only server? An authoritative
> only server ought to be safe?
Hmm, good question. Then folks with IDS/IPS hooks could potentially catch
who's sending the bad queries and mitigate with ACL additions... With all
due caution typically associated with such an approach. ;-)
>From everything I've read, authoritative servers should not be vulnerable
since it equates to malformed cache entries.
Of course only time will tell if this is a random find or targeted attack.
If targeted (e.g. Motivated bad guy sitting in a room with BIND9 code),
there may be others looming. I'm glad ISC is looking. I'm genuinely
curious, but keep recalling the phrase, "Never attribute to malice that
which is adequately explained by stupidity." Regardless, it's a good time
to be watching logs!
By nature, men are nearly alike;
by practice, they get to be wide apart.
More information about the bind-users