Slashdot Mirror

← Back to Stories (view on slashdot.org)

Kaminsky's DNS Attack Disclosed, Then Pulled

Posted by Soulskill on from the can-of-worms dept.

An anonymous reader writes "Reverse engineering expert Halver Flake has recently mused on Dan Kaminsky's DNS vulnerability. Apparently his musings were close enough to the mark to cause one of the Matasano team, who apparently already knew of the attack, to publish the details on the Matasano blog in a post entitled 'Reliable DNS Forgery in 2008.' The blog post has since been pulled, but evidence of it exists on Google and elsewhere. It appears only a matter of time now before the full details leak." Reader Time out contributes a link to coverage on ZDNet as well.

4 of 281 comments (clear)

  1. Re:The push for DNSSec by gatekeep · · Score: 4, Insightful

    DNSSec is still the only ultimate patch for this. Source port randomization just makes it difficult to do given currently available processing and bandwidth capacity. Instead of 16 bits of entropy to crack (DNS Transaction ID) we now have rougly 32 (DNS Transaction ID + Source port).

    Given enough bandwidth, we're still vulnerable to poisoning, but it's not feasible today.

    DNSSec is more future proof. No matter how much bandwidth you have, guess a full certificate is orders of magnitude harder.

  2. Re:The significance of the attack... by Rudd-O · · Score: 4, Insightful

    Posted it on: http://rudd-o.com/archives/2008/07/21/the-dns-fiasco/

    --
    Rudd-O - http://rudd-o.com/
  3. Re:The push for DNSSec by Michael+Hunt · · Score: 4, Insightful

    BGP routes are filtered when they're exchanged between eBGP routers. If you don't filter, you're an idiot. This I agree with.

    You're not talking about BGP route filtering, though; you're talking about some kind of reverse path filtering (making sure that a route to the source address exists on the interface that you received the packet from). In practice, you almost never do this on BGP routers, as RPF makes some (somewhat naive) assumptions about the symmetry of Internetwork traffic.

    Most people who have some kind of RPF deployed have it on a customer-facing device, as you generally only have one route per customer (and can make assertions about traffic NOT coming via that route, AND traffic COMING via that route.)

    That said, not an awful lot of people even have RPF deployed. Certainly nowhere near 100%. And it only takes one (or a handful of machines) that can forge UDP source addresses for this to be an issue.

    --
    You're doing it wrong.
  4. Re:A: Because it breaks the flow of a message by Koiu+Lpoi · · Score: 4, Insightful

    Frankly, we should just do away with the subject line entirely. They generally just get filled with "Re:Re:Re:Re:Unoriginal First comment" anyways. It serves no purpose in a system like slashdot's, and causes things like the above.