Re: Dan Kaminsky

From: Paul Vixie (no email)
Date: Tue Aug 04 2009 - 15:25:54 EDT

  • Next message: Dragos Ruiu: "Re: Dan Kaminsky"

    Curtis Maurand <> writes:

    >> What does this have to do with Nanog, the guy found a critical
    >> security bug on DNS last year.
    >
    > He didn't find it. He only publicized it. the guy who wrote djbdns found
    > it years ago.

    first blood on both the DNS TXID attack, and on what we now call the
    Kashpureff attack, goes to chris schuba who published in 1993:

    http://ftp.cerias.purdue.edu/pub/papers/christoph-schuba/schuba-DNS-msthesis.pdf

    i didn't pay any special heed to it since there was no way to get enough
    bites at the apple due to negative caching. when i saw djb's announcement
    (i think in 1999 or 2000, so, seven years after schuba's paper came out) i
    said, geez, that's a lot of code complexity and kernel overhead for a
    problem that can occur at most once per DNS TTL. and sure enough when we
    did finally put source port randomization into BIND it crashed a bunch of
    kernels and firewalls and NATs, and is still paying painful dividends for
    large ISPs who are now forced to implement it.

    why forced? what was it about kaminsky's announcement that changed this
    from a once-per-TTL problem that didn't deserve this complex/costly solution
    into a once-per-packet problem that made the world sit up and care? if you
    don't know the answer off the top of your head, then maybe do some reading
    or ask somebody privately, rather than continuing to announce in public that
    bernstein's problem statement was the same as kaminsky's problem statement.
    and, always give credit to chris schuba, who got there first.

    > Powerdns was patched for the flaw a year and a half before
    > Kaminsky published his article.

    nevertheless bert was told about the problem and was given a lengthy window
    in which to test or improve his solutions for it. and i think openbsd may
    have had source port randomization first, since they do it in their kernel
    when you try to bind(2) to port 0. most kernels are still very predictable
    when they're assigning a UDP port to an outbound socket.

    -- 
    Paul Vixie
    KI6YSY
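An added example for the last point above (it is not part of the thread and not BIND or OpenBSD code): bind a few hundred UDP sockets to port 0 on the loopback address and measure how guessable the kernel's chosen source ports are, which is the check a resolver operator would run before trusting the kernel rather than the application to randomise ports. The sampler assumes the host permits loopback UDP binds; the two analysis functions are pure and work on any list of ports.

```python
"""Does this kernel randomise UDP source ports when bind(2) is given port 0?"""
import math
import socket


def sample_ephemeral_ports(n: int = 200) -> list[int]:
    """Bind n UDP sockets to port 0 and record the ports the kernel picked.

    All sockets stay open until the last bind so the kernel cannot recycle a
    port within the sample; they are closed before returning.
    """
    socks: list[socket.socket] = []
    ports: list[int] = []
    try:
        for _ in range(n):
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            s.bind(("127.0.0.1", 0))  # port 0: let the kernel choose
            socks.append(s)
            ports.append(s.getsockname()[1])
    finally:
        for s in socks:
            s.close()
    return ports


def sequential_fraction(ports: list[int]) -> float:
    """Fraction of consecutive allocations that differ by exactly +1.

    Near 1.0 means a sequential allocator: the next port is trivially
    predictable. A randomising kernel yields a value near 0.0.
    """
    if len(ports) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    return steps / (len(ports) - 1)


def span_bits(ports: list[int]) -> float:
    """log2 of the range of ports actually observed, capped at 16 bits.

    A sequential allocator handing out 200 ports covers about 200 values
    (~7.6 bits); a randomising kernel spreads 200 samples over its whole
    ephemeral range, so the span approaches the range size itself.
    """
    if not ports:
        return 0.0
    return min(16.0, math.log2(max(ports) - min(ports) + 1))


if __name__ == "__main__":
    observed = sample_ephemeral_ports()
    print(f"sequential fraction: {sequential_fraction(observed):.2f}  "
          f"span bits: {span_bits(observed):.1f}")
```

A sequential fraction well above zero or a span of only a few bits means the resolver must randomise ports itself instead of relying on bind(2) to port 0.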
    
