Date: Tue, 22 Jul 2008 18:05:43 +0200
From: cpghost
To: freebsd-stable@FreeBSD.ORG
Subject: Re: FreeBSD 7.1 and BIND exploit
Message-ID: <20080722160542.GA14592@epia-2.farid-hajji.net>
References: <200807212219.QAA01486@lariat.net> <200807221552.m6MFqgpm009488@lurza.secnetix.de>
In-Reply-To: <200807221552.m6MFqgpm009488@lurza.secnetix.de>
User-Agent: Mutt/1.5.18 (2008-05-17)

On Tue, Jul 22, 2008 at 05:52:42PM +0200, Oliver Fromme wrote:
> I'm curious, is djbdns exploitable, too? Does it randomize
> the source ports of UDP queries?

Apparently, djbdns had randomization of the source ports a long time ago...

> > Of course, all solutions that randomize ports are really just
> > "security by obscurity," because by shuffling ports you're hiding the
> > way to poison your cache... a little.
>
> True, but there is currently no better solution, AFAIK.
> The problem is inherent in the way DNS queries work.

Yes indeed.
If I understand all this correctly, it's because the transaction ID that has to be sent back is only 2 bytes long, and if the query port doesn't change as well with every query, that can be cracked in milliseconds: sending 65536 DNS queries to a constant port is just way too easy! The namespace is way too small, and there's no way to fix this by switching to, say, 4 bytes or even more for the transaction ID without breaking existing resolvers; actually without breaking the protocol itself.

> Best regards
> Oliver

cpghost.

--
Cordula's Web. http://www.cordula.ws/
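The arithmetic behind the point made above, as an added example that is not part of the thread: how large the guess space of an off-path spoofer is with a fixed versus a randomized query source port, and a simple check a resolver operator can run over captured outbound query ports. The 1024 reserved low ports and the sample port lists are assumptions/constructed.

```python
"""Quantify what an off-path DNS spoofer must guess (added example).

A forged response is only accepted if it carries the query's 16-bit
transaction ID *and* arrives at the UDP source port the resolver used.
With a fixed source port only the TXID is unknown; with randomized
ports both must match.
"""
import random

TXID_SPACE = 2 ** 16                 # DNS transaction ID is 16 bits
# Assumption: the resolver avoids the 1024 privileged ports.
USABLE_PORTS = 2 ** 16 - 1024


def guess_space(fixed_port: bool) -> int:
    """Number of (txid, port) combinations a blind spoofer must cover."""
    return TXID_SPACE if fixed_port else TXID_SPACE * USABLE_PORTS


def success_probability(forged_packets: int, fixed_port: bool) -> float:
    """Chance that at least one of N forged responses matches one query."""
    p = 1 / guess_space(fixed_port)
    return 1 - (1 - p) ** forged_packets


def port_randomization_looks_weak(ports, min_distinct_fraction=0.5) -> bool:
    """Defender check over captured outbound query source ports: with real
    randomization almost every sample is a new port; a fixed or
    slowly-incrementing port shows up as heavy repetition."""
    return len(set(ports)) / len(ports) < min_distinct_fraction


# Constructed samples: a fixed-port resolver versus a randomizing one.
FIXED_PORT_SAMPLE = [53] * 200
_rng = random.Random(2008)
RANDOM_PORT_SAMPLE = [_rng.randrange(1024, 65536) for _ in range(200)]

if __name__ == "__main__":
    for fixed in (True, False):
        label = "fixed port" if fixed else "random port"
        print(f"{label}: guess space {guess_space(fixed):,}, "
              f"P(hit | 65536 forged) = {success_probability(65536, fixed):.6f}")
    print("fixed sample weak:", port_randomization_looks_weak(FIXED_PORT_SAMPLE))
    print("random sample weak:", port_randomization_looks_weak(RANDOM_PORT_SAMPLE))
```

With a fixed port, 65536 forged responses give roughly a 63% chance of matching a single outstanding query; with randomized ports the same flood succeeds with probability on the order of 0.002%.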