From: Clifton Royston
To: Doug Barton
Cc: freebsd-stable@FreeBSD.ORG
Date: Tue, 22 Jul 2008 07:07:26 -1000
Subject: Re: FreeBSD 7.1 and BIND exploit
Message-ID: <20080722170726.GC1279@lava.net>
In-Reply-To: <48860D38.6060209@FreeBSD.org>
References: <200807212219.QAA01486@lariat.net> <200807221552.m6MFqgpm009488@lurza.secnetix.de> <20080722160542.GA14592@epia-2.farid-hajji.net> <48860D38.6060209@FreeBSD.org>
Mail-Followup-To: Doug Barton , freebsd-stable@FreeBSD.ORG
User-Agent: Mutt/1.4.2.2i

On Tue, Jul 22, 2008 at 09:39:20AM -0700, Doug Barton wrote:
> cpghost wrote:
> >Yes indeed. If I understand all this correctly, it's because the
> >transaction ID that has to be sent back is only 2 bytes long,
>
> 2 bits, 16 bytes.
    ^^^^    ^^^^^

Think you mean those the other way!

> >and if the query port doesn't change as well with every query, that
> >can be cracked in milliseconds: sending 65536 DNS queries to a
> >constant port is just way too easy! The namespace is way too small,
> >and there's no way to fix this by switching to, say, 4 bytes or
> >even more for the transaction ID without breaking existing
> >resolvers; actually without breaking the protocol itself.
>
> That's more or less accurate, yes.
>
> Doug

I just saw mention in Infoworld - adequate details of the exploit were
guessed by another developer and then confirmed. They're now
circulating, so I think we can expect engineered attacks soon.

All: Upgrade your servers today, do not wait.

-- Clifton

--
Clifton Royston -- cliftonr@iandicomputing.com / cliftonr@lava.net
President - I and I Computing * http://www.iandicomputing.com/
Custom programming, network design, systems and network consulting services
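The point debated above (a 16-bit transaction ID is too small on its own, and a resolver that reuses one source port gives an attacker only 65536 combinations to cover) can be checked against a resolver's own outbound queries. The script below is an added example, not code from this thread or from BIND; the (source_port, txid) samples are constructed and stand in for what you would pull from a capture of the resolver's upstream traffic, and the ephemeral port range size is an assumption.

```python
import math
from collections import Counter

# Constructed samples of outbound resolver queries as (source_port, txid).
# A resolver that never varies its source port (pre-fix behaviour):
FIXED_PORT_QUERIES = [(53, 0x1a2b), (53, 0x9c01), (53, 0x44f0),
                      (53, 0x0e73), (53, 0xb2aa), (53, 0x71d5)]
# A resolver that picks a fresh random port per query (post-fix behaviour):
RANDOM_PORT_QUERIES = [(51234, 0x1a2b), (60021, 0x9c01), (33877, 0x44f0),
                       (49102, 0x0e73), (57731, 0xb2aa), (35519, 0x71d5)]

TXID_BITS = 16               # fixed by the DNS wire format, 2 bytes
USABLE_PORTS = 65535 - 1024  # assumption: ephemeral range 1024-65535


def guess_space(txid_bits=TXID_BITS, port_count=1):
    """Number of (port, txid) pairs a forged reply must match by chance."""
    return (1 << txid_bits) * port_count


def assess_port_randomization(queries, usable_ports=USABLE_PORTS):
    """Report whether observed queries vary their source port and how much
    a blind spoofer would have to cover as a result.

    The check is a lower bound: a few samples on distinct ports show the
    port is not constant, but not that the port generator is unbiased."""
    port_counts = Counter(port for port, _ in queries)
    txid_counts = Counter(txid for _, txid in queries)
    distinct_ports = len(port_counts)
    fixed_port = distinct_ports == 1
    # Observed variety, in bits; 0 for a constant port.
    port_bits_seen = math.log2(distinct_ports)
    # If the port never moves, only the 16-bit txid protects the query.
    space = guess_space(TXID_BITS, 1 if fixed_port else usable_ports)
    return {
        "queries": len(queries),
        "distinct_ports": distinct_ports,
        "distinct_txids": len(txid_counts),
        "fixed_port": fixed_port,
        "port_bits_seen": port_bits_seen,
        "guess_space": space,
        "expected_forged_replies": space / 2,  # mean for a blind guess
    }


if __name__ == "__main__":
    for label, sample in (("fixed", FIXED_PORT_QUERIES),
                          ("random", RANDOM_PORT_QUERIES)):
        print(label, assess_port_randomization(sample))
```

A live check replaces the constructed lists with pairs parsed from a capture of the resolver's queries to upstream servers; a report with fixed_port True on a patched system means the port randomization is being undone somewhere, typically by a NAT device in front of the resolver.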