Date: Tue, 22 Jul 2008 10:13:27 -0700
From: Doug Barton <dougb@FreeBSD.org>
To: Doug Barton <dougb@FreeBSD.org>, freebsd-stable@FreeBSD.ORG
Subject: Re: FreeBSD 7.1 and BIND exploit
Message-ID: <48861537.6060406@FreeBSD.org>
In-Reply-To: <20080722170726.GC1279@lava.net>
References: <200807212219.QAA01486@lariat.net>
 <200807221552.m6MFqgpm009488@lurza.secnetix.de>
 <20080722160542.GA14592@epia-2.farid-hajji.net>
 <48860D38.6060209@FreeBSD.org> <20080722170726.GC1279@lava.net>

Clifton Royston wrote:
> On Tue, Jul 22, 2008 at 09:39:20AM -0700, Doug Barton wrote:
>> cpghost wrote:
>>> Yes indeed. If I understand all this correctly, it's because the
>>> transaction ID that has to be sent back is only 2 bytes long,
>> 2 bits, 16 bytes.
>    ^^^^     ^^^^^  Think you mean those the other way!
Oops, ELACKOFCAFFEINE
>>> and if the query port doesn't change as well with every query, that
>>> can be cracked in milliseconds: sending 65536 DNS queries to a
>>> constant port is just way too easy! The namespace is way too small,
>>> and there's no way to fix this by switching to, say, 4 bytes or
>>> even more for the transaction ID without breaking existing
>>> resolvers; actually without breaking the protocol itself.
>> That's more or less accurate, yes.
>>
>> Doug
>
> I just saw mention in Infoworld - adequate details of the exploit
> were guessed by another developer and then confirmed. They're now
> circulating, so I think we can expect engineered attacks soon.
>
> All:
> Upgrade your servers today, do not wait.
Agreed on both counts.
--
This .signature sanitized for your protection
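
The point made in the thread (a 16-bit transaction ID is only adequate if the query source port also changes per query) can be checked from a resolver's outgoing queries. The following is an added example, not part of the original message: the log format, addresses and ports are constructed, and the port-pool size is assumed to be roughly the span of the ports observed.

```python
import re

TXID_SPACE = 2 ** 16  # 16-bit DNS transaction ID: 65536 possible values

# Constructed sample data (not captured traffic): outgoing queries from two
# hypothetical resolvers, written as "resolver_ip.source_port > server_ip.53".
SAMPLE = """\
192.0.2.10.53 > 198.51.100.1.53
192.0.2.10.53 > 198.51.100.7.53
192.0.2.10.53 > 203.0.113.4.53
192.0.2.10.53 > 198.51.100.1.53
192.0.2.20.50122 > 198.51.100.1.53
192.0.2.20.1893 > 198.51.100.7.53
192.0.2.20.33417 > 203.0.113.4.53
192.0.2.20.61004 > 198.51.100.1.53
"""

LINE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\.(\d+) > \d+\.\d+\.\d+\.\d+\.53$")

def source_ports(log):
    """Group observed query source ports by resolver address."""
    ports = {}
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            ports.setdefault(m.group(1), []).append(int(m.group(2)))
    return ports

def classify(ports):
    """Return 'fixed', 'sequential' or 'varied' for one resolver's ports."""
    if len(set(ports)) == 1:
        return "fixed"
    steps = {b - a for a, b in zip(ports, ports[1:])}
    return "sequential" if steps <= {1} else "varied"

def guess_space(ports):
    """Rough estimate of (ID, port) pairs a forged reply would have to match."""
    if classify(ports) != "varied":
        return TXID_SPACE  # port is constant or predictable: only the ID varies
    return TXID_SPACE * (max(ports) - min(ports) + 1)  # assumed pool = span

def report(log):
    return {ip: (classify(p), guess_space(p)) for ip, p in source_ports(log).items()}

if __name__ == "__main__":
    for ip, (kind, space) in report(SAMPLE).items():
        print(f"{ip}: source ports {kind}, search space about {space}")
```

A resolver reported as `fixed` or `sequential` is relying on the transaction ID alone and is the case the thread says to upgrade.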
