From: Doug Barton <dougb@FreeBSD.org>
Organization: http://www.FreeBSD.org/
Date: Tue, 22 Jul 2008 10:13:27 -0700
To: Doug Barton, freebsd-stable@FreeBSD.ORG
Subject: Re: FreeBSD 7.1 and BIND exploit
Message-ID: <48861537.6060406@FreeBSD.org>
In-Reply-To: <20080722170726.GC1279@lava.net>
References: <200807212219.QAA01486@lariat.net> <200807221552.m6MFqgpm009488@lurza.secnetix.de> <20080722160542.GA14592@epia-2.farid-hajji.net> <48860D38.6060209@FreeBSD.org> <20080722170726.GC1279@lava.net>
User-Agent: Thunderbird 2.0.0.14 (X11/20080606)
List-Id: Production branch of FreeBSD source code <freebsd-stable@freebsd.org>

Clifton Royston wrote:
> On Tue, Jul 22, 2008 at 09:39:20AM -0700, Doug Barton wrote:
>> cpghost wrote:
>>> Yes indeed. If I understand all this correctly, it's because the
>>> transaction ID that has to be sent back is only 2 bytes long,
>> 2 bits, 16 bytes.
>    ^^^^   ^^^^^ Think you mean those the other way!

Oops, ELACKOFCAFFEINE

>>> and if the query port doesn't change as well with every query, that
>>> can be cracked in milliseconds: sending 65536 DNS queries to a
>>> constant port is just way too easy! The namespace is way too small,
>>> and there's no way to fix this by switching to, say, 4 bytes or
>>> even more for the transaction ID without breaking existing
>>> resolvers; actually without breaking the protocol itself.
>> That's more or less accurate, yes.
>>
>> Doug
>
> I just saw mention in Infoworld - adequate details of the exploit
> were guessed by another developer and then confirmed. They're now
> circulating, so I think we can expect engineered attacks soon.
>
> All:
> Upgrade your servers today, do not wait.

Agreed on both counts.

-- 
This .signature sanitized for your protection
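The thread's point is that a resolver whose only unpredictable field is the 16-bit transaction ID exposes a 65536-value search space, and that varying the source port per query is what widens it. The script below is an added example, not part of the mailing-list message or of BIND: it extracts the transaction ID from raw DNS query bytes and, given the source ports and queries a resolver emitted (a constructed sample here, in practice the outgoing queries from a packet capture of your own resolver), reports whether the source port ever changes and how many bits of variability were observed. The function and sample names are this example's own, and `build_query` constructs minimal queries only to produce sample traffic.

```python
import math
import random
import struct


def parse_txid(dns_message: bytes) -> int:
    """Return the 16-bit transaction ID, the first two bytes of any DNS message."""
    if len(dns_message) < 12:
        raise ValueError("DNS header is 12 bytes")
    (txid,) = struct.unpack("!H", dns_message[:2])
    return txid


def build_query(txid: int, name: str = "example.com") -> bytes:
    """Constructed minimal DNS query (header plus one A question) used to make sample traffic."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def observed_bits(values) -> float:
    """Lower bound on the randomness of a field: log2 of the distinct values seen."""
    return math.log2(len(set(values))) if values else 0.0


def assess_resolver(samples):
    """samples: (src_port, raw_query_bytes) pairs, one per outgoing query from a resolver.

    Reports whether the source port is constant and how many bits of variability
    (transaction ID plus port) an off-path forger would have to match in what was observed.
    """
    ports = [port for port, _ in samples]
    ids = [parse_txid(msg) for _, msg in samples]
    fixed_port = len(set(ports)) == 1
    id_bits = observed_bits(ids)
    port_bits = observed_bits(ports)
    return {
        "fixed_port": fixed_port,
        "id_bits": id_bits,
        "port_bits": port_bits,
        "total_bits": id_bits + port_bits,
        # With a fixed port only the 16-bit ID stands between a forged answer and the cache.
        "verdict": ("source port never changes: upgrade/enable port randomization"
                    if fixed_port else "source port varies"),
    }


def make_samples(n: int, randomize_port: bool, seed: int = 1):
    """Constructed traffic: IDs are always random; ports vary only if randomize_port."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        txid = rng.randrange(0, 1 << 16)
        port = rng.randrange(1024, 1 << 16) if randomize_port else 53
        out.append((port, build_query(txid)))
    return out


# Constructed samples: an unpatched resolver always sending from port 53,
# and a patched one picking a fresh ephemeral port per query.
UNPATCHED = make_samples(200, randomize_port=False)
PATCHED = make_samples(200, randomize_port=True)

if __name__ == "__main__":
    for label, sample in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        result = assess_resolver(sample)
        print(f"{label}: fixed_port={result['fixed_port']} "
              f"observed bits={result['total_bits']:.1f} -> {result['verdict']}")
```

The bit counts are lower bounds from what was observed, not the resolver's true entropy, so a small capture understates a good resolver; the `fixed_port` flag, on the other hand, is conclusive in the bad direction and is the check worth running before and after the upgrade the thread recommends.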