Date: Sun, 27 Apr 1997 22:35:48 +0000 (GMT) From: The Code Warrior <jbowie@bsdnet.org> To: Warner Losh <imp@village.org> Cc: Dmitry Valdov <dv@kis.ru>, freebsd-security@freebsd.org Subject: Re: SNI-12: BIND Vulnerabilities and Solutions (fwd) Message-ID: <Pine.BSF.3.96.970427222630.417B-100000@utopia.nh.ultranet.com> In-Reply-To: <E0wLexe-0006zz-00@rover.village.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, 27 Apr 1997, Warner Losh wrote: > I have. There are some, but not a lot. I've been trying to plug them > as I find them. Most of them have long ago been plugged. As have I. > > And the name doesn't need to be spoofed either. You just need control > over the in-addr.arpa domain for the IP numbers that you claim to be > coming from for this attack to work. I'm well aware of this just commented on it due to the nature of the thread, wouldn't want to give any "impressionable" young children any ideas. :) As always I thank you for your imput. Maybe coming up with a kernel mod, using a new transport medium might be the answer. I mean if you reinvent the packet medium I suppose you could eliminate this sort of problem with better packet handling on the localhosts and / or routers. Regardless though, It seems to me that you could just come up with a version of named in which the server that the request is going to makes a secondary request to an undisclosed ns verifying the authenticity of the incoming packet. Any thoughts? -Jon Bowie SysAdmin / Consulting / TeenSysop 603-436-5698 jobe@insomnia.org jbowie@taco.net jbowie@teensysop.org jbowie@eliteness.org jbowie@bsdnet.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.970427222630.417B-100000>