North American Network Operators Group


Re: Exploit for DNS Cache Poisoning - RELEASED

  • From: Sean Donelan
  • Date: Thu Jul 24 10:32:28 2008

On Thu, 24 Jul 2008, Paul Ferguson wrote:
Let's hope some very large service providers get their act together
real soon now.

There is always a tension between discovery, changing, testing and
finally deployment.


Sure, I can empathize, to a certain extent. But this issue has been known for 2+ weeks now.

Not sure I can be very empathic now, given the seriousness, and the
proper warning ISPs have been given.

Also recognize some of the simple testing tools get a bit confused by some of the more complex DNS configurations used by the mega-ISP DNS clusters, and generate false positive (and maybe even false negative) results. You can see it happen when the testing tool reports widely different numbers of queries checked.

Several of the ISPs with complex DNS clusters are patching and upgrading
them; however the current state of some of the patches wouldn't support
the query load those providers normally experience.  So they've been
working on alternative mitigation strategies.  However, it's difficult
to know if the alternative strategies actually mitigate the actual threat
without knowing the actual threat.

And finally, there probably are some providers who haven't made plans to
change their DNS. Unfortunately, the testing tools can't read minds (yet), so it's difficult to know which ISPs are in this category.