North American Network Operators Group


Re: [Fwd: Re: DNS attacks evolve]

  • From: Mike Leber
  • Date: Thu Aug 14 13:08:58 2008


FYI. There was some question here about whether PowerDNS was vulnerable or not and what it was doing, so I asked Bert Hubert about it. Here is his answer:


-------- Original Message --------
Subject: Re: [Fwd: Re: DNS attacks evolve]
Date: Wed, 13 Aug 2008 21:29:50 +0200
From: bert hubert <[email protected]>
To: Mike Leber <[email protected]>
References: <[email protected]>

On Mon, Aug 11, 2008 at 11:12:35AM -0700, Mike Leber wrote:
> Is there any post anywhere that provides more technical detail about how the PowerDNS cache is not vulnerable?

Mike, very briefly, PowerDNS implements two things: source port randomization + near miss detection.

Near miss detection is documented here:

http://doc.powerdns.com/built-in-recursor.html

    spoof-nearmiss-max
        If set to non-zero, PowerDNS will assume it is being spoofed after
        seeing this many answers with the wrong id. Defaults to 20.

Some more is in:
http://doc.powerdns.com/recursor-details.html

> I'll post a link to it and provide other operators a better answer than the equivalent of "because I say so". The answer could be anything such as "we reject updates to glue when", or "it takes 10 years based on these calculations...".

Calculations on how long it will take are on http://blog.netherlabs.nl/articles/2008/08/05/calculating-the-chance-of-spoofing-an-agile-source-port-randomised-resolver

These calculations go beyond what powerdns 3.1.7 does however.


> If your vendor told you that you are not at risk they are wrong, and need to go re-read the Kaminsky paper. EVERYONE is vulnerable, the only question is if the attack takes 1 second, 1 minute, 1 hour or 1 day. While possibly interesting for short term problem

Or 1 year, or 2 years or a century.


Bert



--
http://www.PowerDNS.com      Open source, database driven DNS Software
http://netherlabs.nl              Open and Closed source services


--
+---------------- H U R R I C A N E - E L E C T R I C ----------------+
| Mike Leber             Wholesale IPv4 and IPv6 Transit   510 580 4100 |
| Hurricane Electric AS6939                                            |
| [email protected]   Internet Backbone & Colocation   http://he.net |
+---------------------------------------------------------------------+
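The following is an added toy model of the "near miss" detection Bert describes above; it is not PowerDNS source, the `Resolver`/`Outstanding` names are invented for illustration, and the default threshold of 20 is the page's stated `spoof-nearmiss-max` default. It shows why an answer with the right port but the wrong ID is useful evidence: a legitimate authoritative server never produces one, so a burst of them means someone is guessing.

```python
"""Toy model of near-miss detection in a caching resolver (illustration,
not PowerDNS code). One outstanding query per (qname, qtype) carries a
random 16-bit transaction ID and a random source port; an answer on the
right port with the wrong ID is a "near miss". After nearmiss_max such
answers the query is treated as under attack and abandoned."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Outstanding:
    txid: int
    port: int
    near_misses: int = 0


@dataclass
class Resolver:
    nearmiss_max: int = 20          # mirrors the page's default of 20
    pending: dict = field(default_factory=dict)
    spoof_alarms: int = 0           # how often the threshold was hit

    def send_query(self, qname: str, qtype: str) -> Outstanding:
        """Issue a query with a random ID and source port, the two
        values a spoofer would have to guess together."""
        q = Outstanding(txid=secrets.randbelow(1 << 16),
                        port=1024 + secrets.randbelow(64512))
        self.pending[(qname, qtype)] = q
        return q

    def receive_answer(self, qname: str, qtype: str,
                       port: int, txid: int) -> str:
        """Classify an inbound answer as 'accepted', 'ignored',
        'near-miss' or 'spoof-detected' (query dropped, nothing cached)."""
        key = (qname, qtype)
        q = self.pending.get(key)
        if q is None or port != q.port:
            return "ignored"        # nothing outstanding, or wrong port
        if txid == q.txid:
            del self.pending[key]
            return "accepted"       # only matching port AND ID is cached
        q.near_misses += 1          # right port, wrong ID: a near miss
        if q.near_misses >= self.nearmiss_max:
            del self.pending[key]   # abandon the query rather than risk it
            self.spoof_alarms += 1
            return "spoof-detected"
        return "near-miss"
```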