FreeBSD 7.1 and BIND exploit

Doug Barton dougb at FreeBSD.org
Tue Jul 22 17:13:31 UTC 2008


Clifton Royston wrote:
> On Tue, Jul 22, 2008 at 09:39:20AM -0700, Doug Barton wrote:
>> cpghost wrote:
>>> Yes indeed. If I understand all this correctly, it's because the 
>>> transaction ID that has to be sent back is only 2 bytes long,
>> 2 bits, 16 bytes.
>     ^^^^     ^^^^^  Think you mean those the other way!

Oops, ELACKOFCAFFEINE

>>> and if the query port doesn't change as well with every query, that
>>> can be cracked in milliseconds: sending 65536 DNS queries to a
>>> constant port is just way too easy! The namespace is way too small,
>>> and there's no way to fix this by switching to, say, 4 bytes or
>>> even more for the transaction ID without breaking existing
>>> resolvers; actually without breaking the protocol itself.
>> That's more or less accurate, yes.
>>
>> Doug
> 
>   I just saw mention in Infoworld - adequate details of the exploit
> were guessed by another developer and then confirmed.  They're now
> circulating, so I think we can expect engineered attacks soon.
> 
> All:
>   Upgrade your servers today, do not wait.

Agreed on both counts.


-- 

     This .signature sanitized for your protection
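An added example, not part of the thread: a small Python check of the two points quoted above, how many bits an off-path forger has to guess with and without source-port randomization, and detection logic that flags a burst of responses carrying distinct transaction IDs at one fixed query port. All traffic is constructed inline; the addresses and ports are placeholders.

```python
import math
import struct

def make_response(txid: int) -> bytes:
    """Build a minimal 12-byte DNS header with QR=1 (response), one question.
    Used only to construct sample datagrams for the check below."""
    return struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)

def parse_dns_header(pkt: bytes):
    """Parse the fixed DNS header (RFC 1035 4.1.1). Returns (txid, is_response)."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!2H", pkt[:4])
    return txid, bool(flags & 0x8000)

def guess_space_bits(port_randomized: bool, usable_ports: int = 64512) -> float:
    """Bits an off-path forger must guess: the 16-bit TXID alone, or the TXID
    plus the source port once the resolver randomizes it (1024-65535 assumed)."""
    return 16.0 + (math.log2(usable_ports) if port_randomized else 0.0)

def detect_txid_flood(datagrams, threshold: int = 64):
    """datagrams: (src_ip, dst_port, payload). Return (src_ip, dst_port) pairs
    from which at least `threshold` responses with distinct TXIDs arrived:
    many answers with different IDs aimed at one constant port is what a
    brute force of the 16-bit ID space looks like on the wire."""
    seen = {}
    for src_ip, dst_port, payload in datagrams:
        txid, is_resp = parse_dns_header(payload)
        if is_resp:
            seen.setdefault((src_ip, dst_port), set()).add(txid)
    return sorted(k for k, ids in seen.items() if len(ids) >= threshold)

# Constructed sample traffic (not a real capture): a resolver with a fixed
# query port 53000 receives 300 forged answers stepping through TXIDs from
# one source, plus two ordinary single responses from other servers.
SAMPLE = [("198.51.100.7", 53000, make_response(t)) for t in range(300)]
SAMPLE += [("192.0.2.53", 53000, make_response(0x1A2B)),
           ("192.0.2.54", 53001, make_response(0x3C4D))]

if __name__ == "__main__":
    print("flagged:", detect_txid_flood(SAMPLE))
    print("guess bits, fixed port:", guess_space_bits(False))
    print("guess bits, random port:", round(guess_space_bits(True), 2))
```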
