DNS spoofing vulnerability

Chris Buxton cbuxton at menandmice.com
Wed Jul 16 14:44:48 PDT 2008


Port randomization is the best cure for the Kaminsky exploit, short of  
DNSSEC.

Your statement about not being the target of the attack does not seem  
to me to represent a smart attitude. The attack ultimately targets you  
(as a pharming attack). The fact that it goes through a vulnerability  
at AT&T doesn't change that. If I were you, I would be testing AT&T's  
resolvers to see that they've been fixed. For myself, I spent an hour  
on the phone with Comcast yesterday trying to convince them to fix the  
resolvers they assign to me. If they don't by next week, I'll deploy  
my own HLFS-based resolver. And because my little router uses NAT/PAT  
and dnsmasq, I may be forced to retire it as well, replacing it with  
an HLFS-based router (probably the same machine as my replacement  
resolver).

Chris Buxton
Professional Services
Men & Mice

On Jul 16, 2008, at 9:09 AM, marty wrote:

>> You're right, none of the BIND server stuff relates to you - I think
>> AT&T should be able to upgrade their servers in time, if they haven't
>> already. We're only discussing it because you brought it up.
>>
> Actually it was you who brought it up with that "Chicken
> Little" routine:)
>
>> If you want to check on AT&T's progress, execute this command
>> [assuming you have dig installed]:
>>
>> dig +short porttest.dns-oarc.net TXT
> That just shows the level of source port randomness for a
> given resolver. Poor randomness in itself does not
> constitute a vulnerability but it is a prerequisite for
> Kaminsky's sploit, and others to work.
>
> People have been attacking DNS successfully since it was
> introduced. DNS attacks don't target single individuals but
> instead attack the trusted DNS infrastructure to misdirect
> the end users. This means only the big players are the
> logical targets anyway, not HLFS users.
>
> Marty B.
>
>
> -- 
> Electile Dysfunction : the inability to become aroused over any of the
> choices for President put forth by either party in the 2008 election.
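
Added example, not part of the original thread: a Python sketch of what source port randomness buys a resolver, run over constructed port samples. The function names, the 0.8 threshold, and the sequentially rewriting NAT/PAT sample are assumptions made for illustration.

```python
import math
import statistics
from collections import Counter

TXID_BITS = 16  # width of the DNS transaction ID field


def classify_ports(ports):
    """Classify the source ports of consecutive outbound queries."""
    if len(ports) < 2:
        raise ValueError("need at least two observations")
    if len(set(ports)) == 1:
        return "fixed"
    # Port arithmetic wraps at 65536, so take deltas modulo 2**16.
    deltas = Counter((b - a) % 65536 for a, b in zip(ports, ports[1:]))
    _, hits = deltas.most_common(1)[0]
    # Assumed threshold: one step size explains 80% of the transitions.
    if hits / (len(ports) - 1) >= 0.8:
        return "sequential"
    return "scattered"


def guess_space_bits(ports):
    """Rough number of bits an off-path spoofer must guess per response."""
    kind = classify_ports(ports)
    if kind in ("fixed", "sequential"):
        return TXID_BITS  # port is predictable; only the ID is unknown
    span = max(ports) - min(ports) + 1  # observed range, a lower bound
    return TXID_BITS + math.log2(span)


def report(name, ports):
    """Return (name, class, population std dev of ports, guess bits)."""
    return (name, classify_ports(ports), round(statistics.pstdev(ports)),
            round(guess_space_bits(ports), 1))


# Constructed samples, not captured traffic.
FIXED = [32768] * 10                           # resolver with one static port
NAT_REWRITTEN = [1024 + i for i in range(10)]  # assumed sequential PAT rewrite
RANDOMIZED = [50112, 3391, 61027, 18844, 40990,
              9215, 27463, 57301, 12078, 35666]

if __name__ == "__main__":
    for name, sample in (("fixed", FIXED), ("nat", NAT_REWRITTEN),
                         ("random", RANDOMIZED)):
        print(report(name, sample))
```

A patched resolver behind a device that rewrites ports predictably lands in the same 16-bit class as an unpatched one, which is why the ports should be measured as seen from outside the NAT.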
