okay already
Paul Theodoropoulos
2010-03-19 16:01:33 UTC
jesus h. christ in a chicken basket, we've already had several weeks of
black helicopter paranoia wafting through this list. i realize that
daemontools doesn't have its own dedicated mailing list - but this new
set of threads isn't about daemontools, it's assorted flamey/ranty
stuff about djb's coding philosophy, whether a different author's
license statement is disrespectful, and whether someone is a freebsd
committer.

please people. can we give it a rest?

here's something back on topic, about a week ago someone made an offhand
comment about possibly using memcached as dnscache's store. that's a
really intriguing idea to me, and i'd be interested in more discussion
of it (i apologize, i don't remember who made the comment, and with the
volume of list traffic i've been deleting messages with verve, eclat,
and elan (with apologies to robert sheckley))
--
Paul Theodoropoulos
Joe Baptista
2010-03-19 16:09:10 UTC
I think the flaming and ranting is completely understandable. Comes down to
credibility. And right now the DNSSEC vs. DNScurve forces are flaming and
ranting at high speed to discredit DNScurve and Bernstein.

cheers
joe baptista

On Fri, Mar 19, 2010 at 12:01 PM, Paul Theodoropoulos
Post by Paul Theodoropoulos
jesus h. christ in a chicken basket, we've already had several weeks of
black helicopter paranoia wafting through this list. i realize that
daemontools doesn't have its own dedicated mailing list - but this new set
of threads isn't about daemontools, it's assorted flamey/ranty stuff about
djb's coding philosophy, whether a different author's license statement is
disrespectful, and whether someone is a freebsd committer.
please people. can we give it a rest?
here's something back on topic, about a week ago someone made an offhand
comment about possibly using memcached as dnscache's store. that's a really
intriguing idea to me, and i'd be interested in more discussion of it (i
apologize, i don't remember who made the comment, and with the volume of
list traffic i've been deleting messages with verve, eclat, and elan (with
apologies to robert sheckley))
--
Paul Theodoropoulos
--
Joe Baptista

www.publicroot.org
PublicRoot Consortium
----------------------------------------------------------------
The future of the Internet is Open, Transparent, Inclusive, Representative &
Accountable to the Internet community @large.
----------------------------------------------------------------
Office: +1 (360) 526-6077 (extension 052)
Fax: +1 (509) 479-0084

Personal: http://baptista.cynikal.net/
Jason Haar
2010-03-19 19:44:31 UTC
Post by Joe Baptista
I think the flaming and ranting is completely understandable. Comes
down to credibility. And right now the DNSSEC vs. DNScurve forces are
flaming and ranting at high speed to discredit DNScurve and Bernstein.
Does anyone really believe DNScurve is ever going to become a true
standard? I think it will be too little - too late. DJB specializes in
crypto and I'm absolutely sure DNScurve is better than DNSsec (leap of
faith there), but I still think it doesn't matter.

DJB announced DNScurve around the time the design holes in DNS were
getting some press, and I got all excited that he (or is that "He"? ;-)
was about to release new code and there'd be a huge leap of interest
worldwide and DNSsec might die. However, nothing appeared and the years
rolled on - and DNSsec has government backing...

djbdns needs DNSsec support, otherwise one by one we will all be
eventually told by our employers to replace it with one that does...
--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Christopher Chan
2010-03-20 13:02:16 UTC
Post by Jason Haar
Post by Joe Baptista
I think the flaming and ranting is completely understandable. Comes
down to credibility. And right now the DNSSEC vs. DNScurve forces are
flaming and ranting at high speed to discredit DNScurve and Bernstein.
Does anyone really believe DNScurve is ever going to become a true
standard? I think it will be too little - too late. DJB specializes in
crypto and I'm absolutely sure DNScurve is better than DNSsec (leap of
faith there), but I still think it doesn't matter.
DJB announced DNScurve around the time the design holes in DNS were
getting some press, and I got all excited that he (or is that "He"? ;-)
was about to release new code and there'd be a huge leap of interest
worldwide and DNSsec might die. However, nothing appeared and the years
rolled on - and DNSsec has government backing...
/me blinks. DNSSec does?
Post by Jason Haar
djbdns needs DNSsec support, otherwise one by one we will all be
eventually told by our employers to replace it with one that does...
HAHAhaha. I'm so worried. Running tinydns for bradbury.edu.hk and the
clueless replacement at IAS will not even know what you are talking about.
Dean Anderson
2010-03-22 19:44:57 UTC
Post by Christopher Chan
Post by Jason Haar
Post by Joe Baptista
I think the flaming and ranting is completely understandable. Comes
down to credibility. And right now the DNSSEC vs. DNScurve forces are
flaming and ranting at high speed to discredit DNScurve and Bernstein.
Does anyone really believe DNScurve is ever going to become a true
standard? I think it will be too little - too late. DJB specializes in
crypto and I'm absolutely sure DNScurve is better than DNSsec (leap of
faith there), but I still think it doesn't matter.
DJB announced DNScurve around the time the design holes in DNS were
getting some press, and I got all excited that he (or is that "He"? ;-)
was about to release new code and there'd be a huge leap of interest
worldwide and DNSsec might die. However, nothing appeared and the years
rolled on - and DNSsec has government backing...
/me blinks. DNSSec does?
No. While the Vixie/Cerf cartel thinks it can sign the roots in July,
the government is actually changing its policy from non-interference to
oversight. I'm getting through to all the right people, I think.
Post by Christopher Chan
Post by Jason Haar
djbdns needs DNSsec support, otherwise one by one we will all be
eventually told by our employers to replace it with one that does...
HAHAhaha. I'm so worried. Running tinydns for bradbury.edu.hk and the
clueless replacement at IAS will not even know what you are talking about.
Well, even if the roots are signed, any resolver can disable DNSSEC.
The problem isn't that one is forced to use DNSSEC, the problem is that
abusers can use root and TLD nameservers in DDoS attacks that are
impossible to mitigate; that the 512-bit keys are easily cracked, with
pretty devastating results; that DNSSEC does not actually work to solve
any of its original problems. DNSSEC suicide (Bernstein's term for
expired signatures) has already occurred a couple of times. It's all
here:

http://www.ntia.doc.gov/dns/comments/comment027.pdf

There is some more, though. Need a page on the full story of the
Vixie/Kaminsky hoax, for example.


--Dean
--
Av8 Internet Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 256 5494
Dean Anderson
2010-03-22 19:56:24 UTC
Michael Loftis
2010-03-22 22:13:48 UTC
Post by Dean Anderson
It occurs to me that another effect of the King/Day/Kaminsky/Vixie
crack-to-make-forgery-consistent patch is that a slew of repeated
queries will be sent to different nameservers, not all of which might be
in the path. By limiting to one query, a successful interception
in-path to one nameserver, the attacker is guaranteed to get all the
queries outstanding. The patch really does make cracking DNS consistent
and virtually undetectable.
What you're totally missing, and have been totally missing, and which has been
explained to you, is that, unpatched, it's MANY orders of magnitude
*easier* to get false data into the cache and propagated to users. And
very few domains have 1 or 2 DNS servers, so you have to guess which one
the system tries to contact as well. The patches greatly decrease the
likelihood of a successful collision/birthday attack. Without the patches,
it's trivial to get garbage data into the cache, and once it's in there, to
convince the caching resolver to retain that garbage information. With the
patches it takes a really large sustained attack to have any probability of
inserting any rogue data into the DNS Cache.

Quit talking crap about things you don't understand, or worse, don't know
anything about, it makes you appear really stupid.
Christopher Chan
2010-03-23 00:07:09 UTC
Post by Michael Loftis
Post by Dean Anderson
It occurs to me that another effect of the King/Day/Kaminsky/Vixie
crack-to-make-forgery-consistent patch is that a slew of repeated
queries will be sent to different nameservers, not all of which might be
in the path. By limiting to one query, a successful interception
in-path to one nameserver, the attacker is guaranteed to get all the
queries outstanding. The patch really does make cracking DNS consistent
and virtually undetectable.
What you're totally missing, and have been totally missing, and which has
been explained to you, is that, unpatched, it's MANY orders of
magnitude *easier* to get false data into the cache and propagated to
users. And very few domains have 1 or 2 DNS servers, so you have to
guess which one the system tries to contact as well. The patches greatly
decrease the likelihood of a successful collision/birthday attack.
Without the patches, it's trivial to get garbage data into the cache,
and once it's in there, to convince the caching resolver to retain that
garbage information. With the patches it takes a really large sustained
attack to have any probability of inserting any rogue data into the DNS
Cache.
Good thing one first has to muck about with the network packets and hope
the routers allow the packets through or takeover a box within the
dnscache's allowed network. Anyone running an open dnscache probably
does not care about security anyway and it would have been firewalled
after the first few rounds of hammering authoritative servers without
the merge patch.
Post by Michael Loftis
Quit talking crap about things you don't understand, or worse, don't
know anything about, it makes you appear really stupid.
And quit blowing up the 'ease' with which one can poison dnscache.
Dean Anderson
2010-03-23 15:19:35 UTC
Post by Michael Loftis
Post by Dean Anderson
It occurs to me that another effect of the King/Day/Kaminsky/Vixie
crack-to-make-forgery-consistent patch is that a slew of repeated
queries will be sent to different nameservers, not all of which might be
in the path. By limiting to one query, a successful interception
in-path to one nameserver, the attacker is guaranteed to get all the
queries outstanding. The patch really does make cracking DNS consistent
and virtually undetectable.
What you're totally missing, and have been totally missing, and which has been
explained to you, is that, unpatched, it's MANY orders of magnitude
*easier* to get false data into the cache and propagated to users.
The math does not hold for your claim. It holds for mine, though.
Post by Michael Loftis
Quit talking crap about things you don't understand, or worse, don't know
anything about, it makes you appear really stupid.
Yes, it does make someone appear stupid. But they are actually
just dishonest Vixie hucksters trying to mislead people by lying.

--Dean
--
Av8 Internet Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 256 5494
Chris Pugh
2010-03-23 19:48:57 UTC
Post by Michael Loftis
What you're totally missing, and have been totally missing, and which has been
explained to you, is that, unpatched, it's MANY orders of magnitude
*easier* to get false data into the cache and propagated to users.
The math does not hold for your claim.  It holds for mine, though.
At the risk of reopening a can of worms, how about a pointer to the
various versions of this
so called 'math'?
Post by Michael Loftis
Quit talking crap about things you don't understand, or worse, don't know
anything about, it makes you appear really stupid.
Yes, it does make someone appear stupid. But they are actually
just dishonest Vixie hucksters trying to mislead people by lying.
Good grief!

http://en.wikipedia.org/wiki/Marquess_of_Queensberry_rules

or

http://en.wikipedia.org/wiki/Celebrity_Deathmatch

? ;o)
Chris Pugh
2010-03-23 22:10:07 UTC
Post by Chris Pugh
Post by Michael Loftis
What you're totally missing, and have been totally missing, and which has been
explained to you, is that, unpatched, it's MANY orders of magnitude
*easier* to get false data into the cache and propagated to users.
The math does not hold for your claim.  It holds for mine, though.
At the risk of reopening a can of worms, how about a pointer to the
various versions of this
 so called 'math'?
My analysis has been reposted several times. There has been no credible
dispute of the math I have posted and none by Loftis.  Loftis' last
frivolous dispute was over Kaminsky's discredited "roulette logic"
claims. Loftis was "confused" about who wrote them. Or perhaps Loftis
was just dissembling and lying to create confusion.
Sigh... A straight link to the actual 'math' as calculated by the
various protagonists in this dispute, along with its actual context,
would have done!
Post by Chris Pugh
Post by Michael Loftis
Quit talking crap about things you don't understand, or worse,
don't know anything about, it makes you appear really stupid.
Yes, it does make someone appear stupid. But they are actually just
dishonest Vixie hucksters trying to mislead people by lying.
Good grief!
Please recall that Michael Loftis was discredited as one of several
Vixie people trolling this list.
Actually, I was being somewhat,

http://dictionary.reference.com/browse/facetious

in respect of,

http://en.wiktionary.org/wiki/handbags_at_dawn

( No apologies for the Brit'ism ). ;o)
Michael Loftis
2010-03-23 23:24:09 UTC
--On Tuesday, March 23, 2010 10:10 PM +0000 Chris Pugh
Post by Chris Pugh
My analysis has been reposted several times. There has been no credible
dispute of the math I have posted and none by Loftis.  Loftis' last
frivolous dispute was over Kaminsky's discredited "roulette logic"
claims. Loftis was "confused" about who wrote them. Or perhaps Loftis
was just dissembling and lying to create confusion.
Sigh... A straight link to the actual 'math' as calculated by the
various protagonists in this dispute, along with its actual context,
would have done!
The math for the rapid poisoning in DJBDNS is contained in
<http://www.your.org/dnscache/djbdns.pdf> -- the general
attack/vulnerability is probably best documented in
<http://www.kb.cert.org/vuls/id/457875> -- that contains many references.
Kaminsky's technique seems to be very well described by
<http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html>

Dan Kaminsky's blog at doxpara.com is apparently down right now so I can't
dig up/verify any links to his site but all but the (older US CERT VU#
457875) link to his site. Kaminsky, discovered a new, quicker way of
running the birthday attack.

<http://www.your.org/dnscache/> contains other information from Day.
Dean Anderson
2010-03-24 18:37:11 UTC
All of the links cited below by Loftis are known to be BS, and have been
previously exposed as fraudulent false claims. Loftis himself has been
exposed as being a former MAPS employee with no genuine interest or
particular knowledge of DNS or DJB DNS.

There is no point in rehashing the discussion of the last month or so,
which was itself a rehash of prior discussion debunking and exposing as
fraudulent the claims of Day, Kaminsky, and King.


--Dean
Post by Michael Loftis
--On Tuesday, March 23, 2010 10:10 PM +0000 Chris Pugh
Post by Chris Pugh
My analysis has been reposted several times. There has been no credible
dispute of the math I have posted and none by Loftis.  Loftis' last
frivolous dispute was over Kaminsky's discredited "roulette logic"
claims. Loftis was "confused" about who wrote them. Or perhaps Loftis
was just dissembling and lying to create confusion.
Sigh... A straight link to the actual 'math' as calculated by the
various protagonists in this dispute, along with its actual context,
would have done!
The math for the rapid poisoning in DJBDNS is contained in
<http://www.your.org/dnscache/djbdns.pdf> -- the general
attack/vulnerability is probably best documented in
<http://www.kb.cert.org/vuls/id/457875> -- that contains many references.
Kaminsky's technique seems to be very well described by
<http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html>
Dan Kaminsky's blog at doxpara.com is apparently down right now so I can't
dig up/verify any links to his site but all but the (older US CERT VU#
457875) link to his site. Kaminsky, discovered a new, quicker way of
running the birthday attack.
<http://www.your.org/dnscache/> contains other information from Day.
--
Av8 Internet Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 256 5494
Dean Anderson
2010-03-23 21:24:30 UTC
Post by Chris Pugh
Post by Michael Loftis
What you're totally missing, and have been totally missing, and which has been
explained to you, is that, unpatched, it's MANY orders of magnitude
*easier* to get false data into the cache and propagated to users.
The math does not hold for your claim.  It holds for mine, though.
At the risk of reopening a can of worms, how about a pointer to the
various versions of this
so called 'math'?
My analysis has been reposted several times. There has been no credible
dispute of the math I have posted and none by Loftis. Loftis' last
frivolous dispute was over Kaminsky's discredited "roulette logic"
claims. Loftis was "confused" about who wrote them. Or perhaps Loftis
was just dissembling and lying to create confusion.
Post by Chris Pugh
Post by Michael Loftis
Quit talking crap about things you don't understand, or worse,
don't know anything about, it makes you appear really stupid.
Yes, it does make someone appear stupid. But they are actually just
dishonest Vixie hucksters trying to mislead people by lying.
Good grief!
Please recall that Michael Loftis was discredited as one of several
Vixie people trolling this list.

--Dean
--
Av8 Internet Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 256 5494
Mark Johnson
2010-03-19 16:18:14 UTC
On Fri, Mar 19, 2010 at 11:01 AM, Paul Theodoropoulos
Post by Paul Theodoropoulos
here's something back on topic, about a week ago someone made an offhand
comment about possibly using memcached as dnscache's store. that's a really
intriguing idea to me, and i'd be interested in more discussion of it (i
apologize, i don't remember who made the comment, and with the volume of
list traffic i've been deleting messages with verve, eclat, and elan (with
apologies to robert sheckley))
I think Matthew Dempsky suggested it. I think it's definitely worth
checking out. From what I can tell, libmemcached supports unix domain
sockets. That might be a good way to have multiple dnscache instances
sharing a large cache. It's probably easier than making dnscache
threaded.
Michael Loftis
2010-03-24 19:04:42 UTC
All of the links cited below by Loftis are known to be BS, and have been
previously exposed as fraudulent false claims. Loftis himself has been
exposed as being a former MAPS employee with no genuine interest or
particular knowledge of DNS or DJB DNS.
So, you're including the US CERT in this supposed list of "hoaxers" now
too?

And yet more of your great faulty logic Dean. Someone worked at a company
N years ago (in my case, for about a month something like 7 years ago, and
I worked for Margie Arbon, not Paul Vixie. She and I had a personality
conflict and some bad miscommunications. I met Paul, several times, as
well as some of the ISC folks, but it's hard not to when you work in the
same office complex), must therefore then, and now, support any and all
actions by that company, in perpetuity! This is beginning to sound a lot
like libel. You draw assumptions and connections out of very thin air, and
then make some very bold accusations based on those assumptions.

Further, you don't know me at all, I don't recall ever meeting you, or
seeing anything other than your unsubstantiated claims against some sort of
mysterious DNS Cabal, Vixie Cartel, Kaminsky Hoax, etc. Kaminsky never
claimed to invent anything new, what was discovered is a way in which the
birthday attacks could be made many orders of magnitude more successful.
Unpatched DJBDNS, because it will send out many queries for the same data,
is somewhere around 200x more likely to fall prey to cache poisoning. No
nefarious smoke and mirrors, nothing of the sort. It's been very clearly
explained, the math was checked by real statisticians before and after the
fact and found to be sound. There's no way to precisely measure these
things, but they certainly can be estimated, in a number of ways.

DNS, as a protocol, has security flaws, we all know that. Some
implementations make these weaknesses more apparent, some make them less.
TCP is also flawed, with the same implementation issues. They both make
lots of assumptions about the trustworthiness of the networks they're
running over.
There is no point in rehashing the discussion of the last month or so,
which was itself a rehash of prior discussion debunking and exposing as
fraudulent the claims of Day, Kaminsky, and King.
--Dean
Dean Anderson
2010-03-24 19:59:38 UTC
Post by Michael Loftis
All of the links cited below by Loftis are known to be BS, and have been
previously exposed as fraudulent false claims. Loftis himself has been
exposed as being a former MAPS employee with no genuine interest or
particular knowledge of DNS or DJB DNS.
So, you're including the US CERT in this supposed list of "hoaxers" now
too?
As I understand it, CERT takes no position on the veracity of the claim.
They just report the claim. But many people were initially taken in by
the hoax. It wasn't until November, 2008 that the hoax was uncovered.
Post by Michael Loftis
And yet more of your great faulty logic Dean.
There is no faulty logic on my part. Just unsubstantiated and
discredited claims on your part.
Post by Michael Loftis
Someone worked at a company N years ago (in my case, for about a month
something like 7 years ago, and I worked for Margie Arbon, not Paul
Vixie.
I don't care very much. I'd love to know more details, but they have no
bearing on your technical credibility, and can't rehabilitate your
character. I know who you are associated with; I know you have posted
nothing credible on any subject of DNS. I know you nonchalantly posted
a description of how Vixie was trying to "put some distance" between
himself and MAPS after MAPS was sued. That 'putting of distance' after
lawsuit is a dishonest behavior that evidences Vixie's lack of integrity
and poor citizenship (the quality of obeying laws and duties to
society). These are components of character. That you can so
nonchalantly report such bad character without embarrassment or criticism
means you also have bad character.

MAPS is known to be a scam performing listwashing for spammers such as
Scott Richter, and extorting ISPs and other companies, convincing
network operators to violate laws such as the Wiretap Act and the ECPA,
and their state-law counterparts. That your only problem was a lack of
communication with Margie Arbon is just further evidence of your lack of
character.
Post by Michael Loftis
Further, you don't know me at all, I don't recall ever meeting you, or
seeing anything other than your unsubstantiated claims against some
sort of mysterious DNS Cabal, Vixie Cartel, Kaminsky Hoax, etc.
There is no mystery to the cabal. There remains a lot I don't know about
it, but it has been uncovered.
Post by Michael Loftis
Kaminsky never claimed to invent anything new, what was discovered is
a way in which the birthday attacks could be made many orders of
magnitude more successful.
There is no such new attack "many orders of magnitude more successful".
That was the hoax. Kaminsky just fabricated his results with fictitious
claims of "roulette logic". There is no credibility to his claims.

--Dean
--
Av8 Internet Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 256 5494
Vincent Labrecque
2010-03-25 20:49:02 UTC
Post by Dean Anderson
I don't care very much. I'd love to know more details, but they have no
bearing on your technical credibility, and can't rehabilitate your
character. [...] These are components of character. That you can so
nonchalantly report such bad character without embarrassment or criticism
means you also have bad character.
Wow, this is very interesting.
Jason Haar
2010-03-25 20:58:44 UTC
Post by Vincent Labrecque
Wow, this is very interesting.
No it isn't. Please - can everyone just drop it, Enough.

Don't make me send you to your rooms
--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Christopher Chan
2010-03-26 01:16:43 UTC
Post by Jason Haar
Post by Vincent Labrecque
Wow, this is very interesting.
No it isn't. Please - can everyone just drop it, Enough.
Don't make me send you to your rooms
Wow, you are not interested in the gritty details of bad eggs in the
anti-spam community? It is no wonder spam-l died given the number of bad
eggs that posed as whitehat members on that list with people in all the
'high places' involved.

Well, hey, everybody seems to tolerate corrupt government anyway so I
guess there are people who are just not interested in stories of
corruption anymore. They'd rather stick their heads in the sand and you
know what, you get less stress not worrying about a problem you can do
nothing about! These guys are already in their rooms.

That's not enough for you eh? You have to make the entire thing
disappear eh? Sounds like you'd love living in China.
Chris Pugh
2010-03-26 06:32:14 UTC
That's not enough for you eh? You have to make the entire thing disappear
eh? Sounds like you'd love living in China.
Which bit? Where do you vote sending them? You happen to be in an SAR! ;o)

bai


Chris.
Christopher Chan
2010-03-26 07:32:48 UTC
Post by Chris Pugh
That's not enough for you eh? You have to make the entire thing disappear
eh? Sounds like you'd love living in China.
Which bit? Where do you vote sending them? You happen to be in an SAR! ;o)
SSSssshhh! Hong Kongers still think that 'China' means mainland China.
Can't let the big bullies^H^H^H^H^H^H^Hboys know. It's a secret.

But then things are a bit like that here already. Only certain
privileged people get to make noise without consequences and that's only
until the noose is ready. Especially after a certain attempt to pass a
law that drew half-a-million protesters. You got room where you are? :-D
Laurent Bercot
2010-03-26 19:12:44 UTC
Post by Christopher Chan
Wow, you are not interested in the gritty details of bad eggs in the
anti-spam community? It is no wonder spam-l died given the number of bad
eggs that posed as whitehat members on that list with people in all the
'high places' involved.
My sarcasm-o-meter just blew up. I have no idea how to interpret this
paragraph. Just to be sure, here is an answer:

There are, of course, such things as corruption, heavy lobbying,
committee bullying, and all other sorts of political warfare that are
ultimately harmful to technical people and users (just like civilians
are the ultimate losers in any kind of war).
(Examples of these things can be found aplenty in the "namedroppers"
mailing-list archives, shortly after djbdns came out, when DJB was
attacking BIND on technical grounds and was never answered the same
way.)
I have no doubt "bad eggs" can be found in the Chinese government
and people with a long list of titles who decide how the Chinese
part of the Internet should work and interact with the rest of the
world. Among other places.

*But* all this has nothing to do with conspiracy theories made up
by local crackpot Dean Anderson, who will find any reason to slander
(sorry, "discredit") anyone who does not agree with him. For your own
sanity of mind, take what he says about people with a metric ton of salt.
--
Laurent
Christopher Chan
2010-03-27 06:52:58 UTC
Post by Laurent Bercot
*But* all this has nothing to do with conspiracy theories made up
by local crackpot Dean Anderson, who will find any reason to slander
(sorry, "discredit") anyone who does not agree with him. For your own
sanity of mind, take what he says about people with a metric ton of salt.
He is welcome to slander me then as I do not agree with his view of the
merge dns queries patch being a security compromising one but nor do I
like the way dnscache has been painted as being super susceptible to
cache poisoning without it. As for conspiracy, I don't see why it should
be discounted given the aim of opendns. Same sort of thing that took
place anti-spam wise.

Call Dean whatever you want. My take on all this is a) do not ever use
OpenDNS's services (or any open dns cache service for that matter) and
b) never run an open dns cache service that you yourself intend to
depend on.

Sebastian Andersson
2010-03-25 07:27:22 UTC
Post by Michael Loftis
Unpatched DJBDNS, because it will send out many queries for the same data,
is somewhere around 200x more likely to fall prey to cache poisoning. No
nefarious smoke and mirrors, nothing of the sort. It's been very clearly
explained, the math was checked by real statisticians before and after the
fact and found to be sound. There's no way to precisely measure these
things, but they certainly can be estimated, in a number of ways.
Can't one simply run metasploit's DNS poisoning module against djbdns
(on a lan to speed up the results) before and after the patch is applied
and measure the time differences?

/Sebastian
--
So it doesn't mess up the flow of .oooO o,o Oooo. (o_
reading. ( ) \_/ ( ) (o_ //\
Post by Michael Loftis
How come? \ ( /|\ ) / (/)_ V_/_
I prefer to reply inline. \_) (_/ http://dum.acc.umu.se/
Dean Anderson
2010-03-25 16:13:17 UTC
And also on unpatched BIND. BIND was already well known to use only one
port (no guessing), and a brute force attack of all 65536 possible QIDs
was easily possible on a lan. That vulnerability was the reason DJB
created dnscache: Vixie wouldn't fix BIND. All this was well known, as
were the efforts required. Kaminsky did not find anything that speeds up
the attack on BIND or anything else.

FYI, (I missed this on the first look) the CERT cited by Loftis is not
the most recent CERT on BIND by Kaminsky. Kaminsky's CERT is
http://www.kb.cert.org/vuls/id/800113

The CERT Loftis just cited, http://www.kb.cert.org/vuls/id/457875, was
from 2002, and also explains the birthday attack. Actually, that is
another reference showing that Kaminsky didn't discover anything
whatsoever.

The 2002 CERT has a table which, for DJBDNS, comes into the right
ballpark (I had to relabel the headings a little):

| random bits to guess   | outstanding requests | 50% success #packets |
[...]
| TID only (16 bits)     | unlimited            | 426 [BIND]           |
[...]
| TID and port (32 bits) | 200                  | 15 million [DJBDNS]  |
[...]

I'm not certain that BIND allowed unlimited requests. The 2002 CERT also
lists several implementations as being invulnerable. It is unclear
what criteria were used to decide some implementations invulnerable.
(adns, Check Point, GNU glibc, Network Appliance, Xerox Corporation were
listed as 'Not Vulnerable'.) All implementations are vulnerable; it's just a
question of how many packets one has to send to succeed. Perhaps some
level of effort was decided to be "too high". When you have to send
millions of packets, that's probably "too high" for practical purposes.


This quote is apropos:

"The 'birthday attack' method described here appears to be reasonably
well known in the DNS developer community, but we have been unable
to find significant public discussion of it and are thus documenting
it here."

Apparently they missed the abuse of Bernstein on namedroppers when he
tried to discuss it, and the efforts by Vixie et al to quell anything
that was 'critical of BIND'. Or perhaps, their report just implies that
Vixie was successful at quelling the discussion of these attacks.

--Dean
Post by Sebastian Andersson
Post by Michael Loftis
Unpatched DJBDNS, because it will send out many queries for the same data,
is somewhere around 200x more likely to fall prey to cache poisoning. No
nefarious smoke and mirrors, nothing of the sort. It's been very clearly
explained, the math was checked by real statisticians before and after the
fact and found to be sound. There's no way to precisely measure these
things, but they certainly can be estimated, in a number of ways.
Can't one simply run metasploit's DNS poisoning module against djbdns
(on a lan to speed up the results) before and after the patch is applied
and measure the time differences?
/Sebastian
--
Av8 Internet Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 256 5494
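The figures in the CERT table quoted above (426 packets for a 16-bit TID with unlimited outstanding requests, about 15 million forged replies for 32 bits with 200 outstanding) and the "around 200x" figure in Loftis's earlier post both fall out of the same birthday-collision model. The following is an added worked example for this page, not code from the thread, from CERT or from djbdns; it assumes the independent-pairs approximation behind the CERT numbers and that the only parameter the duplicate-query ("merge") behaviour changes is the number of in-flight queries for one name.

```python
import math

# Birthday-collision model for off-path cache poisoning (cf. CERT VU#457875):
# the resolver has `outstanding` in-flight queries for one name, each carrying
# a uniformly random `bits`-bit value (16-bit TID alone, or TID plus a random
# 16-bit source port), and a forger sends `spoofed` replies with random guesses.
# Any guess matching any in-flight query is accepted. (query, reply) pairs are
# treated as independent; that is the approximation the CERT table uses.


def success_probability(bits: int, outstanding: int, spoofed: int) -> float:
    """Probability that at least one forged reply matches an in-flight query."""
    space = 2 ** bits
    trials = outstanding * spoofed
    # 1 - (1 - 1/space)^trials, via log1p/expm1 so it stays accurate when
    # space is 2^32 and trials runs into the billions.
    return -math.expm1(trials * math.log1p(-1.0 / space))


def spoofed_for_half(bits: int, outstanding: int) -> int:
    """Forged replies needed for a 50% chance when the resolver caps the
    number of outstanding queries for a name at `outstanding`."""
    space = 2 ** bits
    # Solve 1 - (1 - 1/space)^(n*m) = 1/2  =>  n*m ~= space * ln 2
    return math.ceil(space * math.log(2) / outstanding)


def packets_unlimited_outstanding(bits: int) -> int:
    """Total packets (n queries to open n in-flight requests plus n forged
    replies) for 50% success when the resolver imposes no cap on outstanding
    queries: n^2 ~= space * ln 2."""
    space = 2 ** bits
    n = round(math.sqrt(space * math.log(2)))
    return 2 * n


def exposure_ratio(bits: int, outstanding_before: int, outstanding_after: int) -> float:
    """How many times more forged replies the 50% point needs once the
    outstanding-query cap is tightened from `outstanding_before` to
    `outstanding_after` (a defender's before/after comparison)."""
    return spoofed_for_half(bits, outstanding_after) / spoofed_for_half(bits, outstanding_before)


if __name__ == "__main__":
    # Reproduce the two rows quoted from the 2002 CERT table.
    print("TID only (16 bits), unlimited outstanding:",
          packets_unlimited_outstanding(16), "packets")      # 426
    print("TID+port (32 bits), 200 outstanding:",
          spoofed_for_half(32, 200), "forged replies")       # ~14.9 million
    # One in-flight query per name (the merge behaviour) versus 200.
    print("TID+port (32 bits), 1 outstanding:",
          spoofed_for_half(32, 1), "forged replies")
    print("200 -> 1 outstanding raises the 50%% point by %.1fx"
          % exposure_ratio(32, 200, 1))
    print("p(success) for 213 queries + 213 replies, 16 bits: %.3f"
          % success_probability(16, 213, 213))
```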