Patched DNS servers still vulnerable to cache poisoning

10 Hours is an average

But it could happen on the first try or within the first few seconds of trying. A better solution needs to be found - which is why I'm going through the DNSSEC documentation and tools right now.

Hmmmph

The bug, still at large in some places, means someone could steal my Register Comments log in credentials and post comments as me. What if they already had? What if this isn't actually me posting?

What's that? It's an improvement? Well, no need to sound so happy about it!

Hmmmph! No ... no need to hand me my coat - I'll leave of my own accord, thankyou very much.

@ fronty

"we almost need to have a completely new way of achieving DNS type functionality, but without using the DNS protocol."

IPV6 combined with SSL certificates that are based on 164 bit encryption should do the job nicely.

Mine is the silver herring bone tweed one with the shimmering brown patches on the elbows and the hexadecimal calculator in the left side pocket, thanks.

@Tony Hoyle & @AC

>> "ISPs routinely filter the source addresses of packets to stop

>> exactly this kind of shenanigans, and have done for years.."

> Your faith in ISPs is ... touching.

Source address filtering does not work against DNS poisoning attack, as the forged packets have the source address of the real DNS server.

On a related note, Polyakov's attack (practically) cannot be mounted against ISP servers, due to bandwidth constraints. But, it *can* be mounted against a corporate network by means of trojaned system(s) on the LAN. OTOH, in the latter case, the attack can be stopped by packet filtering.

Eugene

Re:10 Hours is an average

We don't know how many times he succeeded with this tactic, so accepting 10 hours as an average isn't really a good idea. It's like rolling a dice once, getting a 6 and calling that the average roll of a dice.

Also, it goes both ways, it's theoretically possible to get it first try and succeed instantly, but it's also possible to go on for much much longer than 10 hours.

New plan!!

Why don't we all just use HOSTS files? :)

Critical?

I decided I need to check up on MS patches for this little baby last week. MS08-037 seems to be the one that covers this "gaping hole that bring an end to all of online civilisation" I believe.

So why isn't this offered or even LISTED on Windows Update, for either my XP clients or 2003 server (which runs in-house DNS)??

Source address filtering does work

Source address filtering works against any spoofing attack. The packets never leave the source network (most routers actually do this by default - linux has it built in to filter them.. calls them 'martian packets' and drops them.. cisco routers just drop them silently... no need to rely on the competence of the ISP).

That limits the attack to the local LAN - and once you're on that then the number of attack vectors is so large you'd be insane to attempt to brute force a DNS server - there are *much* easier ways to screw things up and they don't take 10 hours or even 1 hour.

As mentioned this not unique to DNS - any protocol that wants a reply can be spoofed given that kind of access and enough time (and for things like zeroconf and upnp 'enough time' is about 1/10th of a second). It's not fixable because the problem isn't with the protocol it's with allowing someone access to your LAN without adequate security.

Or add a slow-down to reduce the risks further

Insert a Load Balancer, and ensure round-robin is used on the farm or caches. Now its incredibly difficult to doing poisoning. Go to Starbucks.