Re: first successful (lab) spoof of a fully source port randomized server reported

sthaug@nethelp.no Fri, 08 August 2008 11:31 UTC

Date: Fri, 08 Aug 2008 13:26:07 +0200
Message-Id: <20080808.132607.41660169.sthaug@nethelp.no>
To: namedroppers@ops.ietf.org
Subject: Re: first successful (lab) spoof of a fully source port randomized server reported
From: sthaug@nethelp.no
In-Reply-To: <20080808111242.GI6566@outpost.ds9a.nl>
References: <20080808111242.GI6566@outpost.ds9a.nl>

> http://tservice.net.ru/~s0mbre/blog//devel/networking/dns/2008_08_08
> 
> "Attack took about half of the day, i.e. a bit less than 10 hours.
>  So, if you have a GigE lan, any trojaned machine can poison your DNS during
>  one night... "
> 
> Congratulations are due to Evgeniy Polyakov! He includes the source of his
> exploit.

Interesting enough. Meanwhile, if I have a recursive name server where
the total traffic from the authoritative servers is in the range of
2 - 3 Mbps, I believe I could safely rate limit the traffic from each
individual IP (representing a possibly spoofed authoritative server) to
100 - 200 kbps. This should raise the bar somewhat.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
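Added illustration, not part of Haug's message or of the cited blog post: a per-source token bucket in Python that enforces the kind of per-IP byte-rate limit he proposes for responses arriving at a recursive resolver. All traffic is constructed; the addresses (documentation ranges), the 100 kbps limit, the burst size and the 120-byte response size are assumptions chosen to match the figures in the message.

```python
"""Per-source byte-rate limiting of DNS responses at a recursive resolver.

Added example; every packet below is constructed, nothing is captured traffic.
"""

from collections import namedtuple

# ts in seconds, size in bytes (UDP payload of a DNS response)
Packet = namedtuple("Packet", "ts src_ip size")


class PerSourceRateLimiter:
    """One token bucket per source IP. Tokens are bytes: the bucket refills at
    rate_bps/8 bytes per second and never holds more than burst_bytes."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0          # bytes per second
        self.burst = float(burst_bytes)
        self.buckets = {}                   # src_ip -> (tokens, last_seen_ts)

    def allow(self, pkt):
        tokens, last = self.buckets.get(pkt.src_ip, (self.burst, pkt.ts))
        tokens = min(self.burst, tokens + (pkt.ts - last) * self.rate)
        if tokens >= pkt.size:
            self.buckets[pkt.src_ip] = (tokens - pkt.size, pkt.ts)
            return True                     # pass to the resolver
        self.buckets[pkt.src_ip] = (tokens, pkt.ts)
        return False                        # drop


def synthetic_stream(src_ip, pps, seconds, size):
    """Constructed stream of `pps` responses/s of `size` bytes from src_ip."""
    return [Packet(i / pps, src_ip, size) for i in range(int(pps * seconds))]


def run(limiter, packets):
    """Feed packets in arrival order; return (accepted, dropped)."""
    accepted = sum(1 for p in sorted(packets, key=lambda p: p.ts)
                   if limiter.allow(p))
    return accepted, len(packets) - accepted


def max_pps(rate_bps, response_bytes):
    """Responses per second a single source address can get through the limit."""
    return rate_bps / 8.0 / response_bytes


def simulate(rate_bps=100_000, burst_bytes=25_000):
    """Two scenarios for one authoritative address (assumed 198.51.100.10).

    quiet : only the real authority answers, 20 responses/s of 120 B (~19 kbps)
    attack: the same 10 s, plus forged responses carrying the authority's
            source address at 2000/s (~1.9 Mbps); both share one bucket.
    """
    authority = "198.51.100.10"
    legit = synthetic_stream(authority, 20, 10, 120)
    forged = synthetic_stream(authority, 2000, 10, 120)
    quiet = run(PerSourceRateLimiter(rate_bps, burst_bytes), legit)
    attack = run(PerSourceRateLimiter(rate_bps, burst_bytes), legit + forged)
    return {"quiet": quiet, "attack": attack}


if __name__ == "__main__":
    for name, (acc, drop) in simulate().items():
        print(f"{name:6s}: accepted={acc} dropped={drop}")
    print(f"cap per source: {max_pps(100_000, 120):.1f} responses/s")
```

In the quiet scenario every legitimate response passes, because 20 responses/s of 120 bytes refills the bucket faster than it drains. Under the flood, the shared bucket lets roughly 125 responses/s through instead of 2000, which is the "raise the bar" effect: a forger can only try about 1/16 as many guesses per second through this resolver. The same run shows the cost: forged and genuine responses carry the same source address, so the limit cannot distinguish them, and during an attack most of the real authority's answers are dropped as well. In production the limit belongs in the packet filter rather than in Python, and the burst must be sized for the largest legitimate response bursts (busy authorities, large answers, resolver cache misses under load) or the mitigation becomes a self-inflicted outage for that zone.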

archive: <http://ops.ietf.org/lists/namedroppers/>