Alan Clegg @rr.com
from: Cabal
reply to espaeth: Transaction ID is just not enough (even if 100% "random")
said by espaeth :
If you have sufficient transaction ID randomness, then to a certain degree the source port randomness is just an academic bonus.
The issue with Bind was that both the source port and the transaction ID for the requests were predictable, which made the poisoning not just possible, but actually quite likely if you scripted things correctly.
You sir, are completely incorrect.
Alan Clegg aclegg@isc.org
  espaeth Digital Plumber Premium,MVM join:2001-04-21 Minneapolis, MN
said by Alan Clegg :
If you have sufficient transaction ID randomness, then to a certain degree the source port randomness is just an academic bonus.
You sir, are completely incorrect.
Completely?
I will acknowledge that I overstated on source port randomness just being a bonus. Still, the most exploitable servers are those that are still using fixed source port queries, followed by the previous BIND implementations that still had limited entropy for both the source port and transaction ID.
The servers being reported with "poor" source port randomness (i.e., randomness within a fixed range) but "good" transaction ID randomness are still better off than those servers out there still susceptible to securitytracker.com/alerts/2007/···442.html.
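Quantifying the entropy argument in this exchange, as an added example that is not part of the thread: the script estimates, in the style of RFC 5452, how much guessing an off-path spoofer is forced into under the configurations discussed (fixed source port, port within a fixed range, fully random port, and the predictable-TXID case). The scenario space sizes are assumptions chosen for illustration.

```python
import math

# Constructed scenarios mirroring the configurations argued about in the
# thread. The port-range sizes are illustrative assumptions, not measurements
# of any particular resolver.
SCENARIOS = {
    "predictable TXID and fixed source port": (1, 1),
    "random 16-bit TXID, fixed source port": (65536, 1),
    "random 16-bit TXID, port within a 1024-port range": (65536, 1024),
    "random 16-bit TXID, ~15-bit random port": (65536, 32768),
}


def match_probability(txid_space: int, port_space: int) -> float:
    """Chance that a single forged reply matches both the TXID and the
    destination port of one outstanding query, assuming the resolver draws
    each uniformly from the given space sizes (the RFC 5452 estimate)."""
    return 1.0 / (txid_space * port_space)


def effective_bits(txid_space: int, port_space: int) -> float:
    """Combined entropy, in bits, that an off-path spoofer has to guess."""
    return math.log2(txid_space * port_space)


def replies_for_success(p_target: float, txid_space: int, port_space: int) -> int:
    """Forged replies that would have to reach the resolver during one race
    for at least a p_target chance that one matches; 0 < p_target < 1."""
    if not 0.0 < p_target < 1.0:
        raise ValueError("p_target must be strictly between 0 and 1")
    q = match_probability(txid_space, port_space)
    if q >= 1.0:
        # Nothing left to guess: the first forged reply already matches.
        return 1
    return math.ceil(math.log(1.0 - p_target) / math.log(1.0 - q))


def compare(p_target: float = 0.5) -> dict:
    """Tabulate every scenario as (entropy bits, replies) so they can be ranked."""
    return {
        name: (effective_bits(t, p), replies_for_success(p_target, t, p))
        for name, (t, p) in SCENARIOS.items()
    }


if __name__ == "__main__":
    for name, (bits, replies) in compare().items():
        print(f"{name:52s} {bits:5.1f} bits  ~{replies:>12,d} replies for 50%")
```

The ranking matches the thread's point: a fixed port leaves only the 16 TXID bits, a port confined to a range adds a few bits, and a fully random port pushes the cost up by tens of thousands of times.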
Dan Kaminsky @speakeasy.net
reply to jbob: Re: [DNS] Comcast and the DNS Server flaw issue
The new bug is much worse than the old one -- predictable TXID wouldn't override cache, since there wouldn't be another race.
OB1 Premium join:2006-07-17 ITALY
reply to Dan Kaminsky
said by Dan Kaminsky :
This is Dan Kaminsky, the original finder of the bug.
LOL... Hi there Dan, this world is really small, isn't it?
said by Dan Kaminsky :
Comcast is using Nominum, the company that employs the inventor of DNS. Nominum has some extra protections that slow my attack down by a couple hundred times. (I called BS on Nominum and they were only too happy to give me a server to try to break. I eventually did, but not in 10 seconds like everyone else but DJB/power.)
Uhmmm... maybe not to the vanilla stuff... but since Nominum and ISC BIND share some "codebase", I wonder if Nominum may be vulnerable to a certain "collision attack".
Did you try it?
swilbourn @comcast.net
A previous poster wrote,
"Uhmmm... maybe not to the vanilla stuff... but since nominum and ISC BIND share some "codebase", I wonder if nominum may be vulnerable to a certain "collision attack""
Sorry, but BIND and Nominum don't share any code. Nominum's servers are not derived from BIND at all, and in fact have a different underlying design.
Sandy Wilbourn VP Engineering, Nominum wilbourn@nominum.com
OB1 Premium join:2006-07-17 ITALY
said by swilbourn :
Sorry, but BIND and Nominum don't share any code. Nominum's servers are not derived from BIND at all, and in fact have a different underlying design.
Yes, OK, I was somewhat "smokey" and probably not correct, but my post was directed to Dan, and I hope he understood what I meant. -- ObiWan