[nsp-sec] DNS vulnerability CVE-2008-1447/VU#800113

Florian Weimer fweimer at bfk.de
Wed Jul 9 03:09:15 EDT 2008


* Chris Morrow:

> So... how does that change if lots and lots of CPE devices:
> 1) have vulnerable recursors (they will/do I guarantee it)
> 2) will 'never' get upgraded (they won't I guarantee it)

I guess ISPs need to patch their resolvers (d'oh) and make sure that
when a customer receives a packet which claims to come from one of the
resolvers, it actually originated there.  This is different from the
caching resolver case, where you'd need universal BCP38 deployment.
For the stub resolver case, you only need to make sure that no one can
spoof your resolver addresses from your upstream/peers, and you need
to implement BCP38 on customer interfaces.  This should be doable, I
think.

(This assumes that the resolver in the CPE actually verifies source
address information, which is likely not true for all of them.)

-- 
Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
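
The filtering described in the message above, modelled as an added example that is not part of the original post: spoofed resolver addresses are dropped on upstream/peer interfaces, BCP38 is applied on customer ports, and the closing caveat about CPE stubs that do not verify the source address is made explicit. The prefixes, interface names and function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing plan using documentation prefixes (not from the post).
RESOLVERS = [ipaddress.ip_network("192.0.2.53/32")]
CUSTOMERS = {  # customer-facing port -> prefixes assigned to that customer
    "cust-a": [ipaddress.ip_network("198.51.100.0/29")],
    "cust-b": [ipaddress.ip_network("198.51.100.8/29")],
}
EXTERNAL = {"upstream", "peer"}

@dataclass(frozen=True)
class Packet:
    ingress: str  # interface the packet arrived on
    src: str      # claimed source address
    dst: str

def _in(addr, nets):
    return any(ipaddress.ip_address(addr) in n for n in nets)

def edge_filter(pkt):
    """Return (allowed, reason) for a packet entering the ISP network."""
    if pkt.ingress in EXTERNAL:
        # Rule 1: nobody outside may claim to be one of our resolvers.
        if _in(pkt.src, RESOLVERS):
            return False, "resolver address spoofed from upstream/peer"
        return True, "external source, not a resolver address"
    if pkt.ingress in CUSTOMERS:
        # Rule 2: BCP38 on customer ports, only assigned prefixes may be sourced.
        if _in(pkt.src, CUSTOMERS[pkt.ingress]):
            return True, "source within customer's assigned prefix"
        return False, "BCP38: source not assigned to this customer port"
    if pkt.ingress == "resolver-lan":
        ok = _in(pkt.src, RESOLVERS)
        return ok, "genuine resolver" if ok else "unexpected source on resolver LAN"
    return False, "unknown ingress interface"

def stub_accepts(pkt, configured_resolver, verifies_source):
    """Does a packet pass the edge filter and the CPE stub's source check?"""
    allowed, _ = edge_filter(pkt)
    if not allowed:
        return False
    # A stub that ignores the source address gains nothing from the filters.
    return (not verifies_source) or pkt.src == configured_resolver
```
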


