[nsp-sec] DNS vulnerability CVE-2008-1447/VU#800113
Florian Weimer
fweimer at bfk.de
Wed Jul 9 05:09:47 EDT 2008

* Sean Donelan:
> Other than some software vendors/programmers announcing a fix for an
> old problem, has anything actually changed in the world today?

The problem is old (25 years or so). I think most of us didn't know
that it was there. It could be that people realized its existence but
were too scared/bored/whatever to actually do something about it, or
they used the wrong channels (like the DNSEXT WG in the IETF).

> Just trying to figure out if this is really a "red alert" or business
> as usual, upgrade your stuff regularly because programmers are human.

There is an attack method with moderate complexity and very moderate
bandwidth requirements that can poison a resolver cache within a
couple of minutes, provided that the resolver does not use a
sufficiently large source port randomization pool. I'm not sure if
it's actually new (see above), but I think it hasn't been posted to
the usual mailing lists (BUGTRAQ et al.). The paper referenced in
<http://isc.sans.org/diary.html?storyid=4693> does NOT mention the
attack method, nor does any of Amit Klein's work.

It's difficult to predict what will happen, of course. To put things
a bit into perspective, you need to consider that DNS vendors have not
fixed all those supposedly-critical bugs you've dealt with during the
last decade, so they lack a little bit of perspective. One thing that
should help us is that it's not obvious how to plug this type of
attack into existing commercial exploit infrastructures, and how to
monetize it. The downside is that even unsuccessful attack attempts
can put significant load on resolvers, affecting their operation.

Personally, I think that we will somehow deal with this mess, assuming
that ISPs and large enterprises actually implement the patches.
However, that's my personal opinion--I've talked to about a dozen
people about this bug, and there were only two (three including me)
who thought that we could avoid major outages/problems. The optimists
(realists?) are clearly in the minority.

--
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
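
Added example, not part of the original message and not code from its author: a defender-side check of the "source port randomization pool" the message refers to, run over the source ports of a resolver's outbound queries. A forged answer has to match the 16-bit transaction ID and the query's source port, so the size of the port pool sets how many extra bits a guess must cover. The function name, the 0.9 and 10-bit thresholds and the sample ports are assumptions made for illustration.

```python
import math
from collections import Counter

TXID_BITS = 16  # the DNS transaction ID is a 16-bit field


def assess_source_ports(ports, min_port_bits=10.0):
    """Rate the source ports seen on a resolver's outbound queries.

    ports: UDP source ports in the order the queries were observed.
    min_port_bits: assumed threshold below which the pool is called weak.
    """
    if len(ports) < 2:
        raise ValueError("need at least two observed queries")
    distinct = len(set(ports))
    # Most common difference between consecutive ports (mod 2**16).
    deltas = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    step, hits = Counter(deltas).most_common(1)[0]
    if distinct == 1:
        verdict, pool = "fixed", 1
    elif step != 0 and hits >= 0.9 * len(deltas):
        verdict, pool = "sequential", 1  # next port is predictable
    else:
        # Crude pool estimate: repeats in a short sample imply a small
        # pool; otherwise use the observed port range.
        span = max(ports) - min(ports) + 1
        pool = distinct if distinct < len(ports) else span
        verdict = "randomized" if math.log2(pool) >= min_port_bits else "weak"
    port_bits = math.log2(pool)
    return {"verdict": verdict, "port_bits": round(port_bits, 2),
            "search_bits": round(TXID_BITS + port_bits, 2)}


# Constructed samples, not captured traffic.
SAMPLES = {
    "fixed": [32768] * 10,
    "sequential": list(range(1025, 1035)),
    "small pool": [2000, 2003, 2001, 2000, 2002, 2003, 2001, 2002, 2000, 2003],
    "wide pool": [49213, 1187, 60342, 23981, 5120, 37766, 14409, 58021,
                  9934, 41250, 30017, 52788],
}

if __name__ == "__main__":
    for name, ports in SAMPLES.items():
        print(f"{name:11} {assess_source_ports(ports)}")
```

The ports would come from a capture taken on the path between the resolver and the authoritative servers; a dozen observations only give a rough lower bound, so a longer sample gives a better estimate.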