[nsp-sec] DNS vulnerability CVE-2008-1447/VU#800113
Niels Provos
niels at google.com
Mon Jul 14 00:17:56 EDT 2008
On Tue, Jul 8, 2008 at 10:43 AM, Florian Weimer <fweimer at bfk.de> wrote:
> today, countermeasures for a DNS protocol vulnerability have been
> announced by several vendors. Unlike previous vulnerabilities
> involving weak transaction IDs, this is the real thing: a protocol
> issue which is very difficult to fix completely. The countermeasure
> recommended at this stage is UDP query source port randomization. It
> does not completely eliminate the vulnerability, but it makes
> exploitation attempts more noisy and noticeable because an attacker
> needs to send literally billions of packets.
If you need a quick tool to test your recursive resolver, I wrote a
small Python script to do so; see here:
http://www.provos.org/index.php?/archives/42-DNS-and-Randomness.html
All my resolvers were already using random source ports.
Niels.
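For readers who want to run the check Niels describes without his script, the following is an added example (not the script linked above, and not code from the nsp-sec thread). It takes tcpdump-style one-line summaries of the queries a recursive resolver sends to an authoritative server, pulls out the UDP source port and the 16-bit transaction ID, and classifies the port behaviour as fixed, sequential, or randomized, then sizes the (port, TXID) guess space a spoofer would have to cover. The three captures embedded in it are constructed, not real traffic; the resolver and server addresses are documentation ranges. In practice you would collect the lines with tcpdump on a name server you control that is authoritative for the names you query, because a resolver's source ports are only visible at the far end.

```python
"""Assess a recursive resolver's UDP source-port randomization from the
queries an authoritative name server sees.  Added example, not the script
from the original post.  All sample captures below are constructed."""
import math
import re
from collections import Counter

# Matches "IP <src>.<sport> > <dst>.53: <txid>..." in tcpdump's one-line
# DNS summary style; addresses are dotted quads, so the last dotted field
# of the source is the port.
LINE_RE = re.compile(r"IP \S+?\.(\d+) > \S+\.53: (\d+)")

TXID_SPACE = 1 << 16  # the DNS transaction ID is a 16-bit field


def _lines(ports, txids):
    """Build constructed tcpdump-style lines (192.0.2.10 = resolver under
    test, 198.51.100.7 = authoritative server we control)."""
    return ["IP 192.0.2.10.%d > 198.51.100.7.53: %d+ A? q%d.example.net. (34)"
            % (p, t, i) for i, (p, t) in enumerate(zip(ports, txids))]


# Constructed sample 1: classic unpatched behaviour, port 53 every time,
# TXIDs counting up.
FIXED_PORT = _lines([53] * 12, range(1000, 1012))
# Constructed sample 2: a port per query, but with a constant stride.
SEQUENTIAL_PORT = _lines(range(32768, 32780),
                         [7412, 60133, 2891, 45007, 19566, 33020,
                          58711, 9044, 27659, 63380, 1207, 41998])
# Constructed sample 3: ports spread across the ephemeral range.
RANDOM_PORT = _lines([50231, 1874, 61002, 33917, 9455, 47720,
                      27061, 58399, 14112, 39876, 5530, 62741],
                     [7412, 60133, 2891, 45007, 19566, 33020,
                      58711, 9044, 27659, 63380, 1207, 41998])


def parse_capture(lines):
    """Return (source_port, txid) pairs for the queries sent to port 53."""
    pairs = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            pairs.append((int(m.group(1)), int(m.group(2))))
    return pairs


def assess_ports(ports):
    """Classify the port sequence and report its empirical entropy.

    The entropy of a small sample is capped at log2(n) bits, so it is a
    sanity figure, not a proof of randomness; the verdict is what matters."""
    counts = Counter(ports)
    n = len(ports)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    strides = {b - a for a, b in zip(ports, ports[1:])}
    if len(counts) == 1:
        verdict = "fixed"
    elif len(strides) == 1:       # same step every query, e.g. +1
        verdict = "sequential"
    else:
        verdict = "randomized"
    return {"distinct": len(counts),
            "span": max(ports) - min(ports) + 1,
            "entropy_bits": entropy,
            "verdict": verdict}


def guess_space(assessment):
    """Return (combinations, expected_spoofed_packets).

    A fixed or sequential port is predictable after one observation, so
    only the 16-bit TXID protects the query.  For a randomized port the
    observed span is a lower bound on the ports in play."""
    if assessment["verdict"] in ("fixed", "sequential"):
        ports = 1
    else:
        ports = assessment["span"]
    combos = TXID_SPACE * ports
    return combos, combos // 2


if __name__ == "__main__":
    for name, capture in (("fixed", FIXED_PORT),
                          ("sequential", SEQUENTIAL_PORT),
                          ("random", RANDOM_PORT)):
        ports = [p for p, _ in parse_capture(capture)]
        a = assess_ports(ports)
        combos, expected = guess_space(a)
        print("%-10s verdict=%-10s distinct=%2d span=%5d entropy=%.2f bits "
              "guess space=%d (about %d spoofed packets expected)"
              % (name, a["verdict"], a["distinct"], a["span"],
                 a["entropy_bits"], combos, expected))
```

With twelve queries the fixed-port case leaves the attacker a 65536-way TXID guess, while the randomized case already shows a span of roughly 60 000 ports, putting the combined space in the billions that the quoted message refers to. Feed the script a few hundred real lines rather than twelve before drawing conclusions about a resolver, and remember that a NAT in front of the resolver can rewrite its ports and undo the randomization.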