[nsp-sec] Solutions for the DNS vul? - Suggestion
Chris Morrow
morrowc at ops-netman.net
Fri Jul 25 01:14:15 EDT 2008
Darrel Lewis to the White Courtesy Phone Please (see below where I wildly
conjecture...)
On Fri, 25 Jul 2008, Yonglin ZHOU wrote:
> ----------- nsp-security Confidential --------
>
> If ISP has traffic cleaning device, or anti-DDOS firewalls, that could
most of these do (for dns) truncate -> tcp -> force 'authentication of
source' -> udp for X period of time... They don't do much wrt
Transaction-ID or state of the 'session'. Many of the deployments aren't
even in the right path for state maintenance :( (asynchronous routing
through the mitigation device(s) )
> help because the attacks consist of numbers of packets in short times
> and the packets are all the same but the SN ID. Right?
I guess you could force everyone over to TCP, validate the source then
move along to solving the right answer.. I wonder though, the Cisco
GuardXT, when it hits 'strong mode' for DNS it will often cache answers
locally in order to buffer some/all of the conversation from the affected
resource. How's that device doing wrt this bug? Note that in many
deployments it might not matter, but there are certainly a few deployments
where it may (vzb, sprint, att that have these deployed toward their core
networks with the 'protected resource' often 30-40ms away).
-Chris
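The "truncate -> TCP -> authenticated source -> UDP for X period" behaviour described above, as an added example that is not from the post or from any vendor's product: a toy model of that state machine. An unknown source querying over UDP gets an empty response with the TC bit set (so a well-behaved resolver retries over TCP); a query that arrives over TCP has completed a handshake, so its source address is treated as authenticated for a fixed window and served over UDP until that window expires. The IP addresses, the `window_seconds` value and the `FakeClock` are constructed for the example. Like the devices the post describes, the model does nothing about transaction IDs, and its state lives in one process, which is exactly the limitation the post raises for asymmetric paths.

```python
"""Toy model of a DNS front end that forces unknown sources onto TCP and
then serves them over UDP for a limited window. Constructed example."""
import struct
import time

QR_FLAG = 0x8000   # response bit in the DNS header flags word
RD_FLAG = 0x0100   # recursion desired; echoed back to the client
TC_FLAG = 0x0200   # truncated: tells the client to retry over TCP


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression, as in queries)."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(ident: int, name: str, qtype: int = 1) -> bytes:
    """Build a minimal standard query (QTYPE 1 = A, QCLASS 1 = IN)."""
    header = struct.pack("!6H", ident, RD_FLAG, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg: bytes):
    """Return (id, flags, qdcount) from a raw DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its 12-byte header")
    ident, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return ident, flags, qdcount


def question_section(msg: bytes) -> bytes:
    """Return the bytes of the first question (QNAME + QTYPE + QCLASS)."""
    pos = 12
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        pos += length
    return msg[12:pos + 4]


def truncated_reply(query: bytes) -> bytes:
    """Empty response with TC=1 that echoes the ID and question, so the
    client re-sends the query over TCP."""
    ident, flags, qdcount = parse_header(query)
    rflags = QR_FLAG | TC_FLAG | (flags & RD_FLAG)
    header = struct.pack("!6H", ident, rflags, qdcount, 0, 0, 0)
    return header + question_section(query)


class SourceAuthenticator:
    """Tracks which source IPs have proven themselves over TCP.

    Note: this only checks the source address. It does not validate the
    transaction ID, and the table is local to this process, so a reply
    path that bypasses it sees no state at all."""

    def __init__(self, window_seconds: float, clock=time.monotonic):
        self.window = window_seconds
        self.clock = clock
        self.authenticated = {}  # src_ip -> expiry timestamp

    def is_authenticated(self, src_ip: str) -> bool:
        expiry = self.authenticated.get(src_ip)
        if expiry is None:
            return False
        if expiry <= self.clock():
            del self.authenticated[src_ip]  # window elapsed; forget it
            return False
        return True

    def handle(self, src_ip: str, transport: str, query: bytes, answer_fn):
        """Return ("answer", payload) or ("truncate", tc_reply)."""
        if transport == "tcp":
            # A completed TCP handshake means the source address was
            # not trivially spoofed; admit it for one window.
            self.authenticated[src_ip] = self.clock() + self.window
            return "answer", answer_fn(query)
        if self.is_authenticated(src_ip):
            return "answer", answer_fn(query)
        return "truncate", truncated_reply(query)


class FakeClock:
    """Deterministic clock so the demo does not depend on wall time."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def demo():
    """Walk one hypothetical client through the state machine and return
    the sequence of actions taken."""
    clock = FakeClock()
    auth = SourceAuthenticator(window_seconds=30, clock=clock)
    query = build_query(0x1234, "example.com")       # constructed query
    answer = lambda q: b"ANSWER"                      # stand-in for a real reply
    actions = []
    actions.append(auth.handle("198.51.100.7", "udp", query, answer)[0])
    actions.append(auth.handle("198.51.100.7", "tcp", query, answer)[0])
    actions.append(auth.handle("198.51.100.7", "udp", query, answer)[0])
    clock.t = 31.0                                    # window expired
    actions.append(auth.handle("198.51.100.7", "udp", query, answer)[0])
    return actions


if __name__ == "__main__":
    print(demo())
```

Running the module prints the four actions in order: truncate, answer, answer, truncate. The first UDP query is bounced to TCP, the TCP query admits the source, the next UDP query is served directly, and after the window lapses the source has to prove itself again.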