Message-ID: <19990314115901.A29122@unixpower.org>
Date: Sun, 14 Mar 1999 11:59:01 -0500
From: Alan
To: Marc Slemko
Cc: freebsd-security@freebsd.org
Subject: Re: bind 8.1.2 cache poisoning

On Sat, Mar 13, 1999 at 10:53:36PM -0800, Marc Slemko wrote:
> On Sat, 13 Mar 1999, Jesse wrote:
>
> Yup, it can be done. There are three or four programs that I have seen
> which do it.
>
> The way a name server can match a response to a request is by looking
> at the query id. This query id is a 16 bit number. If you can guess
> that number, you can often spoof a response.
>
Really, I have only seen 2.
>
> Hmm? I'm not sure what you are talking about. The root name servers do
> not run with recursion enabled making this attack not work against them.
>
Hmmph.... I admin a box for a friend, and I saw people who had root
'snoof'ing stuff like 'owned.microsoft.com' onto a.root-servers.net.
It's really sad when people you think you can trust do things like that.

--
| Alan L. * Webmaster of www.UnixPower.org                      |
| Windsor Unix Users Group Founder: http://unix.windsor.on.ca/  |
| Personal Page: http://www.unixpower.org/alanp/                |
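The query-id matching described in the quoted text, seen from the resolver's side, as an added example that is not part of the original thread and is not BIND's code. The function names are hypothetical, and the extra checks on sender address and question section are an assumption that goes beyond the id-only matching the thread describes.

```python
import secrets
import struct

def encode_name(name):
    """Encode a hostname as DNS labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=1, qclass=1):
    """Return (query_id, packet) for a recursive query; the id comes from a CSPRNG."""
    qid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return qid, header + encode_name(name) + struct.pack("!HH", qtype, qclass)

def read_question(packet):
    """Parse the first question after the 12-byte header: (name, qtype, qclass)."""
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length > 63:
            raise ValueError("compressed or invalid label in question")
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype, qclass

def accept_response(packet, peer, pending):
    """pending maps query_id -> (server_addr, query_packet); True only on a full match."""
    if len(packet) < 12:
        return False
    qid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if not flags & 0x8000 or qdcount != 1 or qid not in pending:
        return False  # not a response, malformed, or no outstanding query with this id
    server, query = pending[qid]
    try:
        same_question = read_question(packet) == read_question(query)
    except (ValueError, IndexError, struct.error):
        return False
    return peer == server and same_question
```

A resolver that accepts on the 16-bit id alone would skip the last two comparisons, which is the weakness the thread is discussing.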