[kwlug disc.] DNS security threat

[john at netdirect.ca]

kwlug-disc-bounces at kwlug.org wrote on 08/01/2008 10:43:25 AM:

> Ok, that would work,, albeit, with a very very poor chance of success.
> Remember that the spoof answer has to return to the victim DNS server
> before google's reponse.. that will be hard for an attacking system to
> do, because the attacker would be sending millions of spoofed reponses
> all over the net.

This is a difficult exploit to take advantage of. It's a lot of work and 
it relies on one or more things going wrong *after* the compromise in 
order to take advantage of it.

This exploit has been blown out of proportion because of the reaction to 
how Kaminsky (the discoverer) handled this. It caused quite a stir just 
before the Black Hat security conference and there were claims that he was 
manipulating things to boost his exposure at the conference. It resulted 
in a lot of press.

> All in all, I'll take my chances.  By no means do I wish to discourage
> people from patching DNS, but I remain convinced that the real threat is
> ISP's with large DNS recursive servers that serve recursively to anyone
> who asks, and are sitting right there waiting for an attacker to poison
> their cache.

Are there any large ISPs that allow recursive queries from outside their 
network? I'm positive there are small ones but I would have assumed that 
the big ones had taken care of this years ago.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://listserv.ccjclearline.com/pipermail/kwlug-disc/attachments/20080801/563786e5/attachment.htm