ICANN/GNSO GNSO Email List Archives

[ga]



[ga] Vixies vixens make big boo boo on successful Russian DNS hack

  • To: Ga <ga@xxxxxxxxxxxxxx>
  • Subject: [ga] Vixies vixens make big boo boo on successful Russian DNS hack
  • From: "Joe Baptista" <baptista@xxxxxxxxxxxxxx>
  • Date: Sun, 10 Aug 2008 10:09:59 -0400

The news story below was first published on CircleID.  It has since been
yanked and is nowhere to be found on CircleID.  Maybe we are witnessing a
bit of history revision.  This makes me sad because CircleID was a
publication I once wrote for.  In fact I was one of the first paid writers
for the organization.  Probably the only one at the time.  And it is sad to
see revision at an organization I was once associated with.

However it is understandable considering Vixie, the sacred cow of DNS, made
such a stupid and silly statement in the article.

Basically an internet researcher in Russia was able to break the Vixie patch
and poison a server's cache after some 10 hours, billions of connections over
a gigabit connection.  Vixie's response was "before somebody gets all excited
about it let's be clear that it takes two billion packets on average to
defeat UDP port randomization, which in this case was a fully utilized
gigabit Internet connection for a period of ten hours."  and proceeded to
draw parallels that the level of risk was reasonably low because of this
rationalization.

I think sometimes Vixie lives in the dark ages of the net, when everything
was low bandwidth and script kiddies were a novelty.  Indeed Polyakov, the
Russian researcher, should be congratulated for his success in this attack
considering the poor Russian was using such limited resources.

Unlike script kiddies or real internet criminals Polyakov did not have the
resources required, being hundreds of thousands of computers connected
through a maze of IRC botnets on hundreds of thousands of both DSL and
gigabit connections to conduct a proper attack.  Poor man had to do it with
one computer and one high speed internet link.  If he had better resources -
like the kiddies - he could probably do it in much less time - 10 - 20
minutes?

Under these circumstances I'm not surprised the story was yanked.  The quote
makes Vixie look like an idiot.

In any case - here is the original story no longer published at CircleID.


Latest news postings on CircleID
*URL:* http://www.circleid.com/news/
*Updated:* 10 hours 46 min ago
Emergency DNS Patch Still Vulnerable, Proves Russian Physicist
<http://www.circleid.com/posts/88982_emergency_dns_patch_still_vulnerable/>
*10 hours 19 min* ago

A Russian physicist has been able to successfully poison the latest BIND
patch with fully randomized ports. In other words, the emergency fix put in
place to patch the Domain Name System (DNS) vulnerability
<http://www.circleid.com/posts/largest_synchronized_dns_bug_patch/> for
BIND, Internet's most popular DNS software, has been demonstrated to be
vulnerable—and still exploitable by criminals.

Evgeniy Polyakov from Moscow, Russia in a blog post
<http://tservice.net.ru/%7Es0mbre/blog/devel/networking/dns/2008_08_08.html>
today, has shown how using two fairly powerful computers and a fast
broadband connection, one could successfully attack the patched DNS server
in less than 10 hours. With a fast connection, "any trojaned machine can
poison your DNS during one night" says Polyakov in his blog post.

As demonstrated by security expert, Dan Kaminsky
<http://www.circleid.com/posts/88670_kaminsky_dns_bug_disclosure/> on
Wednesday at the Black Hat security conference, the vulnerability, if
exploited by criminals, could be detrimental to the Web as well as services
such as email.

Paul Vixie <http://www.circleid.com/members/620/>, president of the Internet
Systems Consortium (ISC <http://www.isc.org/>), the organization in charge
of maintaining the BIND software has verified that Polyakov's exploit looks
real. However "before somebody gets all excited about it," Vixie says,
"let's be clear that it takes two billion packets on average to defeat UDP
port randomization, which in this case was a fully utilized gigabit Internet
connection for a period of ten hours." In other words, the probability of a
successful attack is fairly minimal. On the other hand, in the case of an
unpatched server, an attack was "narrowed down to six seconds," Vixie noted.


In the long term, Vixie says "we'll go on improving our forgery resilience,
as will every recursive DNS implementor, while we continue pushing DNSSEC
<http://en.wikipedia.org/wiki/Dnssec> as the ultimate long term solution to
the entire forgery problem including this off-path-attacker problem."



-- 
Joe Baptista
www.publicroot.org
PublicRoot Consortium
----------------------------------------------------------------
The future of the Internet is Open, Transparent, Inclusive, Representative &
Accountable to the Internet community @large.
----------------------------------------------------------------
Office: +1 (360) 526-6077 (extension 052)
Fax: +1 (509) 479-0084

