Re: [ga] Vixies vixens make big boo boo on successful Russian DNS hack

["Jeffrey A. Williams" <jwkckid1@xxxxxxxxxxxxx>]

Dr. Joe and all,

  Thanks for also saving/archiving the original story.  History if
saved in this manner can never be truthfully revised.  BTW, I
and 200 odd other or our members also archived this story
including all metadata for forensics purposes as well if needed
in the future for legal purposes.  I hope SANS will also be
covering it as well as did NetworkWorld.

  FWIW, it may be time to keep a closer watch on Circleid,
which I have also written for on occasion.  Yellow journalism
is not a good thing...

Joe Baptista wrote:

>
> The news story below was first published on CircleID.  It has since
> been yanked and is no where to be found on CircleID.  Maybe we are
> witnessing a bit of history revision.  This makes me sad because
> CircleID was a publication I once wrote for.  In fact I was one of the
> first paid writer for the organization.  Probably the only one at the
> time.  And it is sad to see revision at an organization I was once
> associated with.
>
> However it is understandable considering Vixie, the sacred cow of DNS,
> made such a stupid and silly statement in the article.
>
> Basically an internet researcher in Russia was able to break the Vixie
> patch and poison a servers cache after some 10 hours, billions of
> connections over a gigabit connection.  Vixies response was "before
> somebody gets all excited about it let's be clear that it takes two
> billion packets on average to defeat UDP port randomization, which in
> this case was a fully utilized gigabit Internet connection for a
> period of ten hours."  and proceeded to draw parallels that the level
> of risk was reasonably low because of this rationalization.
>
> I think sometime Vixie lives in the dark ages of the net, when
> everything was low bandwidth and script kiddies were a novelty.
> Indeed Polyakov, the Russian researcher, should be congratulated for
> his success in this attack considering the poor russian was using such
> limited resources.
>
> Unlike script kiddies or real internet criminals Polyakov did not have
> the resources required, being hundreds of thousands of computers
> connected through a maze of IRC botnets on hundreds of thousands of
> both DSL and gigabit connections to conduct a proper attack.  Poor man
> had to do it with one computer and one high speed internet link.  If
> he had better resources - like the kiddies - he could probably do it
> in much less time - 10 - 20 minutes?
>
> Under these circumstances I'm not surprised the story was yanked.  The
> quote makes Vixie look like an idiot.
>
> In any case - here is the original story no longer published at
> CircleID.
>
>
> Latest news postings on CircleID
> URL: http://www.circleid.com/news/
> Updated: 10 hours 46 min ago
>
> Emergency DNS Patch Still Vulnerable, Proves Russian Physicist
>
> 10 hours 19 min ago
> A Russian physicist has been able to successfully poison the latest
> BIND patch with fully randomized ports. In other words, the emergency
> fix put in place to patch the Domain Name System (DNS) vulnerability
> for BIND, Internet's most popular DNS software, has been demonstrated
> to be vulnerable?and still exploitable by criminals.
>
> Evgeniy Polyakov from Moscow, Russia in a blog post today, has shown
> how using two fairly powerful computers and a fast broadband
> connection, one could successfully attack the patched DNS server in
> less than 10 hours. With a fast connection, "any trojaned machine can
> poison your DNS during one night" says Polyakov in his blog post.
>
> As demonstrated by security expert, Dan Kaminsky on Wednesday at the
> Black Hat security conference, the vulnerability, if exploited by
> criminal, could be detrimental to the Web as well as services such as
> email.
>
> Paul Vixie, president of the Internet Systems Consortium (ISC), the
> organization in charge of maintaining the BIND software has verified
> that Polyakov's exploit looks real. However "before somebody gets all
> excited about it," Vixie says, "let's be clear that it takes two
> billion packets on average to defeat UDP port randomization, which in
> this case was a fully utilized gigabit Internet connection for a
> period of ten hours." In other words, the probability of a successful
> attack is fairly minimal. On the other hand, in the case of an
> unpatched server, an attack was "narrowed down to six seconds," Vixie
> noted.
>
> In the long term, Vixie says "we'll go on improving our forgery
> resilience, as will every recursive DNS implementor, while we continue
> pushing DNSSEC as the ultimate long term solution to the entire
> forgery problem including this off-path-attacker problem."
>
> More under: DNS, DNSSEC, Security
> Categories: Net coverage
>
> --
> Joe Baptista
> www.publicroot.org
> PublicRoot Consortium
> ----------------------------------------------------------------
> The future of the Internet is Open, Transparent, Inclusive,
> Representative & Accountable to the Internet community @large.
> ----------------------------------------------------------------
> Office: +1 (360) 526-6077 (extension 052)
> Fax: +1 (509) 479-0084
>
>
Regards,

Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail
jwkckid1@xxxxxxxxxxxxx
My Phone: 214-244-4827