ICANN/GNSO GNSO Email List Archives

[ga]



Re: [ga] Vixies vixens make big boo boo on successful Russian DNS hack

  • To: "Jeffrey A. Williams" <jwkckid1@xxxxxxxxxxxxx>
  • Subject: Re: [ga] Vixies vixens make big boo boo on successful Russian DNS hack
  • From: "Joe Baptista" <baptista@xxxxxxxxxxxxxx>
  • Date: Mon, 11 Aug 2008 10:12:06 -0400

On Sun, Aug 10, 2008 at 3:12 AM, Jeffrey A. Williams <jwkckid1@xxxxxxxxxxxxx> wrote:

>
> Dr. Joe and all,
>
>  Thanks for also saving/archiving the original story.  History if
> saved in this manner can never be truthfully revised.  BTW, I
> and 200 odd other of our members also archived this story
> including all metadata for forensics purposes as well if needed
> in the future for legal purposes.  I hope SANS will also be
> covering it as well as did NetworkWorld.


You're a gem, Jeff, if not a joy to add flavour to our gatherings.

cheers
joe baptista



>
>
>  FWIW, it may be time to keep a closer watch on Circleid,
> which I have also written for on occasion.  Yellow journalism
> is not a good thing...
>
> Joe Baptista wrote:
>
> >
> > The news story below was first published on CircleID.  It has since
> > been yanked and is nowhere to be found on CircleID.  Maybe we are
> > witnessing a bit of history revision.  This makes me sad because
> > CircleID was a publication I once wrote for.  In fact I was one of the
> > first paid writers for the organization.  Probably the only one at the
> > time.  And it is sad to see revision at an organization I was once
> > associated with.
> >
> > However it is understandable considering Vixie, the sacred cow of DNS,
> > made such a stupid and silly statement in the article.
> >
> > Basically an internet researcher in Russia was able to break the Vixie
> > patch and poison a server's cache after some 10 hours, billions of
> > connections over a gigabit connection.  Vixie's response was "before
> > somebody gets all excited about it let's be clear that it takes two
> > billion packets on average to defeat UDP port randomization, which in
> > this case was a fully utilized gigabit Internet connection for a
> > period of ten hours."  and proceeded to draw parallels that the level
> > of risk was reasonably low because of this rationalization.
> >
> > I think sometimes Vixie lives in the dark ages of the net, when
> > everything was low bandwidth and script kiddies were a novelty.
> > Indeed Polyakov, the Russian researcher, should be congratulated for
> > his success in this attack considering the poor Russian was using such
> > limited resources.
> >
> > Unlike script kiddies or real internet criminals Polyakov did not have
> > the resources required, being hundreds of thousands of computers
> > connected through a maze of IRC botnets on hundreds of thousands of
> > both DSL and gigabit connections to conduct a proper attack.  Poor man
> > had to do it with one computer and one high speed internet link.  If
> > he had better resources - like the kiddies - he could probably do it
> > in much less time - 10 - 20 minutes?
> >
> > Under these circumstances I'm not surprised the story was yanked.  The
> > quote makes Vixie look like an idiot.
> >
> > In any case - here is the original story no longer published at
> > CircleID.
> >
> >
> > Latest news postings on CircleID
> > URL: http://www.circleid.com/news/
> > Updated: 10 hours 46 min ago
> >
> > Emergency DNS Patch Still Vulnerable, Proves Russian Physicist
> >
> > 10 hours 19 min ago
> > A Russian physicist has been able to successfully poison the latest
> > BIND patch with fully randomized ports. In other words, the emergency
> > fix put in place to patch the Domain Name System (DNS) vulnerability
> > for BIND, Internet's most popular DNS software, has been demonstrated
> > to be vulnerable—and still exploitable by criminals.
> >
> > Evgeniy Polyakov from Moscow, Russia in a blog post today, has shown
> > how using two fairly powerful computers and a fast broadband
> > connection, one could successfully attack the patched DNS server in
> > less than 10 hours. With a fast connection, "any trojaned machine can
> > poison your DNS during one night" says Polyakov in his blog post.
> >
> > As demonstrated by security expert, Dan Kaminsky on Wednesday at the
> > Black Hat security conference, the vulnerability, if exploited by
> > criminals, could be detrimental to the Web as well as services such as
> > email.
> >
> > Paul Vixie, president of the Internet Systems Consortium (ISC), the
> > organization in charge of maintaining the BIND software has verified
> > that Polyakov's exploit looks real. However "before somebody gets all
> > excited about it," Vixie says, "let's be clear that it takes two
> > billion packets on average to defeat UDP port randomization, which in
> > this case was a fully utilized gigabit Internet connection for a
> > period of ten hours." In other words, the probability of a successful
> > attack is fairly minimal. On the other hand, in the case of an
> > unpatched server, an attack was "narrowed down to six seconds," Vixie
> > noted.
> >
> > In the long term, Vixie says "we'll go on improving our forgery
> > resilience, as will every recursive DNS implementor, while we continue
> > pushing DNSSEC as the ultimate long term solution to the entire
> > forgery problem including this off-path-attacker problem."
> >
> > More under: DNS, DNSSEC, Security
> > Categories: Net coverage
> >
> > --
> > Joe Baptista
> > www.publicroot.org
> > PublicRoot Consortium
> > ----------------------------------------------------------------
> > The future of the Internet is Open, Transparent, Inclusive,
> > Representative & Accountable to the Internet community @large.
> > ----------------------------------------------------------------
> > Office: +1 (360) 526-6077 (extension 052)
> > Fax: +1 (509) 479-0084
> >
> >
> Regards,
>
> Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!)
> "Obedience of the law is the greatest freedom" -
>   Abraham Lincoln
>
> "Credit should go with the performance of duty and not with what is
> very often the accident of glory" - Theodore Roosevelt
>
> "If the probability be called P; the injury, L; and the burden, B;
> liability depends upon whether B is less than L multiplied by
> P: i.e., whether B is less than PL."
> United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
> ===============================================================
> Updated 1/26/04
> CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
> div. of Information Network Eng.  INEG. INC.
> ABA member in good standing member ID 01257402 E-Mail
> jwkckid1@xxxxxxxxxxxxx
> My Phone: 214-244-4827
>
>


-- 
Joe Baptista
www.publicroot.org
PublicRoot Consortium
----------------------------------------------------------------
The future of the Internet is Open, Transparent, Inclusive, Representative &
Accountable to the Internet community @large.
----------------------------------------------------------------
Office: +1 (360) 526-6077 (extension 052)
Fax: +1 (509) 479-0084

