ICANN/GNSO GNSO Email List Archives

[ga]



[ga] were all screwed - the only solution is obvious - smart ids dns

  • To: Ga <ga@xxxxxxxxxxxxxx>
  • Subject: [ga] were all screwed - the only solution is obvious - smart ids dns
  • From: "Joe Baptista" <baptista@xxxxxxxxxxxxxx>
  • Date: Mon, 11 Aug 2008 10:38:52 -0400

People, we're all screwed thanks to this DNS vulnerability.  It is truly a
monster in the making and we are being bamboozled into thinking DNSSEC will
save our sorry souls.  And the ease of causing damage to internet
infrastructure is enormous.

Every banking transaction, every communication channel can now be
hijacked by any script kiddie with a network of bots.  And we are being asked
to settle for DNSSEC which is clearly not so secure and easily broken by -
guess who - script kiddies.  When the kiddies figure out how to control the
DNS through these vulnerabilities we're going to be a mess.

My main concern is the criminals who will soon also discover how these
flaws can be exploited.  Port randomization, as has been shown, does not work.
It just takes more time to do.  Bernstein's concern with the year 2015 is very
real today.

I've asked Vixie some questions and gotten some replies.  I hate to say this
but the only real way left to guard against this attack is an intrusion
detection system (IDS) to monitor any recursive DNS server and a good well
behaved firewall.

I addressed the fix for these problems back in Jan 2007 in the Public-Root Name
Server Operational Requirements document published by INAIC.  The sections
are 4.2.7 to 4.2.9.  The reference document is at the following URL.

http://www.publicroot.org/technical/root-server-standards.pdf

In any case that's what now needs to be done to secure DNS ASAP. I would
recommend a smart IDS that not only detects but also, based on a set of rules,
attempts to find and correct the answer or response to the DNS server in real
time.  I expect OpenDNS has this sort of thing deployed.

cheers
joe baptista

-- 
Joe Baptista
www.publicroot.org
PublicRoot Consortium
----------------------------------------------------------------
The future of the Internet is Open, Transparent, Inclusive, Representative &
Accountable to the Internet community @large.
----------------------------------------------------------------
Office: +1 (360) 526-6077 (extension 052)
Fax: +1 (509) 479-0084
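
The kind of monitoring of a recursive DNS server that the message above recommends can be sketched as follows. This is an added example, not code from the message or from the document it references. It assumes the monitor sees every outgoing query and incoming response of the resolver as a tuple; the function names, thresholds and sample traffic are constructed for illustration.

```python
from collections import defaultdict, deque

def detect_spoof_floods(events, window=1.0, threshold=20):
    """Flag names hit by bursts of responses matching no outstanding query.

    events: ("Q"|"R", time_s, qname, txid, udp_port) tuples in time order.
    Returns (alerts, suspect): alerts maps qname -> peak mismatches seen in
    one window; suspect lists names whose accepted answer arrived mid-burst.
    """
    outstanding = set()              # (qname, txid, port) of queries in flight
    recent = defaultdict(deque)      # qname -> times of mismatched responses
    alerts, suspect = {}, set()
    for kind, t, qname, txid, port in events:
        name = qname.lower().rstrip(".")
        key = (name, txid, port)
        if kind == "Q":
            outstanding.add(key)
            continue
        q = recent[name]
        while q and t - q[0] > window:   # expire old mismatches
            q.popleft()
        if key in outstanding:
            outstanding.discard(key)
            # ID and port match, but during a burst the match may be a lucky
            # guess, so the answer should be re-resolved before it is trusted.
            if len(q) >= threshold:
                suspect.add(name)
            continue
        q.append(t)
        if len(q) >= threshold:
            alerts[name] = max(alerts.get(name, 0), len(q))
    return alerts, sorted(suspect)

def sample_events():
    """Constructed traffic: one normal lookup, then a guessed-ID burst."""
    ev = [("Q", 0.00, "www.example.com", 0x1A2B, 40001),
          ("R", 0.03, "www.example.com", 0x1A2B, 40001),
          ("Q", 1.00, "host1.example.net", 0x5C11, 51234)]
    ev += [("R", 1.001 + i * 0.0001, "host1.example.net", i, 51234)
           for i in range(200)]
    ev.append(("R", 1.05, "host1.example.net", 0x5C11, 51234))
    return ev

if __name__ == "__main__":
    print(detect_spoof_floods(sample_events()))
```

The `suspect` list marks answers that should be fetched again and compared before they are cached, since during a burst the monitor cannot tell a genuine reply from a forged one by transaction ID and port alone.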

