<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<style>
<!--
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman";}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {color:blue;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-reply;
        font-family:Arial;
        color:navy;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
        {page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=blue>
<div class=Section1>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<p class=MsoNormal style='margin-bottom:12.0pt'><font size=2 color=navy
face=Arial><span style='font-size:10.0pt;font-family:Arial;color:navy'>Snip</span></font><o:p></o:p></p>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>On Wed, Jul 9, 2008 at 10:50 AM, C F &lt;<a
href="mailto:shmaltz@gmail.com">shmaltz@gmail.com</a>&gt; wrote:<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-bottom:12.0pt'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>Very interesting article.
I guess we won't know much more for another few weeks:<br>
<a
href="http://www.breitbart.com/article.php?id=080709124916.zxdxcmkx&show_article=1"
target="_blank">http://www.breitbart.com/article.php?id=080709124916.zxdxcmkx&show_article=1</a><o:p></o:p></span></font></p>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><br>
I thought this was common knowledge. I remember hearing about the flaw
around 2000 or so.<br>
<br>
Thanks,<br>
Steve T<o:p></o:p></span></font></p>
</div>
</div>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Knowledge yes, but common, I don't think
so. Cache Poisoning has been around since before 2000.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>A properly designed DNS server with the
right amount of randomness in its request would be a difficult target. The
attack exploits the fact that many sequential packets had sequential numbers so
that it was easy to send a malformed packet back as a response to a query.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>It works like this:<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Badman requests the address for <a
href="http://www.digium.com/">www.digium.com</a> from a name server, the server
does not have it in its cache or it has expired. Name server requests the
information from its forwarders, or the root domain. Badman sends a packet with
the address of the forwarder or root domain server forged with an incremented
sequence number. The name server thinks that it is a valid response and adds it
to its cache... the Cache is poisoned...<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Clearing the cache would clean out the
poison entry, and unless the Badman was able to guess the precise time your
name server was to request the information, your server should get the correct
entry.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Ever since Windows 2003, Bind 9.0+, and
all versions of TinyDNS, random numbers have been used for the sequence in the
packet. There is always a brute force attack that can be done, to simply
overwhelm the DNS server and possibly 'guess' the next sequence
number, but that would be time consuming, and most intrusion detection systems
will pick it up as a DOS or DDOS attack and start to shut down access.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Best solution is to use a trusted DNS
server, don't have your master DNS server (the one that resolves your
domain for the rest of the world) set to do recursive lookups, and, as I do, hide
your DNS server behind a NAT'ed firewall that randomizes outgoing ports
and sequence numbers.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Alex<o:p></o:p></span></font></p>
</div>
</div>
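<p class=MsoNormal>Added example, not part of the original e-mail thread: a
defender-side check of the property the reply above relies on, namely whether
the sequence numbers (transaction IDs) and source ports of a resolver's outgoing
queries are fixed, incrementing, or scattered. The function names, thresholds
and sample observations are constructed for illustration; real observations
would come from a capture of your own resolver's queries.</p>
<pre>
```python
from statistics import pstdev

# Constructed sample observations of (source_port, transaction_id) pairs,
# as they might be logged from one resolver's outgoing queries.
SEQUENTIAL = [(53, 4100 + i) for i in range(12)]      # fixed port, IDs step by 1
TXIDS = (51234, 812, 40021, 17777, 60310, 2950,
         33109, 9408, 45871, 24066, 58123, 12690)
PORTS = (49213, 1188, 33907, 61002, 20455, 8731,
         57340, 27619, 41876, 15022, 64410, 36258)
FIXED_PORT = [(32768, t) for t in TXIDS]              # scattered IDs, one port
RANDOMIZED = list(zip(PORTS, TXIDS))                  # both fields scattered


def spread(values):
    """Classify a 16-bit field as 'fixed', 'sequential' or 'scattered'."""
    if len(set(values)) == 1:
        return "fixed"
    # Consecutive differences modulo 2**16, so a counter wrapping past
    # 65535 still shows up as a small step.
    deltas = [(b - a) % 65536 for a, b in zip(values, values[1:])]
    small_steps = sum(1 for d in deltas if 16 >= d)
    if small_steps * 10 >= len(deltas) * 9:   # 90% or more are tiny increments
        return "sequential"
    # 'scattered' only means no obvious pattern was seen in this sample;
    # it is not proof of cryptographic randomness.
    return "scattered"


def assess(observations):
    """Summarise how guessable the resolver's next query looks."""
    ports = [p for p, _ in observations]
    txids = [t for _, t in observations]
    port_kind, txid_kind = spread(ports), spread(txids)
    if txid_kind != "scattered":
        verdict = "POOR"   # next ID is predictable: the case the reply describes
    elif port_kind != "scattered":
        verdict = "WEAK"   # only the 16-bit ID has to be guessed
    else:
        verdict = "GOOD"   # both the ID and the source port have to be guessed
    return {"verdict": verdict, "ports": port_kind, "txids": txid_kind,
            "port_stdev": round(pstdev(ports))}


if __name__ == "__main__":
    for name, obs in (("sequential", SEQUENTIAL), ("fixed port", FIXED_PORT),
                      ("randomized", RANDOMIZED)):
        print(name, assess(obs))
```
</pre>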
</body>
</html>