dig source port patch

Jonathan de Boyne Pollard J.deBoynePollard at tesco.net
Wed Sep 3 19:05:27 UTC 2003


JR> Randomly changing the source port number for outgoing queries 
JR> does ABSOLUTELY NOTHING "to make it harder to spoof queries". 

False.  It makes it harder for an attacker with no access to the original
query datagram to guess at the correct response datagram to send.  When only
randomising the message ID, such an attacker has a 1-in-65536 probability of
making the correct guess.  When choosing both a random message ID and a random
port number from (say) a set of 200 numbers, this is decreased to
1-in-13107200.

Of course, over a fast link it doesn't take inordinately long to transmit even
13107200 DNS/UDP datagrams.  However, transmitting that lot over the link
between (say) the machine I am typing at right now and the rest of Internet
would still take a lot longer than the DNS/UDP transaction timeout period of
most DNS client and server software.

JR> An attacker will see the query as it goes by. 

False.  Not all attackers will.  There are two sorts of attackers: those with
access to the original query datagram (i.e. those capable of sniffing network
traffic along the relevant links) and those without (i.e. those who are just
flooding the victim blindly from afar).  Indeed, my experience is that the
latter kind of attacker is by far the more common.


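The arithmetic in the post above, carried a step further as an added example (this is not code from the post or from BIND): it computes the size of the (message ID, source port) guess space a blind attacker must cover, how many forged datagrams a given link can deliver before the resolver's transaction timeout expires, and the resulting probability that a blind flood wins the race.  The model assumes one outstanding query, an attacker who never repeats a guess, and illustrative link speeds, datagram sizes and a 5-second timeout; all of those numbers are assumptions chosen for the example, not measurements.

```python
from fractions import Fraction

TXID_SPACE = 65536  # 16-bit DNS message ID


def guess_space(port_choices):
    """Distinct (message ID, source port) pairs a blind attacker must cover.

    port_choices=1 models a resolver that always queries from one fixed
    port (only the message ID is random); 200 models the post's example.
    """
    return TXID_SPACE * port_choices


def single_guess_probability(port_choices):
    """Chance that one forged response matches the outstanding query."""
    return Fraction(1, guess_space(port_choices))


def datagrams_in_window(link_bits_per_sec, datagram_bytes, timeout_sec):
    """Forged datagrams a link can carry before the resolver gives up.

    Integer arithmetic: a partially transmitted datagram does not count.
    """
    return (link_bits_per_sec * timeout_sec) // (datagram_bytes * 8)


def blind_success_probability(port_choices, forged_datagrams):
    """Probability the blind attacker wins within a budget of forged datagrams.

    With distinct guesses the chance is budget / space, capped at 1 once the
    budget covers the whole space.
    """
    space = guess_space(port_choices)
    return Fraction(min(forged_datagrams, space), space)


def race_report(link_bits_per_sec, datagram_bytes=100, timeout_sec=5):
    """Compare fixed-port and 200-port resolvers for one link (assumed sizes)."""
    budget = datagrams_in_window(link_bits_per_sec, datagram_bytes, timeout_sec)
    return {
        "datagrams_in_window": budget,
        "fixed_port": blind_success_probability(1, budget),
        "random_port_200": blind_success_probability(200, budget),
    }


if __name__ == "__main__":
    # Assumed links: a 56 kbit/s modem and a gigabit LAN, 100-byte responses.
    for name, bps in (("56 kbit/s", 56_000), ("1 Gbit/s", 1_000_000_000)):
        r = race_report(bps)
        print(name, r["datagrams_in_window"], "datagrams in window;",
              "fixed port:", float(r["fixed_port"]),
              "200 ports:", float(r["random_port_200"]))
```

The fixed-port case saturates to certainty as soon as the link can carry 65536 datagrams inside the timeout, which even a slow link manages over a few retried queries; spreading queries over a few hundred source ports multiplies the work by the same factor, which is the whole of the post's point.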