dig source port patch

Barry Margolin barry.margolin at level3.com
Thu Sep 4 19:33:44 UTC 2003


In article <bj83kk$65h$1 at sf1.isc.org>, Jim Reid <jim at rfc1035.com> wrote:
>Your arithmetic is correct. But your logic is flawed. And you're
>kidding yourself if you think randomising port numbers is a big help
>in preventing spoofing. It's a stupid assumption to believe attackers
>can't see query replies or responses as they go by. [This may be true
>on a secure VPN with "trusted" hosts, users and clients but the
>internet is not that animal.] Would someone expect their car to be
>thief-proof because they think nobody else will ever be able to see
>what the keys look like?

Most hackers don't have any way to sniff random traffic on the Internet.
You need a machine physically connected to one of the links along the way,
and most of the links on the Internet are either LANs at the end sites or
point-to-point serial/optical circuits.  Someone can put a sniffer on one
of the LANs, but they'll only see traffic from/to that LAN (and since most
LANs are switched these days, they'd also need to take over the switch to
make it mirror everything to the sniffer's port).  Sniffing on the ISP
backbone links would require tapping the leased lines, something only
really wizardly hackers would be able to do.

I work at a Tier-1 ISP and have access to all the routers, but it's not
easy for me to view our customers' traffic.  I can turn on packet displays
on a router, but that only shows a few fields from the IP and TCP headers.
I'd be able to see the port numbers on DNS queries, but not the transaction
IDs.

-- 
Barry Margolin, barry.margolin at level3.com
Level(3), Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
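The thread turns on two questions a resolver operator can actually check: does the resolver randomize the source port of its outgoing queries, and how much is left for an off-path forger to guess once the port is (or is not) observable, as in the router packet-display case above. The following Python is an added example, not code from the thread or from BIND or dig; the samples are constructed with a seeded PRNG rather than captured, and the function names are assumptions made for illustration.

```python
"""Check whether a resolver's outgoing DNS queries use a randomized source
port, and express what an off-path forger is left to guess.

Added example, not part of the original mailing-list thread. The sample
data is constructed with a seeded PRNG; it is not captured traffic.
"""
import math
import random
from collections import Counter


def constructed_samples(n=1000, fixed_port=None, seed=1):
    """Constructed (source port, transaction ID) pairs for n outgoing queries.
    fixed_port=None models a resolver that picks an ephemeral port per query;
    fixed_port=53 models one that always sends from the same port."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        txid = rng.randrange(0, 1 << 16)
        port = fixed_port if fixed_port is not None else rng.randrange(1024, 65536)
        out.append((port, txid))
    return out


def shannon_bits(values):
    """Plug-in Shannon entropy estimate (bits) of observed values.
    It is bounded above by log2(len(values)), so it understates a 16-bit
    source when the sample is small; use it to spot a fixed or narrow range,
    not to certify full randomness."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def port_report(samples, min_distinct=64):
    """Summarize source-port behaviour seen in the samples."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    distinct = len(set(ports))
    return {
        "distinct_ports": distinct,
        "port_range": (min(ports), max(ports)),
        "port_entropy_bits": shannon_bits(ports),
        "txid_entropy_bits": shannon_bits(txids),
        # A resolver reusing one port (or a handful) fails this check.
        "randomized": distinct >= min_distinct,
    }


def bits_to_guess(port_entropy_bits, txid_bits=16, port_visible=False):
    """Bits an off-path forger must match per forged reply.
    If the query's source port can be observed (the router packet-display
    case in the post), only the transaction ID remains to be guessed."""
    return txid_bits + (0 if port_visible else port_entropy_bits)


def forgery_work_factor(bits):
    """Size of the space a blind forger must cover: 2**bits candidate replies
    per outstanding query. Larger is better for the defender."""
    return 2 ** bits


if __name__ == "__main__":
    for name, s in [("fixed port 53", constructed_samples(fixed_port=53)),
                    ("ephemeral port", constructed_samples())]:
        r = port_report(s)
        print(name, r)
    print("port hidden :", bits_to_guess(16), "bits")
    print("port visible:", bits_to_guess(16, port_visible=True), "bits")
```

Run against real data by replacing `constructed_samples()` with port/ID pairs pulled from a capture of the resolver's outbound queries; a report showing one distinct port is the condition the source-port patch discussed in this thread is meant to remove, and the `port_visible` flag models the observer in the post who can read ports but not transaction IDs.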

