More cache poisoning fun
Paul Vixie
vixie at isc.org
Sun Aug 10 05:42:47 UTC 2008
Lars Hecking <lhecking at users.sourceforge.net> writes:
> So, what about Polyakov? Is it a threat to the real world, or is it just
> a matter of DNSSEC or die now?
when folks on slashdot asked that question, i said:
http://tech.slashdot.org/comments.pl?sid=640993&cid=24537509
while i think it's bad that anybody who can hammer you at GigE speed for
ten hours can poison your cache, it's not a threat to the real world the
way 11 seconds at 10-megabit was. so while we all do have to do dnssec
and we will all eventually die, those two facts are unrelated.
note that any dns server with a host based firewall can implement a 100%
effective mitigation for the Polyakov attack, and it's possible that an
upstream/outboard firewall could also be made to do it. in freebsd ipfw
it looks like this:
add pipe 1 udp from any 53 to 204.152.188.20 in
pipe 1 config mask src-ip 0xffffffff buckets 32768 bw 56Kbit/s queue 1
at some point ISC will have to put logic like this into BIND, of course.
but protecting against the Polyakov attack is like synflood protection in
that it's a rate-limit problem.
--
Paul Vixie
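Added example (not from this post or from ISC code): a small Python model of what the per-source-IP dummynet pipe above does to inbound replies from port 53. Because the pipe is keyed by the full source address (mask 0xffffffff), a flood of forged replies carrying one spoofed source address is throttled to 56Kbit/s on its own, while replies from other authoritative servers are untouched. The single-packet burst (one MTU of 1500 bytes, approximating `queue 1`) and all addresses and packet sizes are constructed assumptions.

```python
from collections import defaultdict

BW_BITS_PER_SEC = 56_000   # bw 56Kbit/s from the ipfw pipe config
BURST_BYTES = 1500         # assumed: one MTU-sized reply fits, approximates "queue 1"


class PerSourcePipe:
    """Token bucket per source IP: bytes refill at BW, capped at BURST_BYTES."""

    def __init__(self, bw_bits=BW_BITS_PER_SEC, burst=BURST_BYTES):
        self.rate = bw_bits / 8.0   # bytes per second
        self.burst = burst
        # src-ip -> [tokens, last_seen]; full-address mask means one bucket per IP
        self.buckets = defaultdict(lambda: [float(burst), 0.0])

    def accept(self, src_ip, size, now):
        """Return True if a packet of `size` bytes from src_ip passes at time `now`."""
        tokens, last = self.buckets[src_ip]
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= size:
            self.buckets[src_ip] = [tokens - size, now]
            return True
        self.buckets[src_ip] = [tokens, now]   # dropped: no queueing beyond the burst
        return False


def run(packets):
    """packets: iterable of (time_s, src_ip, size_bytes); returns accepted count per source."""
    pipe = PerSourcePipe()
    accepted = defaultdict(int)
    for t, src, size in sorted(packets):
        if pipe.accept(src, size, t):
            accepted[src] += 1
    return dict(accepted)


# Constructed sample traffic: 1000 forged 100-byte replies in 0.1 s, all spoofed
# as 192.0.2.53, plus 4 legitimate 100-byte replies from 203.0.113.53 every 0.5 s.
FLOOD = [(i * 0.0001, "192.0.2.53", 100) for i in range(1000)]
LEGIT = [(i * 0.5, "203.0.113.53", 100) for i in range(4)]

if __name__ == "__main__":
    print(run(FLOOD + LEGIT))
```

The flood source gets only its burst plus the 7000 bytes/s trickle, so roughly twenty of the thousand forged packets reach the resolver, while every legitimate reply from the other server passes.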