Vulnerability to cache poisoning -- the rest of the solution

G.W. Haywood bind at jubileegroup.co.uk
Tue Jul 15 09:00:42 UTC 2008


Hi there,

On Tue, 15 Jul 2008, Mark Andrews wrote:

> > Will BIND randomize query TCP source ports as well (when TCP is
> > required) with these new patches?
>
> 	TCP doesn't need to randomise the port.  Your TCP stack
> 	should be randomising the 32 bit TCP sequence number it
> 	uses when establishing a connection.  If it doesn't, get a
> 	new OS as the one you have is ancient and full of security
> 	holes.
>
> 	This makes TCP much harder, but not impossible, to spoof
> 	than UDP.

As an interim measure, I take it that using TCP only isn't an option?

--

73,
Ged.
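The exchange above contrasts two ways of shrinking an off-path spoofer's odds: randomising the UDP source port, or relying on TCP's 32-bit sequence number. The following Python script is an added example, not code from this thread or from BIND. It does two things a defender might want: it assesses whether a sample of observed resolver source ports (for instance, pulled from a packet capture) looks randomised, and it models the guess space an off-path attacker faces under each configuration. The port samples are constructed, and the POOR/FAIR/GOOD thresholds and the uniform-guess model are assumptions of the example.

```python
import statistics

# Constructed sample 1: a resolver pinned to a single outgoing port
# (the behaviour the randomisation patches are meant to remove).
FIXED_PORT_SAMPLE = [53] * 40

# Constructed sample 2: 40 outgoing ports that look like draws from the
# ephemeral range, as a patched resolver would produce.
RANDOMIZED_PORT_SAMPLE = [
    34127, 51982, 60233, 41905, 57718, 38460, 62011, 45392, 53870, 49121,
    36645, 58902, 40277, 61534, 47018, 55389, 33761, 59446, 42803, 50277,
    63980, 39154, 56621, 44708, 52095, 37339, 60852, 48476, 35210, 54963,
    43131, 58017, 46594, 62779, 41266, 57340, 34888, 52698, 49753, 60104,
]


def port_randomness(ports):
    """Summarise how randomised a list of observed source ports looks.

    Thresholds are assumptions chosen for this example, not a standard:
    a resolver reusing one port (or a tiny range) is rated POOR, a wide
    spread of mostly distinct ports is rated GOOD.
    """
    total = len(ports)
    distinct = len(set(ports))
    span = max(ports) - min(ports)
    spread = statistics.pstdev(ports)
    ratio = distinct / total
    if ratio < 0.5 or span < 1024:
        verdict = "POOR"
    elif ratio < 0.9 or span < 16384:
        verdict = "FAIR"
    else:
        verdict = "GOOD"
    return {
        "samples": total,
        "distinct": distinct,
        "distinct_ratio": ratio,
        "span": span,
        "stdev": spread,
        "verdict": verdict,
    }


def guess_space_bits(txid_bits=16, port_bits=0, isn_bits=0):
    """Bits an off-path attacker must guess to forge an accepted reply.

    txid_bits: DNS transaction ID (16 bits in every case).
    port_bits: entropy of the query source port (0 if pinned, ~16 if random).
    isn_bits:  TCP initial sequence number the attacker must also hit to
               complete a handshake (32 bits on a stack that randomises it).
    """
    return txid_bits + port_bits + isn_bits


def spoof_success_probability(space_bits, forged_packets):
    """Chance that `forged_packets` distinct guesses cover the right value.

    Simplified model: each forged packet tests one distinct combination out
    of 2**space_bits equally likely ones, so the probability is the fraction
    of the space the attacker can cover before the genuine answer arrives.
    """
    return min(1.0, forged_packets / float(2 ** space_bits))


if __name__ == "__main__":
    for name, sample in (("pinned port", FIXED_PORT_SAMPLE),
                         ("randomised", RANDOMIZED_PORT_SAMPLE)):
        print(name, port_randomness(sample))

    # Guess space per configuration, with a budget of 65536 forged packets
    # in one race window (a constructed figure, not a measured one).
    budget = 65536
    for label, bits in (
        ("UDP, pinned port", guess_space_bits(16, 0, 0)),
        ("UDP, random port", guess_space_bits(16, 16, 0)),
        ("TCP, random ISN", guess_space_bits(16, 16, 32)),
    ):
        print(f"{label}: {bits} bits, "
              f"P(hit) = {spoof_success_probability(bits, budget):.3e}")
```

The port check is the offline counterpart of the public "source port test" services that appeared alongside these patches: feed it the source ports your resolver actually used, and a POOR verdict means the resolver, or a NAT device in front of it, is still collapsing the port space. The probability model is deliberately simple (it ignores timing and birthday effects) but it makes Mark's point visible: adding a randomised ISN to the guess space moves a blind spoof from something that fits in one race window to something that does not.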

