On Fri, 13 Nov 1998, Marc Slemko wrote:

> On Thu, 12 Nov 1998, John Fraizer wrote:
>
> > You weren't hacked. It was NetSol/InterNIC showing us just how lame they
> > are again by corrupting root servers.
> >
> > http://www.news.com/News/Item/0,4,28664,00.html?st.ne.fd.mdh
>
> The above is unrelated to the below, AFAIK.
>
> > At 11:47 AM 11/11/98 -0500, you wrote:
> > >Anyone running MS's DNS notice, overnight or so, their cache files
> > >(specifically the root name servers) replaced with a handful of entries for
> > >allegro.net ... ?
>
> The only thing that the Internic being idiots would have done, as far as I
> have any evidence of, is claim that .com domains do not exist.
>
> If your nameserver's cache was corrupted to think that allegro.net is
> authoritative for .com (or .), then that is NOT related. While I would
> need exact output from sample queries to the server to tell for sure, it
> would appear that, if what the poster above said is true, the software
> they are running is vulnerable to cache pollution, just like old versions
> of BIND are. This is quite bad, both because someone with malicious
> intent can do evil things and because there are an increasing number of
> accidental situations where people somehow misconfigure their servers to
> claim false authority.

For some reason, my first message on this topic was not accepted by Aleph1. Hence, I will attempt to repeat what I sent upon the first report of this problem to this list:

Microsoft's DNS server is vulnerable to two different types of cache-poisoning attacks, while the latest versions of BIND are only known to be vulnerable to one type:

"cache corruption through attachment of unrelated additional records" is the simpler of the two methods, and is the one most likely used to corrupt your server. As far as I know, there is no Microsoft fix for this. BIND used to be vulnerable to this, but the latest versions of it are not.

"cache corruption through sequence ID prediction" is a more complex attack. Both Microsoft and BIND are vulnerable to this. Luckily, there aren't many crackers attempting to use this, as far as I can tell. There is no complete protection for this attack, even though vendors of DNS software have known about the vulnerability for years.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:23:10 PDT
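
An added example, not part of the original post and not code from BIND or Microsoft: one general way a caching resolver can refuse the "unrelated additional records" described above is a bailiwick check, caching a record only if its owner name lies inside the zone the queried server was asked about. The record tuples, function names and sample reply are assumptions constructed for illustration.

```python
# Added example: bailiwick filter for DNS responses (constructed data,
# documentation-reserved names and addresses; not BIND or Microsoft code).

def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()

def in_bailiwick(name, zone):
    """True if name is the zone itself or a subdomain, compared label by label."""
    n = [l for l in normalize(name).split(".") if l]
    z = [l for l in normalize(zone).split(".") if l]
    return len(z) <= len(n) and n[len(n) - len(z):] == z

def filter_response(zone, response):
    """Split records into (accepted, rejected) for a server asked about `zone`."""
    accepted, rejected, referenced = [], [], set()
    for section in ("answer", "authority"):
        for owner, rtype, rdata in response.get(section, []):
            if in_bailiwick(owner, zone):
                accepted.append((owner, rtype, rdata))
                if rtype in ("NS", "MX", "CNAME"):
                    referenced.add(normalize(rdata))  # hosts that may need glue
            else:
                rejected.append((owner, rtype, rdata))
    for owner, rtype, rdata in response.get("additional", []):
        # Additional data is cached only if it is inside the zone AND is the
        # address of a host named by an accepted NS/MX/CNAME record.
        if in_bailiwick(owner, zone) and normalize(owner) in referenced:
            accepted.append((owner, rtype, rdata))
        else:
            rejected.append((owner, rtype, rdata))
    return accepted, rejected

# Constructed reply to a query for www.example.net sent to an example.net server.
SAMPLE = {
    "answer": [("www.example.net.", "A", "192.0.2.10")],
    "authority": [("example.net.", "NS", "ns1.example.net.")],
    "additional": [
        ("ns1.example.net.", "A", "192.0.2.53"),   # legitimate glue
        ("com.", "NS", "ns1.example.net."),        # unrelated: claims .com
        ("ns.example.org.", "A", "192.0.2.66"),    # unrelated host
    ],
}

if __name__ == "__main__":
    ok, dropped = filter_response("example.net", SAMPLE)
    for rec in ok:
        print("cache ", rec)
    for rec in dropped:
        print("reject", rec)
```

The comparison is done on whole labels, so a name such as `evilexample.net` is not treated as part of `example.net`, which a plain string-suffix test would get wrong.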