Re: BIND Nuking

Thomas H. Ptacek (tqbf@enteract.com)
Tue, 29 Jul 1997 20:38:04 -0500

> when executed as "bind_nuke bogus.org" on a host that bogus.org's
> primary NS is configured to accept updates from, will cause named
> to silently die. Nothing in the logs, nothing on the console.

... and of course, we all realize that there is no such thing as a BIND
denial-of-service-only attack. Anything that can cause an arbitrary
nameserver to die, or even not answer queries for a significant amount of
time, allows for trivial brute-force ID-guessing attacks.

Until DNSSEC is fully deployed on the net, or the BIND maintainers
integrate real ID-guessing countermeasures, the stability of the BIND
named service is security-critical.

Just some food for thought.

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
"If you're so special, why aren't you dead?"
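Since the failure described above leaves nothing in the logs, the practical defensive response is an active liveness probe. The following is an added example, not code from the original post or from BIND; it assumes the nameserver listens on UDP port 53 and that a genuine reply must be a response (QR bit set) that echoes the query's transaction ID.

```python
import os
import socket
import struct
from typing import Optional


def build_query(name: str, qtype: int = 1, qid: Optional[int] = None) -> bytes:
    """Build a minimal DNS query: one question, class IN, recursion desired."""
    if qid is None:
        qid = int.from_bytes(os.urandom(2), "big")  # unpredictable 16-bit transaction ID
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(pkt: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields the probe cares about."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "rcode": flags & 0x000F, "ancount": an}


def response_matches(query: bytes, reply: bytes) -> bool:
    """Accept a reply only if it is a response carrying the query's transaction ID."""
    if len(reply) < 12:
        return False
    h = parse_header(reply)
    return h["qr"] and h["id"] == parse_header(query)["id"]


def probe(server: str, name: str = "localhost", timeout: float = 2.0) -> bool:
    """Return True if `server` answers within `timeout`; a silently dead named fails this."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            reply, _ = s.recvfrom(512)
        except socket.timeout:
            return False
    return response_matches(q, reply)


if __name__ == "__main__":
    import sys
    srv = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # server to check (assumed default)
    print("named alive" if probe(srv) else "named not answering")
```

Run it from cron or a monitoring agent against each nameserver; a timeout is the signal that named has gone away without telling you.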