Re: correction! Re: The math of RFC3822.2.2-spoofing a randomising source port resolver
On Mon, Aug 04, 2008 at 04:47:57PM +0000, Paul Vixie wrote:
> > From: Stefan Schmidt <zaphodb@zaphods.net>
> >
> > On Mon, Aug 04, 2008 at 02:22:41PM +0000, Paul Vixie wrote:
> > > indeed, no one on earth knew that this could be done in 11 seconds until
> > > february 2008. given the severe trauma caused by udp port randomization
> > > for firewalls and NATs and solaris-10 and so on, i think there was a real
> > > and correct cost-benefit tradeoff being made when this attack took days
> > > or weeks of sustained multimegabit traffic to pull off.
> >
> > Tradeoff yes, trauma not really, for that is something that requires a shock.
> > You knew that this patch needed some ironing out and that the best way of
> > achieving that is to just roll it out, no need to be shocked about that now.
>
> let's be clear about this. neither dnscache nor powerdns was creating as many
> simultaneous upstream flows in those years as the kaminsky defense requires,
> and the market size for these tools was in those years so small that many of
> the firewall / NAT / kernel instabilities BIND is running into as we deploy
> UDP port randomization were simply not encountered until now.
>
FYI,
In early 2006 I migrated approximately 120 BIND nameserver installations down to
approximately 30 PowerDNS installations for a very large ISP. This migration not only
allowed us to scale down the number of servers and save money on server hardware, but
also improved query latencies and increased security due to port randomization. Thus,
source port randomization did not have an impact on performance, and we were able to reduce
our server count by a factor of 4.
> > "cron loves you too, that's why it sends you so much mail."
> > - Paul Vixie, author of Vixie Cron
>
> :-).
it sure does ;)
--
Bryan G. Seitz
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
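The thread's subject is the arithmetic behind blind answer spoofing against a resolver with and without UDP source port randomization, but the message above argues the cost/benefit side without showing the numbers. The following is an added worked example, written for this page and not code from the thread, BIND or PowerDNS. It uses a deliberately simple model that is my own assumption: the attacker must match a 16-bit transaction ID (and, when ports are randomized, the resolver's source port, assumed here to be drawn from 1024..65535), every forged packet is an independent guess, and the packet rate is limited only by link bandwidth with no per-query trigger cost. The bandwidth and packet-size figures are constructed inputs, not measurements.

```python
"""Back-of-the-envelope model of blind DNS answer spoofing, with and without
UDP source port randomisation.

Assumed model (my own simplification, not anything stated in the thread):
  * a forged answer must match a 16-bit transaction ID, plus the resolver's
    UDP source port when ports are randomised;
  * each forged packet is an independent guess, so the chance of success
    per packet is 1 / (search space);
  * the attacker's packet rate is limited only by link bandwidth;
  * the attacker can keep re-triggering fresh queries indefinitely.
"""
import math

TXID_SPACE = 1 << 16            # 16-bit DNS transaction ID
EPHEMERAL_PORTS = 65536 - 1024  # assumption: resolver draws from 1024..65535


def search_space(randomised_ports: bool, port_count: int = EPHEMERAL_PORTS) -> int:
    """Number of (txid, port) combinations a forged answer must hit."""
    return TXID_SPACE * (port_count if randomised_ports else 1)


def packets_per_second(bandwidth_bps: float, packet_bytes: int) -> float:
    """Forged answers per second that fit on the link (no framing overhead modelled)."""
    return bandwidth_bps / (8.0 * packet_bytes)


def expected_seconds(randomised_ports: bool, bandwidth_bps: float,
                     packet_bytes: int, port_count: int = EPHEMERAL_PORTS) -> float:
    """Mean time to the first hit.

    Each packet succeeds with p = 1/space, so the number of packets needed is
    geometric with mean 1/p = space; divide by the rate to get seconds.
    """
    space = search_space(randomised_ports, port_count)
    return space / packets_per_second(bandwidth_bps, packet_bytes)


def success_within(seconds: float, randomised_ports: bool, bandwidth_bps: float,
                   packet_bytes: int, port_count: int = EPHEMERAL_PORTS) -> float:
    """P(at least one hit) after `seconds` of flooding at full line rate.

    1 - (1-p)^n, computed via log1p/expm1 so tiny p does not cancel to zero.
    """
    p = 1.0 / search_space(randomised_ports, port_count)
    n = packets_per_second(bandwidth_bps, packet_bytes) * seconds
    return -math.expm1(n * math.log1p(-p))


def human(seconds: float) -> str:
    """Render seconds as the largest convenient unit for a quick comparison."""
    for unit, size in (("days", 86400.0), ("hours", 3600.0), ("minutes", 60.0)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.2f} seconds"


if __name__ == "__main__":
    PACKET = 100  # constructed: bytes per forged answer
    # Constructed scenarios: fast link against a fixed source port versus a
    # "multimegabit" link against a port-randomising resolver.
    for label, randomised, bps in (("fixed port, 100 Mbit/s", False, 100e6),
                                   ("random port, 10 Mbit/s", True, 10e6)):
        print(f"{label}: search space {search_space(randomised):,}, "
              f"mean time {human(expected_seconds(randomised, bps, PACKET))}, "
              f"P(hit within 11 s) = {success_within(11, randomised, bps, PACKET):.2e}")
```

Under these assumptions the fixed-port case needs on the order of 2^16 packets, which a 100 Mbit/s link delivers in well under a second, while randomising the port multiplies the search space by the number of candidate ports (about 2^32 combinations in total) and pushes the mean time at 10 Mbit/s into days. Real attacks differ in detail (the attacker also has to trigger each query, responses race the legitimate answer, and resolvers use narrower or wider port ranges), but the multiplicative effect of the second 16-bit field is the whole point of the defence.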