Re: More Re: [cobalt-developers] Fwd: CERT Advisory CA-2002-15 Denial-of-Service Vulnerability in ISC BIND 9
- Subject: Re: More Re: [cobalt-developers] Fwd: CERT Advisory CA-2002-15 Denial-of-Service Vulnerability in ISC BIND 9
- From: "E.B. Dreger" <eddy+public+spam@xxxxxxxxxxxxxxxxx>
- Date: Tue Jun 4 20:40:00 2002
- List-id: Discussion Forum for developers on Sun Cobalt Networks products <cobalt-developers.list.cobalt.com>
JL> Date: Tue, 04 Jun 2002 17:05:36 -0700
JL> From: Jeff Lasman
JL> So you can always write one. If you've got a second DNS
JL> server (or more) and automatically restart bind within 15
JL> minutes, then you're probably reasonably safe until a fix
JL> comes out, even if you are running bind 9.x.
I disagree. Someone could DoS it once every five seconds.
UDP is much easier to forge than TCP. (Anyone else recall the remote
NTP exploit not too long ago?) Too many networks don't filter
egress. Backtracing packets can be challenging; with the wrong
upstream, it's nigh on impossible.
Even if you backtrace, will you get all the sources? There are
some ugly botnets out there. What's to say someone won't write a
BIND-killing module? Perhaps the chances are small, but it's
well within reason. Tracing hundreds or thousands of compromised
hosts just isn't feasible.
Run non-vulnerable software. Consider running honeypots.
--
Eddy
Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@xxxxxxxxx>
To: blacklist@xxxxxxxxx
Subject: Please ignore this portion of my mail signature.
These last few lines are a trap for address-harvesting spambots.
Do NOT send mail to <blacklist@xxxxxxxxx>, or you are likely to
be blocked.