On Tue, Mar 24, 2009 at 09:18:24PM +0100, Florian Weimer wrote:
> * Gerrit Pape:
> > The attack under discussion is a brute-force attack.
>
> No, it's not, it's about 100 times faster than brute force.

We're discussing the birthday attack. A birthday attack is a special type of
brute-force attack.
http://www.google.com/search?q=%22birthday+attack%22+type+of+%22brute+force%22

My statement was in response to the suggested analogy to sniffing telnet.

> > o Don't apply a patch against the djbdns binary package, but document the
> > fact more prominently. In fact it's already documented for years by
> > upstream, and again detailed in his 'February 2009 comments'.
>
> This is incorrect, the old version cannot be reasonably interpreted to
> mean that a resolver running dnscache can be poisoned within
> 20 minutes.

For years the docs have said 'tens of millions of guesses are adequate with a
colliding attack;'. With the 15000 packets/s assumption from Day you get to
22 minutes. I'd say it definitely can be 'reasonably interpreted' so.

> > o Apply a patch to dbndns, the Debian fork of djbdns, that limits
> > concurrent outgoing SOA queries to 20. I'm of the opinion that this
> > makes the attack significantly harder.
>
> No, it doesn't. Any cache miss will do. There is just a slight
> inefficiency when you have to switch names to get the next round of
> cache misses.

CVE-2008-4392 doesn't detail such an attack. Can you point to more details, a
paper, or an implementation of this attack, that back up the claim?
Specifically I doubt the 'slight inefficiency'.

> > AFAIK from private discussion, the Debian security team doesn't agree
> > with my assessment. I don't know what their plans are for stable.
>
> I still hope to get a better patch.

While we wait for who knows how long, I suggest we get the fix for #518169
into stable; packages are still available through
http://niequai.smarden.org/ruGho2e/

Regards, Gerrit.
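The disagreement above is about how much a cap on concurrently outstanding queries changes the cost of the birthday-style poisoning attack. The following is an added example, not part of either message and not djbdns or dbndns code, that models that cost so the two positions can be compared on numbers. Everything in it beyond the thread's own figures (15000 packets/s, a cap of 20, "tens of millions of guesses") is an assumption: that each outstanding query carries an identifier drawn uniformly from a space of 2^32 values (a 16-bit ID plus 16 bits of source-port randomisation, assumed here rather than taken from dnscache's implementation), and that all outstanding queries are for the same name so one spoofed reply succeeds if it matches any of them. The model deliberately does not capture Florian's "switch names to get the next round of cache misses" point; it only shows what the per-name cap does in isolation, which is the claim Gerrit asks for evidence against.

```python
# Added example (not from the thread): cost model for a birthday-style
# poisoning attack as a function of how many queries are outstanding.
# Assumptions (none come from the thread or from dnscache itself):
#   - each outstanding query has an identifier drawn uniformly from a space
#     of ID_SPACE values (2**32 is an assumed figure);
#   - all outstanding queries are for the same name, so a spoofed reply
#     succeeds if it matches any one of them;
#   - the attacker sends PACKETS_PER_SECOND replies, the thread's 15000/s.
# The model ignores the "switch names for the next round of cache misses"
# argument, so it describes only the per-name cap in isolation.

import math

ID_SPACE = 2 ** 32          # assumed identifier space size
PACKETS_PER_SECOND = 15000  # rate quoted in the thread


def per_packet_success(outstanding: int, id_space: int = ID_SPACE) -> float:
    """Chance that one spoofed reply matches any of `outstanding` queries."""
    if outstanding < 1:
        raise ValueError("need at least one outstanding query")
    return min(outstanding, id_space) / id_space


def success_probability(packets: int, outstanding: int,
                        id_space: int = ID_SPACE) -> float:
    """Probability that at least one of `packets` spoofed replies is accepted."""
    p = per_packet_success(outstanding, id_space)
    return 1.0 - (1.0 - p) ** packets


def packets_for_probability(target: float, outstanding: int,
                            id_space: int = ID_SPACE) -> int:
    """Fewest spoofed replies needed to reach success probability `target`."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    p = per_packet_success(outstanding, id_space)
    if p >= 1.0:
        return 1
    # Solve 1 - (1 - p)**k >= target for the smallest integer k.
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p))


def minutes_at_rate(packets: int, pps: int = PACKETS_PER_SECOND) -> float:
    """Wall-clock minutes needed to send `packets` at `pps` packets/s."""
    return packets / pps / 60.0


def compare_caps(caps, target: float = 0.5, id_space: int = ID_SPACE) -> dict:
    """Map each outstanding-query cap to (packets needed, minutes needed)."""
    result = {}
    for cap in caps:
        k = packets_for_probability(target, cap, id_space)
        result[cap] = (k, minutes_at_rate(k))
    return result


if __name__ == "__main__":
    # With 200 outstanding queries the model lands on "tens of millions" of
    # packets and roughly the 15-20 minute range quoted in the thread; the cap
    # of 20 raises both by a factor of ten under this model.
    for cap, (k, mins) in compare_caps([20, 200, 2000]).items():
        print(f"cap={cap:5d}  packets={k:12d}  time={mins:8.1f} min  "
              f"(50% success, {PACKETS_PER_SECOND} pkt/s, N=2^32 assumed)")
```

Because the per-packet success chance is linear in the number of outstanding queries, the time to a given success probability scales inversely with the cap: a cap of 20 versus 200 is a tenfold difference in this model. Whether an attacker recovers that factor by rotating names, as the quoted reply asserts, is exactly what the model does not decide and what the thread asks for evidence on.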