Re: [NA-Discuss] [ga] Vixies vixens make big boo boo on successful Russian DNS hack
Dr. Joe and all,

Thanks for also saving/archiving the original story. History if saved in this manner can never be truthfully revised. BTW, I and 200 odd other of our members also archived this story including all metadata for forensics purposes as well if needed in the future for legal purposes. I hope SANS will also be covering it as well as did NetworkWorld. FWIW, it may be time to keep a closer watch on CircleID, which I have also written for on occasion. Yellow journalism is not a good thing...

Joe Baptista wrote:
The news story below was first published on CircleID. It has since been yanked and is nowhere to be found on CircleID. Maybe we are witnessing a bit of history revision. This makes me sad because CircleID was a publication I once wrote for. In fact I was one of the first paid writers for the organization. Probably the only one at the time. And it is sad to see revision at an organization I was once associated with.
However it is understandable considering Vixie, the sacred cow of DNS, made such a stupid and silly statement in the article.
Basically an internet researcher in Russia was able to break the Vixie patch and poison a server's cache after some 10 hours, billions of connections over a gigabit connection. Vixie's response was "before somebody gets all excited about it let's be clear that it takes two billion packets on average to defeat UDP port randomization, which in this case was a fully utilized gigabit Internet connection for a period of ten hours." and proceeded to draw parallels that the level of risk was reasonably low because of this rationalization.
I think sometimes Vixie lives in the dark ages of the net, when everything was low bandwidth and script kiddies were a novelty. Indeed Polyakov, the Russian researcher, should be congratulated for his success in this attack considering the poor Russian was using such limited resources.
Unlike script kiddies or real internet criminals Polyakov did not have the resources required, being hundreds of thousands of computers connected through a maze of IRC botnets on hundreds of thousands of both DSL and gigabit connections to conduct a proper attack. Poor man had to do it with one computer and one high speed internet link. If he had better resources - like the kiddies - he could probably do it in much less time - 10 - 20 minutes?
Under these circumstances I'm not surprised the story was yanked. The quote makes Vixie look like an idiot.
In any case - here is the original story no longer published at CircleID.
Latest news postings on CircleID URL: http://www.circleid.com/news/ Updated: 10 hours 46 min ago
Emergency DNS Patch Still Vulnerable, Proves Russian Physicist
10 hours 19 min ago
A Russian physicist has been able to successfully poison the latest BIND patch with fully randomized ports. In other words, the emergency fix put in place to patch the Domain Name System (DNS) vulnerability for BIND, Internet's most popular DNS software, has been demonstrated to be vulnerable, and still exploitable by criminals.
Evgeniy Polyakov from Moscow, Russia in a blog post today, has shown how using two fairly powerful computers and a fast broadband connection, one could successfully attack the patched DNS server in less than 10 hours. With a fast connection, "any trojaned machine can poison your DNS during one night" says Polyakov in his blog post.
As demonstrated by security expert Dan Kaminsky on Wednesday at the Black Hat security conference, the vulnerability, if exploited by criminals, could be detrimental to the Web as well as services such as email.
Paul Vixie, president of the Internet Systems Consortium (ISC), the organization in charge of maintaining the BIND software has verified that Polyakov's exploit looks real. However "before somebody gets all excited about it," Vixie says, "let's be clear that it takes two billion packets on average to defeat UDP port randomization, which in this case was a fully utilized gigabit Internet connection for a period of ten hours." In other words, the probability of a successful attack is fairly minimal. On the other hand, in the case of an unpatched server, an attack was "narrowed down to six seconds," Vixie noted.
In the long term, Vixie says "we'll go on improving our forgery resilience, as will every recursive DNS implementor, while we continue pushing DNSSEC as the ultimate long term solution to the entire forgery problem including this off-path-attacker problem."
--
Joe Baptista
www.publicroot.org
PublicRoot Consortium
----------------------------------------------------------------
The future of the Internet is Open, Transparent, Inclusive, Representative & Accountable to the Internet community @large.
----------------------------------------------------------------
Office: +1 (360) 526-6077 (extension 052)
Fax: +1 (509) 479-0084
Regards,
Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" - Abraham Lincoln
"Credit should go with the performance of duty and not with what is very often the accident of glory" - Theodore Roosevelt
"If the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B is less than PL." United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947])
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of Information Network Eng. INEG. INC.
ABA member in good standing member ID 01257402
E-Mail jwkckid1@ix.netcom.com
My Phone: 214-244-4827
participants (1)
-
Jeffrey A. Williams