Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 internet speed test! ×
Security

Submission + - Kaminsky DNS Bug Fixed by Single Character Patch?

An anonymous reader writes: According to this thread on the bind-users mailing list ( http://marc.info/?t=121981071400003 ) there is nothing inherent in the DNS protocol that would cause the massive vulnerability discussed at length here and elsewhere.

As it turns out, it appears to be a simple off-by-one error in BIND, which favors new NS records over cached ones (even if the cached TTL is not yet expired). The patch changes this in favor of still-valid cached records, removing the attacker's ability to succesfully poison the cache outside the small window of opportunity afforded by an expiring TTL, which is the way things used to be before the Kaminsky debacle.

Source port randomization is nice, but removing the root cause of the attack's effectiveness is better...

Slashdot Top Deals

"It's when they say 2 + 2 = 5 that I begin to argue." -- Eric Pepke

Working...