On Wed, Jul 30, 2008 at 18:39, Thomas Jacob <jacob@xxxxxxxxxxxxx> wrote:
> One of the main points of the Kaminsky exploits allegedly is
> (but who knows for sure, it hasn't been published yet)

The exploit _has_ been published and Dan confirmed it. The current
Metasploit implementation is not as fast as Dan's version, but it
works. Several people reported exploits in the wild that are actively
abusing said security hole.

> The question therefore is if you will really gain a lot
> of security with respect to the exploit in question.

Hmm... Yes. You increase the entropy from 2^16 to 2^32 - 1025. This is
not great security and DNSSEC is the only viable long-term solution,
but right now, I am concerned to fully understand the impact of the
exploit with regards to my three questions.

> We'll know next week :)

We know right now. You have a chance of approximately 1/3000 to
successfully exploit an old DNS caching server. But you have to sit
out the TTL each time, so the attack vector is impractical for most
uses. Now, you can mount a hundred attacks per second. That means you
can chew through the 3000 tries you need on average in less than a
minute. With the higher entropy, I don't know the chances for a
successful exploit, but they are so low as to provide some protection.

I am especially concerned about question 2: Do all versions of
iptables available in kernels 2.4 and 2.6 use the original source port
for their NAT traffic, by default? If not, what are the earliest
versions that did this?

Thanks,
Richard

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
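Added example (not part of the list thread above, and not code from any of its participants): a back-of-the-envelope model of the poisoning race Richard is reasoning about, so the "1/3000 per try, 100 tries a second, done in under a minute" figures can be reproduced and compared with a resolver that also randomises its source port. The model treats each query window as one attempt in which the attacker fires a fixed number of forged replies with distinct guesses into a uniformly random guess space; it ignores rate limiting, packet loss and the resolver's own concurrent outstanding queries. The number of forged replies per attempt (22, which makes the txid-only figure come out at about 1/3000), the usable port range (1024..65535, i.e. 64512 ports) and the 50% confidence target are assumptions made for illustration; the 100 attempts per second figure is the one from the message.

```python
"""Cache-poisoning race model (added example; numbers marked below are assumptions)."""
import math

TXID_SPACE = 2 ** 16                    # 16-bit DNS transaction ID
USABLE_PORTS = 65536 - 1024             # assumption: resolver picks from ports 1024..65535
PORT_AND_TXID_SPACE = TXID_SPACE * USABLE_PORTS

FORGED_PER_ATTEMPT = 22                 # assumption: gives ~1/3000 per attempt for txid only
ATTEMPTS_PER_SECOND = 100               # from the message


def success_prob_per_attempt(space, forged_per_attempt):
    """Probability that a single query window is won.

    The attacker sends `forged_per_attempt` forged replies, each carrying a
    distinct guess, into a space of `space` equally likely values
    (txid alone, or txid combined with source port).
    """
    return min(1.0, forged_per_attempt / space)


def expected_attempts(space, forged_per_attempt):
    """Mean number of query windows until the first win (geometric distribution)."""
    return 1.0 / success_prob_per_attempt(space, forged_per_attempt)


def attempts_for_confidence(space, forged_per_attempt, confidence=0.5):
    """Smallest number of attempts for which P(at least one win) >= confidence."""
    p = success_prob_per_attempt(space, forged_per_attempt)
    if p >= 1.0:
        return 1
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p))


def seconds_to_poison(space, forged_per_attempt, attempts_per_second, confidence=0.5):
    """Wall-clock time to reach `confidence` of a poisoned cache at a given attempt rate.

    This assumes the attacker can trigger a fresh query every window; if the
    resolver has to sit out the TTL between attempts, multiply accordingly.
    """
    return attempts_for_confidence(space, forged_per_attempt, confidence) / attempts_per_second


def protection_factor(forged_per_attempt):
    """How many times longer the race takes once the source port is random too."""
    return (expected_attempts(PORT_AND_TXID_SPACE, forged_per_attempt)
            / expected_attempts(TXID_SPACE, forged_per_attempt))


if __name__ == "__main__":
    for label, space in (("txid only", TXID_SPACE),
                         ("txid + random source port", PORT_AND_TXID_SPACE)):
        p = success_prob_per_attempt(space, FORGED_PER_ATTEMPT)
        print(f"{label}: 1 in {1 / p:,.0f} per attempt, "
              f"{expected_attempts(space, FORGED_PER_ATTEMPT):,.0f} attempts on average, "
              f"{seconds_to_poison(space, FORGED_PER_ATTEMPT, ATTEMPTS_PER_SECOND) / 3600:,.2f} h "
              f"to 50% at {ATTEMPTS_PER_SECOND}/s")
    print(f"port randomisation lengthens the race by a factor of {protection_factor(FORGED_PER_ATTEMPT):,.0f}")
```

Under these assumptions the txid-only resolver falls in about half a minute at 100 attempts per second, while adding 64512 possible source ports stretches the same race to a couple of weeks; the factor is simply the number of usable ports, which is why the question of whether NAT rewrites the resolver's randomised source port back to something predictable matters so much.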