With all this DNS stuff going around, obviously Dan Kaminsky has found something interesting, and the fix is to use random source ports. Now, that might simply mask the real vulnerability by upping the effort needed to leverage it. Or it might simply prevent some other avenue from being popped (someone on the Full-Disclosure list threw out ICMP responses...). I really don’t know, and am looking forward to the outing at Black Hat (I won’t be there, but I’ll be waiting and watching from afar).
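As an added illustration (my own script, not something from the original post or from Kaminsky): the arithmetic behind "upping the effort". A blind attacker who cannot see the resolver's outgoing query has to guess the 16-bit DNS transaction ID; once the resolver also randomizes its source port, roughly 16 more bits join the guess. The script assumes about 2^16 usable ephemeral ports, a resolver that listens on a single fixed port when it does not randomize, and an attacker who fires a fixed number of distinct forged replies into each query window. It models only the brute-force race, not the specifics of Kaminsky's technique (which the post above does not describe), so read it as the cost of one guessing round, not as a statement that the underlying weakness is gone.

```python
import random

TXID_BITS = 16   # the DNS header transaction ID is a 16-bit field
PORT_BITS = 16   # assumption: the resolver draws from roughly 2^16 ephemeral ports


def guess_space(randomize_port):
    """Number of (txid, port) pairs a blind attacker must cover."""
    return 2 ** (TXID_BITS + (PORT_BITS if randomize_port else 0))


def poison_probability(forged_per_window, randomize_port):
    """Chance that one query window is poisoned when the attacker lands
    `forged_per_window` distinct forged replies before the real answer does."""
    space = guess_space(randomize_port)
    return min(1.0, forged_per_window / space)


def expected_windows(forged_per_window, randomize_port):
    """Expected number of query windows (i.e. separate races) before a hit."""
    return 1 / poison_probability(forged_per_window, randomize_port)


def simulate(forged_per_window, randomize_port, windows, seed=1):
    """Monte Carlo check of poison_probability: per window the resolver picks one
    random (txid, port) target and the attacker sends distinct random guesses.
    Returns the fraction of windows that were poisoned."""
    rng = random.Random(seed)
    space = guess_space(randomize_port)
    hits = 0
    for _ in range(windows):
        target = rng.randrange(space)                       # outstanding query
        guesses = set(rng.sample(range(space), forged_per_window))  # forged replies
        if target in guesses:
            hits += 1
    return hits / windows


if __name__ == "__main__":
    burst = 1000  # forged replies the attacker gets in before the real answer
    for randomized in (False, True):
        label = "random source port" if randomized else "fixed source port"
        print(f"{label}: guess space {guess_space(randomized)}, "
              f"P(poison per window) {poison_probability(burst, randomized):.2e}, "
              f"expected windows {expected_windows(burst, randomized):.0f}")
    # Simulation only for the fixed-port case; the randomized case would need
    # millions of windows to see a single hit, which is exactly the point.
    print("simulated fixed-port hit rate:", simulate(burst, False, 2000))
```

With a 1000-reply burst the fixed-port resolver falls in about 66 windows on average, while the randomized one needs on the order of four million, a factor of 2^16. That is the whole effect of the fix: the transaction ID is still only 16 bits, the attacker just has to race far more often.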
Halvar Flake has a blog post that can help put this issue into a bit of perspective, at least to the net geeks. He essentially says we shouldn’t have been trusting DNS anyway, so this isn’t a huge thing to worry about. To the rest of the world, unfortunately, that doesn’t necessarily apply quite as nicely…
1. Halvar will tell us we shouldn’t be trusting DNS anyway. The rest of the world does not understand that, and will be asking either why we use it or why we don’t use a secure implementation of it. Of course, at some point somewhere we have to deal with something we can’t trust if we are to interact…
2. C-levels wouldn’t understand it if this bug became weaponized and used to mass-poison servers, preventing them from trading their stocks (or their company’s stock!). Untrusted or not, they’re affected, and that will slide downhill and become our major headache.
Some people have been too quick to dismiss ICMP packets.