
Patch for Internet Security Hole May Not Do the Job - ksvs
http://www.nytimes.com/2008/08/09/technology/09flaw.html?_r=1&partner=rssnyt&emc=rss&oref=slogin
======
sysop073
Am I the only person that's annoyed that he just blogged this? When Kaminsky
discovered the original flaw he kept it quiet and got a ton of nameservers
patched before it leaked. Now this guy finds a problem with the patch, so he
posts it on his blog immediately with helpful exploit code attached. What the
hell?

------
tptacek
The attacker in this scenario appears to be able to deliver 40kpps to the
target _before_ the legitimate server's response lands. The writer says he's
on a GigE link --- presumably, he means "on the same GigE as the target
resolver".

In the real world, attackers with that vantage point have better ways to
hijack the DNS; for instance, they can usually reconfigure the target server.

Your LAN is way, way more owned than the Internet at large is. Pretty much
every network attack devised since 1992 still works on an internal network.
The reason this doesn't kill you is, you don't let strangers on your internal
network.

~~~
sysop073
Oh, you're right, I really shouldn't skim. That does seem useless; it says
right in the article the attackers were connected directly to the nameserver.

