1. BlackHat DC 09 Wouters

http://www.blackhat.com/presentations/bh-dc-09/Wouters/BlackHat-DC-09-Wouters-Post-Dan-Kaminsky-slides.pdf


1.1. Two phase deployment

• First release a generic fix for the Kaminsky attack that does not leak information to the bad guys
 (source port randomization)

• Then release the bug and patches specifically against the Kaminsky attack


1.2. The inevitable: Fix recursive nameservers

  Port randomization
  Sanitize TTL's
  Use more IP addresses per DNS server
  Harden against bogus size packets
  Harden glue
  Additional queries for infrastructure data
  0x20


1.3. Hardening infrastructure queries

(extra work is only needed once, then we use caching – minimum impact)