http://media.blackhat.com/webinars/blac ... erence.mp3
Seems to be something like this:
Paul Vixie in 1995 wrote:
With only 16 bits worth of query ID and 16 bits worth of UDP port number, it's hard not to be predictable. A determined attacker can try all the numbers in a very short time and can use patterns derived from examination of the freely available BIND source code. Even if we had a white noise generator to help randomize our numbers, it's just too easy to try them all.
djb in 2001 wrote:
> Randomising the port number for each query achieves precisely nothing.
Wrong. Randomizing the port number makes a huge difference in the cost of a forgery for blind attackers---i.e., most attackers on the Internet.
Here's the picture:
                  normal        colliding     sniffing
                  blind attack  blind attack  attack
                  ------------  ------------  --------
nothing           1             1             1
ID (BIND)         65536         256           1
ID+port (djbdns)  4227727360    65020         1
It's funny that the BIND company has gone to so much effort to move from the first line to the second, but now pooh-poohs the third line.
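Reproducing djb's table from the model behind it, as an added example (not code from the original thread): the "normal" column is the whole ID x port search space, the "colliding" column is read here as the birthday bound (integer square root of that space), and the 64510 usable source ports are an assumption inferred from 4227727360 = 65536 x 64510, since the thread does not say which ports djb excluded.

```python
import math

TXID_SPACE = 1 << 16          # 16-bit DNS transaction ID
# Assumption: djb's 4227727360 = 65536 * 64510, so his port pool is taken
# as 64510 usable UDP source ports (which ports are excluded is not stated).
DJB_PORT_SPACE = 64510


def forgery_cost(txid_space: int, port_space: int) -> dict:
    """Number of guesses a forger needs to cover the (ID, port) space.

    normal    - blind attacker must enumerate every (ID, port) pair: N
    colliding - blind attacker racing many outstanding queries at once and
                needing only one match; read here as the birthday bound sqrt(N)
    sniffing  - attacker who sees the query on the wire needs one guess
    """
    n = txid_space * port_space
    return {"normal": n, "colliding": math.isqrt(n), "sniffing": 1}


def entropy_bits(search_space: int) -> float:
    """Bits of unpredictability the forger must overcome (log2 of the space)."""
    return math.log2(search_space)


def cost_table(port_space: int = DJB_PORT_SPACE) -> dict:
    """The three rows of djb's table: no randomisation, random ID, random ID+port."""
    return {
        "nothing": forgery_cost(1, 1),
        "ID (BIND)": forgery_cost(TXID_SPACE, 1),
        "ID+port (djbdns)": forgery_cost(TXID_SPACE, port_space),
    }


if __name__ == "__main__":
    print(f"{'':18}{'normal':>12}  {'colliding':>12}  {'sniffing':>8}  bits")
    for label, cost in cost_table().items():
        print(f"{label:18}{cost['normal']:>12}  {cost['colliding']:>12}  "
              f"{cost['sniffing']:>8}  {entropy_bits(cost['normal']):5.1f}")
```

The "bits" column is the figure resolver hardening guides usually quote: a random ID alone is 16 bits, ID plus a randomised source port is just under 32.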