| I can give a specific example of that happening: The "Kaminsky Attack" from 2008 was an extension of a well known attack from the late 1990s (Kaminsky's innovation was to combine the two best-known attacks from the 90s: request ID prediction and authority record poisoning). When he announced it, Kaminsky's attack impacted BIND (the de facto standard server) but not djbdns. That's because djbdns randomized ports and request IDs, making the attack difficult (not impossible, but not practical). Djbdns started out randomized that way. Back in the 1990s, when request ID attacks were first being demonstrated, it was suggested on NANOG that BIND randomize ports as well. IIRC, Vixie even claimed to have performance numbers for a "scoreboarding resolver" that used randomization. But he objected to the deployment of that software, because the "right" solution was DNSSEC. (I was on NANOG at the time because I had written exploit code for both sets of problems). Fast forward a decade and Kaminsky has "broken the Internet", forcing BIND to finally fully randomize (a countermeasure that more or less killed his attack). The irony is: Kaminsky's attack was seized on as a reason to deploy DNSSEC! |
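To put numbers on the point above, that randomizing the source port in addition to the 16-bit request ID turns a practical forgery into an impractical one, here is an added example (not from the comment or from any resolver's code). It models the (TXID, source port) space a forged reply must match, the chance of a match within a burst of forged replies, and a defender-side check over a resolver's observed query source ports; the ephemeral-port range size and the port samples are constructed assumptions.

```python
import math
from collections import Counter

TXID_BITS = 16                   # DNS transaction ID is a 16-bit field
EPHEMERAL_PORTS = 65535 - 1024   # assumed size of a randomized source-port range


def identity_space(port_randomized: bool) -> int:
    """Number of (TXID, source port) pairs a forged reply has to match."""
    return 2 ** TXID_BITS * (EPHEMERAL_PORTS if port_randomized else 1)


def success_probability(forged_replies: int, port_randomized: bool) -> float:
    """P(at least one of n independent guesses matches) = 1 - (1 - 1/S)^n."""
    space = identity_space(port_randomized)
    return 1.0 - (1.0 - 1.0 / space) ** forged_replies


def shannon_entropy_bits(samples) -> float:
    """Empirical entropy of a sample, in bits."""
    counts = Counter(samples)
    n = len(samples)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def port_randomization_check(observed_ports, min_ratio: float = 0.9) -> dict:
    """Defender check: do the source ports of a resolver's outgoing queries vary?

    Compares the observed entropy with the maximum possible for a sample of
    this size (log2(n)); a fixed port scores 0, a fully varying one scores 1.
    """
    max_bits = math.log2(len(observed_ports))
    ratio = shannon_entropy_bits(observed_ports) / max_bits if max_bits else 0.0
    return {
        "distinct_ports": len(set(observed_ports)),
        "entropy_ratio": round(ratio, 3),
        "randomized": ratio >= min_ratio,
    }


# Constructed samples standing in for source ports seen in 200 captured queries.
FIXED_PORT_SAMPLE = [53] * 200                                  # legacy fixed port
RANDOM_PORT_SAMPLE = [1024 + (i * 7919) % 60000 for i in range(200)]  # varying ports

if __name__ == "__main__":
    for randomized in (False, True):
        p = success_probability(65536, randomized)
        print(f"port randomized={randomized}: space={identity_space(randomized)}, "
              f"P(match in 65536 forged replies)={p:.2e}")
    print(port_randomization_check(FIXED_PORT_SAMPLE))
    print(port_randomization_check(RANDOM_PORT_SAMPLE))
```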