- http://www.darknet.org.uk/2016/02/the-l ... d-to-know/
Our suggested mitigation is to limit the response (i.e., via Dnsmasq or similar programs)
An alternative like Musl "could" also help.
- http://arstechnica.com/security/2016/02 ... ulnerable/
Meanwhile, Glibc maintainers provided the following additional mitigation details:
Mitigating factors for UDP include:
- A firewall that drops UDP DNS packets > 512 bytes.
- A local resolver (that drops non-compliant responses).
- Avoid dual A and AAAA queries (avoids buffer management error), e.g. do not use AF_UNSPEC.
- No use of `options edns0` in /etc/resolv.conf since EDNS0 allows
responses larger than 512 bytes and can lead to valid DNS responses
- No use of `RES_USE_EDNS0` or `RES_USE_DNSSEC` since they can both
lead to valid large EDNS0-based DNS responses that can overflow.
Mitigating factors for TCP include:
- Limit all replies to 1024 bytes.
(see also https://access.redhat.com/errata/RHSA-2016:0175 )

One Linux-based package that's not vulnerable is Google's Android mobile operating system. It uses a glibc substitute known as Bionic and isn't susceptible, a company representative said.
A contingency plan is a plan devised for an outcome other than the usual (expected) plan.
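The two host-side mitigations quoted above (no `options edns0` in /etc/resolv.conf, and a local resolver that keeps UDP answers within 512 bytes) are easy to audit with a short script. The following is an added example, not code from the post, darknet, Ars Technica or the glibc maintainers. It assumes a dnsmasq-style local resolver, where the real `edns-packet-max=` option caps the EDNS0 UDP packet size, and it checks constructed sample files written to a temp directory so it runs offline; point the two check functions at /etc/resolv.conf and /etc/dnsmasq.conf to audit a real host.

```shell
#!/bin/sh
# Added example: audit resolv.conf and a dnsmasq config against the UDP
# mitigation notes quoted in the post. Sample files below are constructed.

# resolv_conf_ok FILE
# Returns 0 when no "options" line carries the edns0 token, 1 otherwise.
# Comments are stripped first, so "# options edns0" does not count.
resolv_conf_ok() {
    sed 's/#.*//' "$1" | awk '
        $1 == "options" { for (i = 2; i <= NF; i++) if ($i == "edns0") bad = 1 }
        END { exit bad + 0 }'
}

# dnsmasq_conf_ok FILE
# Returns 0 when edns-packet-max is set to 512 bytes or less (the classic
# DNS UDP limit), 1 when it is absent or larger. dnsmasq's default (4096 in
# current releases) would allow the large replies the advisory warns about.
dnsmasq_conf_ok() {
    sed 's/#.*//' "$1" | awk -F= '
        $1 ~ /^[[:space:]]*edns-packet-max[[:space:]]*$/ {
            gsub(/[[:space:]]/, "", $2); found = 1; size = $2 + 0
        }
        END { exit (found && size <= 512) ? 0 : 1 }'
}

# Constructed sample configs (assumption: a dnsmasq-style local resolver).
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/resolv.weak.conf" <<'EOF'
# constructed sample: edns0 enabled, so replies larger than 512 bytes are allowed
nameserver 127.0.0.1
options ndots:1 edns0
EOF
cat > "$DEMO_DIR/resolv.ok.conf" <<'EOF'
# constructed sample: no edns0, only a commented-out mention
nameserver 127.0.0.1
options ndots:1 timeout:2   # edns0 deliberately not set
EOF
cat > "$DEMO_DIR/dnsmasq.weak.conf" <<'EOF'
listen-address=127.0.0.1
edns-packet-max=4096
EOF
cat > "$DEMO_DIR/dnsmasq.ok.conf" <<'EOF'
listen-address=127.0.0.1
edns-packet-max = 512   # cap UDP answers at the classic limit
EOF

# Report on each sample; a real audit would pass /etc/resolv.conf and
# /etc/dnsmasq.conf instead of the constructed files.
for f in resolv.weak.conf resolv.ok.conf; do
    if resolv_conf_ok "$DEMO_DIR/$f"; then
        echo "$f: OK (no edns0 option)"
    else
        echo "$f: WEAK (options edns0 present, remove it)"
    fi
done
for f in dnsmasq.weak.conf dnsmasq.ok.conf; do
    if dnsmasq_conf_ok "$DEMO_DIR/$f"; then
        echo "$f: OK (edns-packet-max <= 512)"
    else
        echo "$f: WEAK (set edns-packet-max=512)"
    fi
done
```

The firewall rule from the same list (drop UDP DNS packets over 512 bytes) belongs on the network edge rather than in these files, and the TCP limit of 1024 bytes is a resolver-side setting, so neither is covered by this script.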