About the impact of the BIND SRTT Vulnerability
Hi,
A recent blog post has misinterpreted or over-exaggerated a press release from the Technion.
The BIND SRTT Vulnerability that we discovered and presented in USENIX WOOT '13 is definitely NOT a critical security issue, which is exactly the reason why ISC has decided to only fix it in a future version.
So what is the real impact of the issue? As we stated in the whitepaper and the slides, the adversary can exploit this vulnerability in order to optimize off-path attacks by reducing a few bits of randomness. The vulnerability by itself does NOT make new attacks feasible.
-Roee