[MaraDNS] MaraDNS update (December 14, 2014)

Sam Trenholme maradns at gmail.com
Sun Dec 14 19:58:49 PST 2014


> CERT vulnerability VU#264212 (Summary: MaraDNS is not vulnerable)

I spoke too soon. Thinking about it some more today, I realized that
Deadwood (MaraDNS 2.0) might be vulnerable.  That in mind, I have made
a new MaraDNS snapshot release with some code added to harden Deadwood
against this attack.  I have uploaded the changes to the MaraDNS Git
tree, as well as making a new Deadwood snapshot release (including a
Windows binary) with the hardening code added:

https://github.com/samboy/MaraDNS

http://maradns.samiam.org/deadwood/snap/

The early 2015 MaraDNS release will have this hardening code in it.

As an aside, this hardening code has finally made Deadwood too big to
fit in 64 KiB, so I will no longer compile it with "-Os", but have
started compiling it with "-O3"; the -O3 binary is 150,671 bytes in
size, which is still tiny, and it's probably faster than the -Os
binary.

I do not feel this issue is critical enough to make an out-of-band new
MaraDNS release, nor is it critical enough for me to muck around in
the 1.4 codebase.  The attack requires the attacker to devote a
lot of resources generating the "tarpit" DNS packets, and, since
MaraDNS does not support EDNS, amplification should be fairly minimal.

- Sam
