Evgeniy Polyakov reportedly used two desktop computers and a high-speed network link to fool the patch into returning a spoofed address in just 10 hours.

According to Polyakov, a typical attack server generates approximately 40,000-50,000 fake replies before hitting on the right one. Polyakov also noted that if the port is matched “the probability of successful poisoning is more than 60 per cent”.

Alarmed insecurity experts warned the patch could be exploited to redirect Internet traffic and collect user passwords.

The hacker appears to state on a Russian Blog, “DJBDNS does not suffer from this attack. It does. Everyone does. With some tweaks it can take longer than BIND, but overall problem is there.”

Read the full story at New York Times.