[aklug] Re: DNS Exploit

From: barsalou <barjunk@attglobal.net>
Date: Thu Jul 10 2008 - 07:41:09 AKDT

Leif, thanks for the response.

Does your statement below imply that the poisoner would have to be
able to sniff traffic?

This means she'd have to be in-line or on the same physical subnet as
you, right?

There was some statement in the notice that Jon posted that you could
do some mitigation with blocking spoofed traffic.

My personal problem with all this is that, if you use a boxed router,
like I do, what is the likelihood that they will patch this very
quickly?

This may not really be a concern, however, because those devices
aren't typically open to the outside world so that folks could do
anything with those servers.

So I guess the question I'm trying to answer is:

  What circumstances would someone have to be in to be vulnerable?

It seems from the article that you would not be vulnerable if one or
more of the following were true:

  - You block DNS queries to your DNS server from non-local nets
  - You block all traffic not from your own subnets (You should do this anyway)
  - DNSSEC as Leif suggested.
  - You patch your version of bind.
  - Disable recursion on your DNS server (Are there side effects?)
  - enable randomization for source ports (Are there side effects?)

Did I miss anything?

Mike B.
Quoting "Jenkinson, John P (SAIC)" <John.Jenkinson@bp.com>:

> i think it's the protocol that's vulnerable.
> the DNS protocol is old 16-bit request id good when
> machines were 16-bit or smaller.
> reminder
> dns query is udp (save for large responses using tcp)
> the source port is usually 53, can use other ports in more
> recent implementations BUT the response needs to reappear on the
> source request port.
> so you either don't have a DNS server (utilize your ISPs or other)
> which places you at their mercy
> or you "patch" yours. patching is now known to incur a performance
> penalty,
> render zone alarm problems, etc.
> BUT your upstream DNS server can still be vulnerable and pass you the
> "poisoned" dns response from their cache.
> so in theory a bad person can monitor traffic, capture the request ID
> and
> port, respond with a response that steers your bank transaction to their
> site
> instead of your bank's. they just have to beat the real response
>
> bottom line (imho) the ends are still vulnerable if the patch is applied
> in the middle.
> i.e. it's more of a client issue than media reports to date might indicate.
>
> -----Original Message-----
> From: aklug-bounce@aklug.org [mailto:aklug-bounce@aklug.org] On Behalf
> Of Leif Sawyer
> Sent: Wednesday, July 09, 2008 4:31 PM
> To: aklug
> Subject: [aklug] Re: DNS Exploit
>
>
> 1) Check to see if you're vulnerable using the website
> www.doxpara.com
>
> 2) If you are, you can upgrade to the latest bind patch level
> from ISC.
> or
> 3) you can wait until your vendor issues a patch.
>
> 4) You can enable DNSSEC on your server. This really will
> mitigate the entire issue.
>

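A defender-side version of the self-check Leif points to, added here as an example that is not part of the thread or of any tool named in it: it takes (source port, transaction ID) pairs captured from your own resolver's outbound queries (the sample pairs below are constructed) and reports whether the 16-bit ID John describes is the only thing an off-path forger would have to guess, i.e. whether the source-port randomization on Mike's list is actually in effect.

```python
"""Check a resolver's outbound query randomization from captured queries.

Input: (source_port, transaction_id) pairs of the resolver's own outbound
queries, as pulled from a packet capture on the resolver host.
"""
import math

# Constructed samples (not real captures).
# An unpatched resolver: random IDs but every query leaves from port 53.
FIXED_PORT_RESOLVER = [(53, (i * 40503) % 65536) for i in range(20)]
# A patched resolver: IDs and source ports both spread over a wide range.
RANDOM_PORT_RESOLVER = [(32768 + (i * 7919) % 28000, (i * 40503) % 65536)
                        for i in range(20)]


def is_sequential(values):
    """True when every value is the previous one plus a constant step."""
    if len(values) < 3:
        return False
    return len({b - a for a, b in zip(values, values[1:])}) == 1


def assess_resolver(observations):
    """Return findings plus a rough estimate of the bits a forger must guess."""
    ports = [p for p, _ in observations]
    ids = [i for _, i in observations]
    fixed_port = len(set(ports)) == 1
    seq_ids = is_sequential(ids)
    # Optimistic model: 16 bits of ID unless predictable, plus the observed
    # source-port spread (0 bits when the port never changes).
    id_bits = 0 if seq_ids else 16
    port_bits = 0 if fixed_port else math.log2(max(ports) - min(ports) + 1)
    guess_bits = int(round(id_bits + port_bits))
    return {
        "fixed_source_port": fixed_port,
        "sequential_ids": seq_ids,
        "guess_bits": guess_bits,
        "verdict": "exposed" if (fixed_port or seq_ids) else "randomized",
    }


if __name__ == "__main__":
    for name, sample in (("fixed-port", FIXED_PORT_RESOLVER),
                         ("random-port", RANDOM_PORT_RESOLVER)):
        print(name, assess_resolver(sample))
```

Run it against a capture of your own resolver only; a 16-bit guess space with a fixed port is what the upgrade or vendor patch is meant to remove.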
Received on Thu Jul 10 07:41:21 2008

This archive was generated by hypermail 2.1.8 : Thu Jul 10 2008 - 07:41:21 AKDT