[aklug] Re: DNS Exploit (fwd)

From: Arthur Corliss <acorliss@nevaeh-linux.org>
Date: Thu Jul 10 2008 - 10:41:18 AKDT

:-P Bloody multiple addresses...

          --Arthur Corliss
            Live Free or Die

---------- Forwarded message ----------
Date: Thu, 10 Jul 2008 10:12:31 -0800 (AKDT)
From: Arthur Corliss <acorliss@corlissfamily.org>
To: barsalou <barjunk@attglobal.net>
Cc: "Jenkinson, John P (SAIC)" <John.Jenkinson@bp.com>, aklug <aklug@aklug.org>
Subject: Re: [aklug] Re: DNS Exploit

On Thu, 10 Jul 2008, barsalou wrote:

> Leif, thanks for the response.
>
> Does your statement below imply that the poisoner would have to be
> able to sniff traffic?
>
> This means she'd have to be in-line or on the same physical subnet as
> you, right?

If you put a script kiddie in a position to sniff traffic even he could
screw you so hard it'd take you a year to start walking upright again. As
John stated, we won't know definitively until after the presentation this
fall, but as a betting man I don't believe it is. Being able to sniff
traffic is such an unfair advantage that it's almost lethal.

> There was some statement in the notice that Jon posted that you could
> do some mitigation with blocking spoofed traffic.

This comes to firewalling at the routing layer. In a nutshell, you should
only be allowing the right subnet to be passed *if* it comes in the right
interface. Doing that makes it very hard for someone to inject forged
packets from off-net, unless they're on the exact same subnet as you.

> My personal problem with all this is that, if you use a boxed router,
> like I do, what is the likelihood that they will patch this very
> quickly?

Your boxed router is typically using an upstream DNS server. If your ISP
hasn't updated, you're vulnerable by proxy. If, however, it runs a true
caching DNS then you're not vulnerable since it'll be talking to
authoritative DNS servers only.

Again, in the event the hacker is in a position to sniff your traffic, all bets
are off.

> This may not really be a concern, however, because those devices
> aren't typically open to the outside world so that folks could do
> anything with those servers.
>
> So I guess the question I'm trying to answer is:
>
> What circumstances would someone have to be in to be vulnerable?
>
> It seems from the article that you would not be vulnerable if one or
> more of the following were true:
>
> - You block DNS queries to your DNS server from non-local nets

You can't do this if you're hosting your own DNS for a public domain.

> - You block all traffic not from your own subnets (You should do this anyway)

See previous note.

> - DNSSEC as Leif suggested.
> - You patch your version of bind.
> - Disable recursion on your DNS server (Are there side effects?)

You can't disable recursion if you're acting as a DNS server for your local
clients without causing some significant problems. You'd only be able to do
that if you're running an authoritative-only DNS server.

> - enable randomization for source ports (Are there side effects?)

Performance.

          --Arthur Corliss
            Live Free or Die
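As an added check, not from the thread or its authors: a small Python script that inspects (transaction id, UDP source port) pairs from a resolver's outgoing queries, as an operator might pull them from a packet capture, and flags a resolver that reuses one port or walks ports or transaction ids sequentially. The sample records below are constructed, not captured from any real resolver.

```python
from statistics import pstdev

# Constructed sample records: (DNS transaction id, UDP source port) as one
# would extract them from a resolver's outbound queries in a packet capture.
RANDOMISED = [(0x3f1a, 51934), (0x9c02, 63311), (0x1177, 54207), (0xe4b9, 60028),
              (0x2a5d, 58790), (0x7bc4, 49602), (0xd013, 61745), (0x58e6, 55919),
              (0xa30f, 64402), (0x6f81, 52176), (0x0c9a, 59533), (0xb7d5, 57064)]
FIXED_PORT = [(0x0001 + i, 53) for i in range(12)]            # txid counts up, one port
SEQUENTIAL = [(0x4000 + 37 * i, 32768 + i) for i in range(12)]  # port steps by one

def max_increment_run(values):
    """Longest run in which each value is exactly the previous value plus one."""
    best = run = 1
    for prev, cur in zip(values, values[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def assess(records):
    """Summarise port/txid variety; 'weak' means an attacker needs far fewer guesses."""
    txids = [t for t, _ in records]
    ports = [p for _, p in records]
    result = {
        "distinct_ports": len(set(ports)),
        "distinct_txids": len(set(txids)),
        "port_stdev": round(pstdev(ports), 1),
        "port_run": max_increment_run(ports),
        "txid_run": max_increment_run(txids),
    }
    weak = (result["distinct_ports"] < len(records) // 2
            or result["port_run"] >= 4
            or result["txid_run"] >= 4)
    result["verdict"] = "weak" if weak else "ok"
    return result

if __name__ == "__main__":
    for name, recs in (("randomised", RANDOMISED), ("fixed port", FIXED_PORT),
                       ("sequential", SEQUENTIAL)):
        print(f"{name:11s} {assess(recs)}")
```

Twelve records are only enough to catch a resolver that is obviously not randomising; a proper assessment needs hundreds of queries, and a resolver behind NAT should be checked from outside the NAT, since the NAT device may rewrite the ports.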
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Thu Jul 10 10:41:32 2008

This archive was generated by hypermail 2.1.8 : Thu Jul 10 2008 - 10:41:32 AKDT