DNS protocol vulnerability

[ffreeloader]

I'm surprised that I see absolutely no chatter about this here. This is a huge vulnerability. It affects the entire internet as everyone is dependent on dns.

Something that has probably been overlooked in this is how the patch fares when the dns traffic is run through NAT. In my case the NAT devices both at home and at work completely destroy the effectiveness of the fix by lowering the standard deviation of port variation to somewhere between 4 and 100, depending on the individual test. That's when the patched machines themselves have a standard deviation of source port variation of over 10,000 as tested using tcpdump to capture source ports from the machine itself

So, if you are behind a NAT device better check to see if the effectiveness of the patch is being destroyed by your NAT device. The people at oarc.net have been good enough to provide a way to test the effectiveness of the fixes in a real world situation.

dig +short porttest.dns-oarc.net TXT

or

dig +short porttest.dns-oarc.net TXT @your.dns.server

You should get back something like this:

z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"xxx.xxx.xxx.xxx is FAIR: 26 queries in 0.1 seconds from 25 ports with std dev 3843.00"

[onoski]

Quote:

Originally Posted by ffreeloader

I'm surprised that I see absolutely no chatter about this here. This is a huge vulnerability. It affects the entire internet as everyone is dependent on dns.

Something that has probably been overlooked in this is how the patch fares when the dns traffic is run through NAT. In my case the NAT devices both at home and at work completely destroy the effectiveness of the fix by lowering the standard deviation of port variation to somewhere between 4 and 100, depending on the individual test. That's when the patched machines themselves have a standard deviation of source port variation of over 10,000 as tested using tcpdump to capture source ports from the machine itself

So, if you are behind a NAT device better check to see if the effectiveness of the patch is being destroyed by your NAT device. The people at oarc.net have been good enough to provide a way to test the effectiveness of the fixes in a real world situation.

dig +short porttest.dns-oarc.net TXT

or

dig +short porttest.dns-oarc.net TXT @your.dns.server

You should get back something like this:

z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"xxx.xxx.xxx.xxx is FAIR: 26 queries in 0.1 seconds from 25 ports with std dev 3843.00"

Huh! Nerd or Geek



Both, just kidding but am sure it wouldn't be all that bad after all.

[hbroomhall]

Presumably this is why Microsoft included a DNS patch a couple of days ago.

Harry.

[ffreeloader]

Quote:

Originally Posted by onoski

Huh! Nerd or Geek



Both, just kidding but am sure it wouldn't be all that bad after all.

Huh? DNS is a single point of failure for the entire internet, and this vulnerability is in the DNS protocol itself. It affects every vendor, and every machine, that uses DNS. That's the entire internet. And, this allows an attacker to blackhole you, i.e. not let any of your dns requests go anywhere so that in effect you are DoS'ed. It also allows attackers to redirect traffic anywhere they wish as the attacker would control what IP address the dns points to.

This is very big, and very serious.

[hbroomhall]

There seems to an awful lot of shouting going on about this.

It *seems* to me that 'only' BIND descended software has the flaw (I say only here as it is a pretty big percentage of the total) and the flaw has been known about for a *long* time.

The only 'new' thing is that someone claims to have found a way of compromising DNS faster than before. However, he isn't revealing how for 30 days.

There are also a lot of people wondering why the proposals for a more robust DNS haven't been pushed on faster.

Harry.

[ffreeloader]

Quote:

Originally Posted by hbroomhall

Presumably this is why Microsoft included a DNS patch a couple of days ago.

Harry.

81 vendors released patches yesterday, including MS. But, if you're behind a NAT device the efficacy of the patch needs to be checked as many NAT devices choose their own ports. If they get a source port request on the LAN side on 55000 they may choose to forward it on 25000, and the entropy, i.e. the standard deviation they use, is not nearly as good as what this patch provides for dns. The entire efficacy of the patch relies on source port variation so that an attacker can't guess which source port is going to be used next. So, you screw with the entropy of the source port variation and you screw with the effectiveness of the patch....

[onoski]

Quote:

Originally Posted by ffreeloader

Huh? DNS is a single point of failure for the entire internet, and this vulnerability is in the DNS protocol itself. It affects every vendor, and every machine, that uses DNS. That's the entire internet. And, this allows an attacker to blackhole you, i.e. not let any of your dns requests go anywhere so that in effect you are DoS'ed. It also allows attackers to redirect traffic anywhere they wish as the attacker would control what IP address the dns points to.

This is very big, and very serious.

Freddy, I understand this is very serious but at the same time the article or companies that presumably figured this smoked DNS hole hasn't mentioned how its used to infiltrate the internet.

Obviously, yes it is a bit worrying but I still think there is some scaremongering going on too

[ffreeloader]

Quote:

Originally Posted by hbroomhall

There seems to an awful lot of shouting going on about this.

It *seems* to me that 'only' BIND descended software has the flaw (I say only here as it is a pretty big percentage of the total) and the flaw has been known about for a *long* time.

The only 'new' thing is that someone claims to have found a way of compromising DNS faster than before. However, he isn't revealing how for 30 days.

There are also a lot of people wondering why the proposals for a more robust DNS haven't been pushed on faster.

Harry.

That's not my understanding. This is in the DNS protocol itself from my understanding. If it was Bind only, then why would MS be putting out a patch on this? Are you saying MS uses Bind?

Just to make sure we're talking about the same thing....

http://www.kb.cert.org/vuls/id/800113

[ffreeloader]

Quote:

Originally Posted by onoski

Freddy, I understand this is very serious but at the same time the article or companies that presumably figured this smoked DNS hole hasn't mentioned how its used to infiltrate the internet.

Obviously, yes it is a bit worrying but I still think there is some scaremongering going on too

Really....
1. Kaminsky works with vendors for a full year in private on this.

2. All vendors who released patches met in one place months ago to discuss how to implement this.

3. 81 vendors released patches simultaneously for the same vulnerability.

This is just scaremongering over a vulnerability that just isn't all that serious.... Hmmmm..... There sure are some vacuous vendors then aren't there? They just worry over nothing.

Just ordinary everyday behavior from vendors isn't it....

[ffreeloader]

It's interesting. I have gone to several forums, most of which have guys with the level of experience Harry has, only theirs is mostly in systems administration not programming, and none of these guys are downplaying the seriousness of this vulnerability.

This is the only forum I've seen which does. I guess that's just the mindset MS engenders in it's techs for you.... If you can't point-and-click it, it's not worth knowing, and security is just an afterthought.

[neutralhills]

I'm with Freddy on this one. This is damned serious. The reason no one heard much about it up until now was that the consortium of major vendors/developers had to make sure that their synchronized patches were released before tipping off the black hat community.

[Sparky]

Quote:

Originally Posted by ffreeloader

This is the only forum I've seen which does. I guess that's just the mindset MS engenders in it's techs for you.... If you can't point-and-click it, it's not worth knowing, and security is just an afterthought.

Eh?

Also I thought this was a forum about IT certification

[Fergal1982]

Quote:

Originally Posted by Sparky

Eh?

Also I thought this was a forum about IT certification

Its a fair point. First and foremost, this is a site for IT Certification. Whilst we have people here of varying technical levels. A lot of the members arent technical enough (yet) to even understand what the hell is going on. I certainly dont have much of an understanding about the issue.

Even if I did, from what I understand, theres nothing I can do about it. If I worried about everything in the world I had no control over, I would never leave the house. To my eyes, the only thing I can do, is just not use the internet. Since thats not an option, I'll let the vendors take care of things, and get on with my life. If and when it starts getting to a level where I can/must do something, then I'll worry about it.

[hbroomhall]

Ok - I'm old. I've seen so many *serious* scares that somehow didn't mean the end of the world as we know it that I'm somewhat inured to this. So allow me to be somewhat sceptical! It isn't that I've bought into the MS ****, it is just that I've got used to how things hit the fan.

While I am not an expert in DNS there are a number of things about this particular problem that aren't making me run in circles and scream.

Where is the major exploitation of this? I remember some serious stuff from bygone years that justified the panic/hype because people were exploiting it. But this problem has been there for years.

The statement that we won't be told about it for 30 days has both good and bad things about it. Good - fix it before people (in theory) abuse it. Bad - after 30 days people have forgotten it so when the details are released and they turn out to be poor nobody notices.

Can you tell that I am cynical yet? <grin>

The major reason I'm not overwhelmed by this is that the info so far released only indicates a patch to a broken system. Not an effort to replace it.

Harry.