1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

DNS protocol vulnerability

Discussion in 'Computer Security' started by ffreeloader, Jul 10, 2008.

  1. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    I'm surprised that I see absolutely no chatter about this here. This is a huge vulnerability. It affects the entire internet as everyone is dependent on dns.

    Something that has probably been overlooked in this is how the patch fares when the dns traffic is run through NAT. In my case the NAT devices both at home and at work completely destroy the effectiveness of the fix by lowering the standard deviation of port variation to somewhere between 4 and 100, depending on the individual test. That's when the patched machines themselves have a standard deviation of source port variation of over 10,000 as tested using tcpdump to capture source ports from the machine itself

    So, if you are behind a NAT device better check to see if the effectiveness of the patch is being destroyed by your NAT device. The people at oarc.net have been good enough to provide a way to test the effectiveness of the fixes in a real world situation.

    dig +short porttest.dns-oarc.net TXT

    or

    dig +short porttest.dns-oarc.net TXT @your.dns.server

    You should get back something like this:

    z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
    "xxx.xxx.xxx.xxx is FAIR: 26 queries in 0.1 seconds from 25 ports with std dev 3843.00"
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  2. onoski

    onoski Terabyte Poster

    3,120
    51
    154


    Huh! Nerd or Geek:)



    Both, just kidding but am sure it wouldn't be all that bad after all.
     
    Certifications: MCSE: 2003, MCSA: 2003 Messaging, MCP, HNC BIT, ITIL Fdn V3, SDI Fdn, VCP 4 & VCP 5
    WIP: MCTS:70-236, PowerShell
  3. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    6,623
    115
    224
    Presumably this is why Microsoft included a DNS patch a couple of days ago.

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  4. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    Huh? DNS is a single point of failure for the entire internet, and this vulnerability is in the DNS protocol itself. It affects every vendor, and every machine, that uses DNS. That's the entire internet. And, this allows an attacker to blackhole you, i.e. not let any of your dns requests go anywhere so that in effect you are DoS'ed. It also allows attackers to redirect traffic anywhere they wish as the attacker would control what IP address the dns points to.

    This is very big, and very serious.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  5. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    6,623
    115
    224
    There seems to an awful lot of shouting going on about this.

    It *seems* to me that 'only' BIND descended software has the flaw (I say only here as it is a pretty big percentage of the total) and the flaw has been known about for a *long* time.

    The only 'new' thing is that someone claims to have found a way of compromising DNS faster than before. However, he isn't revealing how for 30 days.

    There are also a lot of people wondering why the proposals for a more robust DNS haven't been pushed on faster.

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  6. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    81 vendors released patches yesterday, including MS. But, if you're behind a NAT device the efficacy of the patch needs to be checked as many NAT devices choose their own ports. If they get a source port request on the LAN side on 55000 they may choose to forward it on 25000, and the entropy, i.e. the standard deviation they use, is not nearly as good as what this patch provides for dns. The entire efficacy of the patch relies on source port variation so that an attacker can't guess which source port is going to be used next. So, you screw with the entropy of the source port variation and you screw with the effectiveness of the patch....
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  7. onoski

    onoski Terabyte Poster

    3,120
    51
    154

    Freddy, I understand this is very serious but at the same time the article or companies that presumably figured this smoked DNS hole hasn't mentioned how its used to infiltrate the internet.

    Obviously, yes it is a bit worrying but I still think there is some scaremongering going on too:)
     
    Certifications: MCSE: 2003, MCSA: 2003 Messaging, MCP, HNC BIT, ITIL Fdn V3, SDI Fdn, VCP 4 & VCP 5
    WIP: MCTS:70-236, PowerShell
  8. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    That's not my understanding. This is in the DNS protocol itself from my understanding. If it was Bind only, then why would MS be putting out a patch on this? Are you saying MS uses Bind?

    Just to make sure we're talking about the same thing....

    http://www.kb.cert.org/vuls/id/800113
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  9. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    Really....
    1. Kaminsky works with vendors for a full year in private on this.

    2. All vendors who released patches met in one place months ago to discuss how to implement this.

    3. 81 vendors released patches simultaneously for the same vulnerability.

    This is just scaremongering over a vulnerability that just isn't all that serious.... Hmmmm..... There sure are some vacuous vendors then aren't there? They just worry over nothing.

    Just ordinary everyday behavior from vendors isn't it.... :rolleyes:
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  10. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    It's interesting. I have gone to several forums, most of which have guys with the level of experience Harry has, only theirs is mostly in systems administration not programming, and none of these guys are downplaying the seriousness of this vulnerability.

    This is the only forum I've seen which does. I guess that's just the mindset MS engenders in it's techs for you.... If you can't point-and-click it, it's not worth knowing, and security is just an afterthought.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  11. neutralhills

    neutralhills Kilobyte Poster

    366
    28
    64
    I'm with Freddy on this one. This is damned serious. The reason no one heard much about it up until now was that the consortium of major vendors/developers had to make sure that their synchronized patches were released before tipping off the black hat community.
     
    Certifications: Lots.
    WIP: Upgrading MS certs
  12. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,190
    296
    319
    Eh? :blink

    Also I thought this was a forum about IT certification :tongue
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  13. Fergal1982

    Fergal1982 Petabyte Poster

    4,196
    171
    211
    Its a fair point. First and foremost, this is a site for IT Certification. Whilst we have people here of varying technical levels. A lot of the members arent technical enough (yet) to even understand what the hell is going on. I certainly dont have much of an understanding about the issue.

    Even if I did, from what I understand, theres nothing I can do about it. If I worried about everything in the world I had no control over, I would never leave the house. To my eyes, the only thing I can do, is just not use the internet. Since thats not an option, I'll let the vendors take care of things, and get on with my life. If and when it starts getting to a level where I can/must do something, then I'll worry about it.
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  14. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    6,623
    115
    224
    Ok - I'm old. I've seen so many *serious* scares that somehow didn't mean the end of the world as we know it that I'm somewhat inured to this. So allow me to be somewhat sceptical! It isn't that I've bought into the MS ****, it is just that I've got used to how things hit the fan.

    While I am not an expert in DNS there are a number of things about this particular problem that aren't making me run in circles and scream.

    Where is the major exploitation of this? I remember some serious stuff from bygone years that justified the panic/hype because people were exploiting it. But this problem has been there for years.

    The statement that we won't be told about it for 30 days has both good and bad things about it. Good - fix it before people (in theory) abuse it. Bad - after 30 days people have forgotten it so when the details are released and they turn out to be poor nobody notices.

    Can you tell that I am cynical yet? <grin>

    The major reason I'm not overwhelmed by this is that the info so far released only indicates a patch to a broken system. Not an effort to replace it.

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  15. fortch

    fortch Kilobyte Poster

    408
    21
    35
    3 things I'm certain of:

    1. This, like other DNS cache poisoning exploits, are very serious, even if they are relegated to BIND.

    2. It is important to us, if only to do our job and patch our DNS servers, as well as get the word out (especially to those that handle your recursion).

    3. Insulting everyone on this forum is just plain wrong
     
    Certifications: A+,Net+,Sec+,MCSA:Sec,MCSE:Sec,mASE
  16. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    Ok, a few things on this. Firstly, whilst I may not agree with the way Freddie has used the topic to bash 'Microsoft techs' again, he is dead right - this IS a serious flaw, and does affect all platforms, not just BIND or BIND related ones. Its an inherent flaw in the way DNS is written, not in the way a particular vendor implements it.

    That said, this vulnerability has been rumoured for some time, indeed there is some weight of evidence that suggests the exploit Kaminsky claims, or an exploit related to it, may be behind a number of recent high profile attacks.

    I think the hype in the media about 'the entire internet' being at risk is probably a bit extreme, but painful experience has told me in the past that at least a few ISPs will be hit by it when the exploit goes mainstream.

    Kudos to Kaminsky for not going the usual disclosure route - if something like this got into script kiddie hands it could be a real problem.

    Anyway, I'm off to check our raq4... I guess its pretty old and probably vulnerable :(
     
    Certifications: A few
    WIP: None - f*** 'em
  17. Tinus1959

    Tinus1959 Gigabyte Poster

    1,539
    42
    106
    In 1998 the world as we knew it would end due to the millenium problem. Many firm spend millions of dollars to create patches for that event. Some companies could not afford that much and virtually did nothing. Guess what happened the first of januari 2000...
     
    Certifications: See my signature
    WIP: MCSD, MCAD, CCNA, CCNP
  18. JonGlory

    JonGlory Byte Poster

    212
    6
    22
    Lol can always rely on you for a laugh :D, dont you ever get bored though?
     
    WIP: LIFE
  19. onoski

    onoski Terabyte Poster

    3,120
    51
    154

    A bug popping out of everyone's computer when switched on first thing in the morning reading millennium bug:)
     
    Certifications: MCSE: 2003, MCSA: 2003 Messaging, MCP, HNC BIT, ITIL Fdn V3, SDI Fdn, VCP 4 & VCP 5
    WIP: MCTS:70-236, PowerShell
  20. Crito

    Crito Banned

    505
    14
    0
    I just fixed a major problem nobody is having. Can't give you any details about it, but feel free to send me money as thanks. :p
     
    Certifications: A few
    WIP: none

Share This Page

Loading...