DNS protocol vulnerability

Discussion in 'Computer Security' started by ffreeloader, Jul 10, 2008.

  1. ffreeloader

    ffreeloader Terabyte Poster

    I'm surprised that I see absolutely no chatter about this here. This is a huge vulnerability. It affects the entire internet as everyone is dependent on dns.

    Something that has probably been overlooked in this is how the patch fares when the dns traffic is run through NAT. In my case the NAT devices both at home and at work completely destroy the effectiveness of the fix by lowering the standard deviation of port variation to somewhere between 4 and 100, depending on the individual test. That's when the patched machines themselves have a standard deviation of source port variation of over 10,000, as tested using tcpdump to capture source ports from the machine itself.

    So, if you are behind a NAT device better check to see if the effectiveness of the patch is being destroyed by your NAT device. The people at oarc.net have been good enough to provide a way to test the effectiveness of the fixes in a real world situation.

    dig +short porttest.dns-oarc.net TXT

    or

    dig +short porttest.dns-oarc.net TXT @your.dns.server

    You should get back something like this:

    z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
    "xxx.xxx.xxx.xxx is FAIR: 26 queries in 0.1 seconds from 25 ports with std dev 3843.00"
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  2. onoski

    onoski Terabyte Poster



    Huh! Nerd or Geek:)



    Both, just kidding but am sure it wouldn't be all that bad after all.
     
    Certifications: MCSE: 2003, MCSA: 2003 Messaging, MCP, HNC BIT, ITIL Fdn V3, SDI Fdn, VCP 4 & VCP 5
    WIP: MCTS:70-236, PowerShell
  3. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    Presumably this is why Microsoft included a DNS patch a couple of days ago.

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  4. ffreeloader

    ffreeloader Terabyte Poster

    Huh? DNS is a single point of failure for the entire internet, and this vulnerability is in the DNS protocol itself. It affects every vendor, and every machine, that uses DNS. That's the entire internet. And, this allows an attacker to blackhole you, i.e. not let any of your dns requests go anywhere so that in effect you are DoS'ed. It also allows attackers to redirect traffic anywhere they wish as the attacker would control what IP address the dns points to.

    This is very big, and very serious.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  5. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    There seems to be an awful lot of shouting going on about this.

    It *seems* to me that 'only' BIND descended software has the flaw (I say only here as it is a pretty big percentage of the total) and the flaw has been known about for a *long* time.

    The only 'new' thing is that someone claims to have found a way of compromising DNS faster than before. However, he isn't revealing how for 30 days.

    There are also a lot of people wondering why the proposals for a more robust DNS haven't been pushed on faster.

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  6. ffreeloader

    ffreeloader Terabyte Poster

    81 vendors released patches yesterday, including MS. But, if you're behind a NAT device the efficacy of the patch needs to be checked as many NAT devices choose their own ports. If they get a source port request on the LAN side on 55000 they may choose to forward it on 25000, and the entropy, i.e. the standard deviation they use, is not nearly as good as what this patch provides for dns. The entire efficacy of the patch relies on source port variation so that an attacker can't guess which source port is going to be used next. So, you screw with the entropy of the source port variation and you screw with the effectiveness of the patch....
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
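    The measurement described in posts 1 and 6 (capture the source ports of outbound DNS queries with tcpdump, then compare the spread of ports the host picks with the spread a NAT device emits), as an added example that is not part of the thread. It parses constructed tcpdump-style lines, not real traffic, and the 10,000 std dev bar is taken from the figure quoted above as an assumed threshold.

```python
import re
import statistics

# Constructed tcpdump-style lines (not real traffic) for the same five DNS
# queries: first as captured on the patched resolver itself, then as they
# leave a NAT device that rewrites source ports from a small sequential pool.
HOST_CAPTURE = """\
12:00:01.000100 IP 192.168.1.10.61234 > 192.0.2.53.53: 1111+ A? a.example. (27)
12:00:01.000200 IP 192.168.1.10.3045 > 192.0.2.53.53: 2222+ A? b.example. (27)
12:00:01.000300 IP 192.168.1.10.40111 > 192.0.2.53.53: 3333+ A? c.example. (27)
12:00:01.000400 IP 192.168.1.10.17860 > 192.0.2.53.53: 4444+ A? d.example. (27)
12:00:01.000500 IP 192.168.1.10.52500 > 192.0.2.53.53: 5555+ A? e.example. (27)
"""
NAT_CAPTURE = """\
12:00:01.000150 IP 198.51.100.7.25000 > 192.0.2.53.53: 1111+ A? a.example. (27)
12:00:01.000250 IP 198.51.100.7.25001 > 192.0.2.53.53: 2222+ A? b.example. (27)
12:00:01.000350 IP 198.51.100.7.25002 > 192.0.2.53.53: 3333+ A? c.example. (27)
12:00:01.000450 IP 198.51.100.7.25003 > 192.0.2.53.53: 4444+ A? d.example. (27)
12:00:01.000550 IP 198.51.100.7.25004 > 192.0.2.53.53: 5555+ A? e.example. (27)
"""

# Matches "IP <src ip>.<src port> > <dst ip>.53:" on an outbound DNS query line.
QUERY_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > \d+\.\d+\.\d+\.\d+\.53: ")

def source_ports(capture_text):
    """Return the UDP source port of every outbound DNS query in the capture."""
    return [int(m.group(2)) for m in QUERY_RE.finditer(capture_text)]

def port_stats(ports):
    """Summarise source-port randomisation the way the OARC port test reports it:
    number of queries, number of distinct ports, population standard deviation."""
    return {
        "queries": len(ports),
        "distinct": len(set(ports)),
        "stddev": statistics.pstdev(ports) if len(ports) > 1 else 0.0,
    }

def nat_preserves_randomisation(host_ports, nat_ports, min_stddev=10000.0):
    """True only if the ports seen outside the NAT keep both the spread and the
    distinctness of the ports the host chose. The 10,000 threshold is the figure
    quoted in the thread for a patched resolver, assumed here as the bar to meet."""
    h, n = port_stats(host_ports), port_stats(nat_ports)
    return n["distinct"] == h["distinct"] and n["stddev"] >= min_stddev

if __name__ == "__main__":
    for label, cap in (("host", HOST_CAPTURE), ("nat", NAT_CAPTURE)):
        print(label, port_stats(source_ports(cap)))
    print("NAT keeps randomisation:", nat_preserves_randomisation(
        source_ports(HOST_CAPTURE), source_ports(NAT_CAPTURE)))
```

    Capture the host side with tcpdump on the resolver and the outside with a capture on the WAN interface of the NAT device (or the porttest result), and feed both through the same functions.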
  7. onoski

    onoski Terabyte Poster


    Freddy, I understand this is very serious but at the same time the article or companies that presumably figured this smoked DNS hole hasn't mentioned how it's used to infiltrate the internet.

    Obviously, yes it is a bit worrying but I still think there is some scaremongering going on too:)
     
    Certifications: MCSE: 2003, MCSA: 2003 Messaging, MCP, HNC BIT, ITIL Fdn V3, SDI Fdn, VCP 4 & VCP 5
    WIP: MCTS:70-236, PowerShell
  8. ffreeloader

    ffreeloader Terabyte Poster

    That's not my understanding. This is in the DNS protocol itself from my understanding. If it was Bind only, then why would MS be putting out a patch on this? Are you saying MS uses Bind?

    Just to make sure we're talking about the same thing....

    http://www.kb.cert.org/vuls/id/800113
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  9. ffreeloader

    ffreeloader Terabyte Poster

    Really....
    1. Kaminsky works with vendors for a full year in private on this.

    2. All vendors who released patches met in one place months ago to discuss how to implement this.

    3. 81 vendors released patches simultaneously for the same vulnerability.

    This is just scaremongering over a vulnerability that just isn't all that serious.... Hmmmm..... There sure are some vacuous vendors then aren't there? They just worry over nothing.

    Just ordinary everyday behavior from vendors isn't it.... :rolleyes:
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  10. ffreeloader

    ffreeloader Terabyte Poster

    It's interesting. I have gone to several forums, most of which have guys with the level of experience Harry has, only theirs is mostly in systems administration not programming, and none of these guys are downplaying the seriousness of this vulnerability.

    This is the only forum I've seen which does. I guess that's just the mindset MS engenders in its techs for you.... If you can't point-and-click it, it's not worth knowing, and security is just an afterthought.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  11. neutralhills

    neutralhills Kilobyte Poster

    I'm with Freddy on this one. This is damned serious. The reason no one heard much about it up until now was that the consortium of major vendors/developers had to make sure that their synchronized patches were released before tipping off the black hat community.
     
    Certifications: Lots.
    WIP: Upgrading MS certs
  12. Sparky

    Sparky Zettabyte Poster Moderator

    Eh? :blink

    Also I thought this was a forum about IT certification :tongue
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  13. Fergal1982

    Fergal1982 Petabyte Poster

    It's a fair point. First and foremost, this is a site for IT Certification. Whilst we have people here of varying technical levels, a lot of the members aren't technical enough (yet) to even understand what the hell is going on. I certainly don't have much of an understanding about the issue.

    Even if I did, from what I understand, there's nothing I can do about it. If I worried about everything in the world I had no control over, I would never leave the house. To my eyes, the only thing I can do is just not use the internet. Since that's not an option, I'll let the vendors take care of things, and get on with my life. If and when it starts getting to a level where I can/must do something, then I'll worry about it.
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  14. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    Ok - I'm old. I've seen so many *serious* scares that somehow didn't mean the end of the world as we know it that I'm somewhat inured to this. So allow me to be somewhat sceptical! It isn't that I've bought into the MS ****, it is just that I've got used to how things hit the fan.

    While I am not an expert in DNS there are a number of things about this particular problem that aren't making me run in circles and scream.

    Where is the major exploitation of this? I remember some serious stuff from bygone years that justified the panic/hype because people were exploiting it. But this problem has been there for years.

    The statement that we won't be told about it for 30 days has both good and bad things about it. Good - fix it before people (in theory) abuse it. Bad - after 30 days people have forgotten it so when the details are released and they turn out to be poor nobody notices.

    Can you tell that I am cynical yet? <grin>

    The major reason I'm not overwhelmed by this is that the info so far released only indicates a patch to a broken system. Not an effort to replace it.

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  15. fortch

    fortch Kilobyte Poster

    3 things I'm certain of:

    1. This, like other DNS cache poisoning exploits, is very serious, even if it is relegated to BIND.

    2. It is important to us, if only to do our job and patch our DNS servers, as well as get the word out (especially to those that handle your recursion).

    3. Insulting everyone on this forum is just plain wrong.
     
    Certifications: A+,Net+,Sec+,MCSA:Sec,MCSE:Sec,mASE
  16. zebulebu

    zebulebu Terabyte Poster

    Ok, a few things on this. Firstly, whilst I may not agree with the way Freddie has used the topic to bash 'Microsoft techs' again, he is dead right - this IS a serious flaw, and does affect all platforms, not just BIND or BIND related ones. It's an inherent flaw in the way DNS is written, not in the way a particular vendor implements it.

    That said, this vulnerability has been rumoured for some time, indeed there is some weight of evidence that suggests the exploit Kaminsky claims, or an exploit related to it, may be behind a number of recent high profile attacks.

    I think the hype in the media about 'the entire internet' being at risk is probably a bit extreme, but painful experience has told me in the past that at least a few ISPs will be hit by it when the exploit goes mainstream.

    Kudos to Kaminsky for not going the usual disclosure route - if something like this got into script kiddie hands it could be a real problem.

    Anyway, I'm off to check our raq4... I guess it's pretty old and probably vulnerable :(
     
    Certifications: A few
    WIP: None - f*** 'em
  17. Tinus1959

    Tinus1959 Gigabyte Poster

    In 1998 the world as we knew it would end due to the millennium problem. Many firms spent millions of dollars to create patches for that event. Some companies could not afford that much and virtually did nothing. Guess what happened the first of January 2000...
     
    Certifications: See my signature
    WIP: MCSD, MCAD, CCNA, CCNP
  18. JonGlory

    JonGlory Byte Poster

    Lol can always rely on you for a laugh :D, don't you ever get bored though?
     
    WIP: LIFE
  19. onoski

    onoski Terabyte Poster


    A bug popping out of everyone's computer when switched on first thing in the morning reading millennium bug:)
     
    Certifications: MCSE: 2003, MCSA: 2003 Messaging, MCP, HNC BIT, ITIL Fdn V3, SDI Fdn, VCP 4 & VCP 5
    WIP: MCTS:70-236, PowerShell
  20. Crito

    Crito Banned

    I just fixed a major problem nobody is having. Can't give you any details about it, but feel free to send me money as thanks. :p
     
    Certifications: A few
    WIP: none