  Cabal Premium join:2007-01-21 Boston, MA
Poor NAT design leaves some patched DNS servers vulnerable
Follow-up from Vixie to last week's DNS spoofing vulnerability. And the bad news, discussed briefly in ATU:
quote: Now for a news bulletin: Tom Cross of ISS-XForce correctly pointed out that if your recursive nameserver is behind most forms of NAT/PAT device, the patch won't do you any good since your port numbers will be rewritten on the way out, often using some pretty nonrandom looking substitute port numbers. Dan and I are working with CERT/CC on a derivative vulnerability announcement since it appears that most of the NAT/PAT industry does indeed have this problem. The obvious workaround is, move your recursive DNS to be outside your NAT/PAT perimeter, or enable your NAT/PAT device to be an ALG, or use TSIG-secured DNS forwarding when passing through your perimeter.
Stay tuned, I guess... -- Interested in open source engine management for your Subaru?
  33591094
join:2002-11-19 Canada
I'm trying to wrap my brain around the following....
quote: Please do the following. First, take the advisory seriously; we're not just a bunch of n00b alarmists, if we tell you your DNS house is on fire, and we hand you a fire hose, take it. Second, take Secure DNS seriously, even though there are intractable problems in its business and governance model; deploy it locally and push on your vendors for the tools and services you need. Third, stop complaining, we've all got a lot of work to do by August 7 and it's a little silly to spend any time arguing when we need to be patching.
I see a bunch of words, but no 'fire hose', as it were.... Perhaps they are noob alarmists after all? 'Do the following' is usually followed by constructive steps to work around a problem, and not the blurb I quoted above.
 qrkx Premium join:2003-04-26 Montreal, QC
1 edit | reply to Cabal Hmmm...
Why would any NAT designer bother to enforce source port translation unless explicitly configured by the operator?!
I know of reserved pools of source ports (e.g. 50k and up) used in NAT code, although I never understood why it was implemented in the first place. I understand not using 0-1024 but other than that?
So yes, they are right - if the NAT code limits the number of src ports then the whole randomization of roughly 64k ports becomes one of 5-10k.
rgds.
P.S.
I remember the issue leading to "reserved" srcport pools: the event where there is a conflict between a request originating from the NAT device itself and one that was translated.
 qrkx Premium join:2003-04-26 Montreal, QC
reply to Cabal With the risk of this being a monologue... I now remember the "fix" to the conflict issue.
The NAT device will have to add into its translation table the interface where the original UDP datagram initiated (if the entry was created by a UDP datagram on interface X, match the "response" accordingly - as in forward it according to NAT/PAT rules, or forward it up the stack, as in this is a response to a locally originated request).
In essence, the client side of the patch will be negated (to a certain degree) by those SOHO NAT boxes until they are "patched".
However - I do believe the DNS server side is much more serious.
rgds.
  swhx7 Premium join:2006-07-23 Elbonia
reply to Cabal Thanks qrkx and Cabal, and thanks to the writers in the thread following the linked page, which is very informative.
I'm still wondering about some things and would like to get more clarification for myself and others. Consider the range of typical SOHO routers (say, under-$100 type of models).
1. The router takes the DNS request from the PC, notates which PC to give the reply to, and sends the request on to the server - and the source port for the request from the router to the DNS server will be chosen according to the router's software, replacing the source port number that was in the original request from the PC (unless it rarely happens to coincide), correct?
If so, then the LAN is subject to spoofing if the router doesn't have the needed port range and randomness, unless it's firmware-upgraded.
2. I don't see that it matters (not that anyone said it did) whether the user has specified DNS server addresses in the router configuration and/or in the PC's networking configuration, or whether he has instead set the router to "get DNS server address automatically" from the ISP - in which case (if I understand correctly) the PC treats the router as a DNS server. Either way, the effect of the patch on the PC is negated by the rewriting at the router - right?
3. I don't think it's necessarily less serious for clients than for DNS servers. Once the bad guys figure out whatever Kaminsky found, they'll have it automatically trying to poison cache for random PCs, and users careful enough to use a router and patch the PC may feel safe, but may be actually more vulnerable than those who have the PC wired to the modem and installed the patch on the PC OS.
4. If you have a WRT54G v.1-4 or L, or certain other models, you can swap in good OSS firmware; and if you have a recent enough model of any router you may be able to get patched firmware from the vendor. Older models that can't use the OSS firmware (like my super-reliable Netgear) are out of luck, apparently. Not to mention that a large proportion of broadband users have no idea of the problem or how to load firmware, etc.
 qrkx Premium join:2003-04-26 Montreal, QC
#1 Correct.
#2
In this particular case the "router" plays the role of a DNS proxy. Translation doesn't take place and the onus is placed on the router's own randomization of srcports & TIDs (and not on the translation table limits). Correct.
#3
I think Dan's finding will demonstrate the server side is more serious from a practical perspective. Let us revisit this issue after BH.
#4
Correct.
rgds.
  jbob Reach Out and Touch Someone Premium join:2004-04-26 Little Rock, AR
1 edit | reply to Cabal Looks like the Kaminsky guy is acknowledging the NAT problem now. On the Doxpara Research site where you can check your DNS for any problem it has now changed to reflect this fact if behind a NAT router. This is what I see now:
quote: Your name server, at 68.87.xxx.xxx, may be safe, but the NAT/Firewall in front of it appears to be interfering with its port selection policy. The difference between largest port and smallest port was only 495.
Please talk to your firewall or gateway vendor -- all are working on patches, mitigations, and workarounds.
MS patch has been applied to this system. This report was not there when this initially broke.
Also I'm reading where the flaw was mistakenly posted today. Google cached it before it was brought down. So the warning is out there to be sure and patch now. Looks like the bad guys may have the flaw.
Edit... Added: Read details here: »www.doxpara.com/?p=1176
  NetFixer Freedom is NOT Free Premium join:2004-06-24 Murfreesboro, TN
1 edit | Maybe you need to upgrade your RV082's firmware, or use a different DNS server? Here are my results (without the NAT/Firewall warning):
DNS using local W2k server, but still using Linksys RV082 NAT router with latest f/w 1.3.98-tm
Your name server, at 66.134.0.234, appears to be safe, but make sure the ports listed below aren't following an obvious pattern.
------------------------------------------
Requests seen for e18546ae22e0.toorrr.com:
66.134.0.234:54509 TXID=8231
66.134.0.234:50714 TXID=64325
74.245.184.227:62442 TXID=45509
66.134.0.234:50323 TXID=10205
74.245.184.227:52425 TXID=64504
Your name server, at 74.245.184.227, appears to be safe, but make sure the ports listed below aren't following an obvious pattern.
------------------------------------------
74.245.184.227:56954 TXID=62490
66.134.0.234:51570 TXID=33051
74.245.184.227:64941 TXID=29991
66.134.0.234:65015 TXID=33460
74.245.184.227:60806 TXID=52486
DNS forwarding to OpenDNS, but still using Linksys RV082 NAT router with latest f/w 1.3.98-tm
Your name server, at 208.69.32.13, appears to be safe, but make sure the ports listed below aren't following an obvious pattern.
------------------------------------------
Requests seen for b74008fa640a.toorrr.com:
208.69.32.13:31506 TXID=29292
208.69.32.13:10035 TXID=41242
208.69.32.13:23535 TXID=46244
208.69.32.13:40148 TXID=29386
208.69.32.13:39546 TXID=26965
I have not looked at the latest RV082 source code, so I don't know what UDP port limitations are currently being used by its NAT firewall, but apparently it is not small enough a pool to trigger the doxpara.com NAT warning message. -- We can never have enough of nature. We need to witness our own limits transgressed, and some life pasturing freely where we never wander. Test your firewall.
  FiOS Dan Premium join:2001-07-06 Redondo Beach, CA
reply to Cabal Screenshot shows results for an XP SP2 system without the latest patch installed, behind a D-Link 624 router, with OpenDNS hardwired into the router settings. How does that port randomization look, my fellow BBR gurus? I am not being a wiseguy here because I cannot tell just by looking at it. -- Courage is being scared to death but saddling up anyway.
  NetFixer Freedom is NOT Free Premium join:2004-06-24 Murfreesboro, TN
said by FiOS Dan: Screenshot shows results for an XP SP2 system without the latest patch installed, behind a D-Link 624 router, with OpenDNS hardwired into the router settings. How does that port randomization look, my fellow BBR gurus? I am not being a wiseguy here because I cannot tell just by looking at it.
Looks reasonable to me, and apparently Mr. Kaminsky is also satisfied. To truly test the range and randomness, you would need to keep records of doing this or similar tests over a long period since five samples are hardly a good base from which to draw accurate statistics. -- We can never have enough of nature. We need to witness our own limits transgressed, and some life pasturing freely where we never wander. Test your firewall.
  Its a Secret Whatever Premium join:2008-02-23 U B Funny
reply to FiOS Dan I agree with NF, it looks good so far but 5 isn't a good cross section of results.
Mine as follows:
Your name server, at 64.59.135.143, appears to be safe, but make sure the ports listed below aren't following an obvious pattern.
--------------------------------------------------------------------------------
Requests seen for 1f5b4f62d4fd.toorrr.com:
64.59.135.143:5140 TXID=6382
64.59.135.143:35105 TXID=39332
64.59.135.143:63156 TXID=18296
64.59.135.143:41930 TXID=59828
64.59.135.143:56441 TXID=9102
-- "In the future, that which is not mandatory will be illegal"
  NetFixer Freedom is NOT Free Premium join:2004-06-24 Murfreesboro, TN
3 edits | It would seem that Shawcable has stepped up to the plate. I can think of a few other ISPs who would do well to follow that example. Kudos to the canucks.
I can't help but muse that perhaps the leak of Kaminsky's attack vector might have been as much an inducement to recalcitrant ISPs as it was a leak. -- We can never have enough of nature. We need to witness our own limits transgressed, and some life pasturing freely where we never wander. Test your firewall. |
  jbob Reach Out and Touch Someone Premium join:2004-04-26 Little Rock, AR
reply to NetFixer
said by NetFixer: Maybe you need to upgrade your RV082's firmware, or use a different DNS server?
Well I'm shocked. I flashed to the latest RV082 firmware thinking that would fix my report but got the same message. So I changed my DNS to OpenDNS and now the warning message is gone. When I first tested using Comcast servers the warning about NAT was not there so I assumed it must have been talking about my router, but looks like I was mistaken. So something has changed either with the test performed or Comcast changed something to warrant the NAT warning.
 TheWiseGuy Dog And Butterfly Premium,MVM join:2002-07-04 Yonkers, NY
If the server is supposed to pick a source port randomly, the source port of your query to the server should not have an effect, i.e. changing your router's firmware will not make a difference.
My guess is the NAT warning is about whether the range of source ports from the server does not seem random over the whole expected space but seems to be a reduced range, as if the server were behind NAT. -- Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.
  jbob Reach Out and Touch Someone Premium join:2004-04-26 Little Rock, AR
said by TheWiseGuy: If the server is supposed to pick a source port randomly, the source port of your query to the server should not have an effect, i.e. changing your router's firmware will not make a difference. My guess is the NAT warning is about whether the range of source ports from the server does not seem random over the whole expected space but seems to be a reduced range, as if the server were behind NAT.
You may be right but some of this stuff is above me. The point of this thread was a possible issue with NAT routers also being an issue even if the DNS servers are patched. So what we're seeing is all the home/small business users behind SOHO NAT router devices may still have issues with this DNS flaw. When I initially tested using Comcast DNS servers I passed. When I tested again I see the NAT warning, which to me meant something has changed. My assumption was, well, if it passed the first time why would Comcast do something to cause it to fail? Remove patches? lol So I immediately came to the conclusion the test must be looking at more now, like home NAT devices. Netfixer passed the test using the latest firmware so again my assumption was perhaps Linksys must have fixed the issue with the latest firmware for the RV082.
Obviously based on my post that was not the issue. So that still begs the question: what has changed since the test was first released to cause it to fail now when it passed before? Changing from Comcast DNS to OpenDNS I get a pass now. Curious as to what other Comcast users are seeing.
 TheWiseGuy Dog And Butterfly Premium,MVM join:2002-07-04 Yonkers, NY
said by jbob: When I initially tested using Comcast DNS servers I passed. When I tested again I see the NAT warning, which to me meant something has changed. My assumption was, well, if it passed the first time why would Comcast do something to cause it to fail? Remove patches?
More likely the test was changed to look not just at whether the port changed but whether the range for the source port was narrow. It is also possible with that small of a sample to get different readings when nothing has changed. To get a better idea you could run it several times, check the source ports, and see whether they seem to be from a narrow range or a wide range. -- Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.
 TheWiseGuy Dog And Butterfly Premium,MVM join:2002-07-04 Yonkers, NY
1 edit | reply to jbob By the way for the SOHO user I am not sure the NAT situation is significant. It would depend on the range of ports that NAT utilizes as the source port. If qrkx is correct that it uses 5-10k ports, this is not a significant reduction from what seems to be a range of 15k ports used with the patch.
EDIT Though a concern would be that even though the range is not that much smaller, that the ports are not chosen randomly but sequentially!
-- Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.
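A small checker in the spirit of what NetFixer's pasted output and TheWiseGuy's advice call for, added here as an example (not code from the thread or from doxpara): it parses the "ip:port TXID=n" lines the test prints, groups them per resolver address, and flags a narrow port spread (the "largest port minus smallest port" figure in the NAT warning) or ports that step sequentially instead of jumping randomly. The thresholds, addresses and sample values are constructed for the example.

```python
import re
from collections import defaultdict

# Parse the "ip:port TXID=n" sample lines the doxpara checker prints, group
# them by resolver address, and flag a narrow source-port spread or ports
# that are handed out sequentially rather than randomly.
SAMPLE_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+TXID=(\d+)")

# Thresholds are assumptions for this example, not doxpara's real cut-offs.
MIN_PORT_SPREAD = 10000  # flag if max(port) - min(port) is below this
SEQ_STEP = 16            # consecutive ports this close count as "sequential"

def parse_samples(text):
    """Return {resolver_ip: [(port, txid), ...]} in the order the checker saw them."""
    by_ip = defaultdict(list)
    for ip, port, txid in SAMPLE_RE.findall(text):
        by_ip[ip].append((int(port), int(txid)))
    return dict(by_ip)

def spread(values):
    return max(values) - min(values)

def sequential_fraction(ports):
    """Share of consecutive queries whose port moved by at most SEQ_STEP."""
    if len(ports) < 2:
        return 0.0
    close = sum(1 for a, b in zip(ports, ports[1:]) if abs(b - a) <= SEQ_STEP)
    return close / (len(ports) - 1)

def assess(text):
    """Per-resolver verdict: port/TXID spread, sequential score and findings."""
    report = {}
    for ip, samples in parse_samples(text).items():
        ports = [p for p, _ in samples]
        findings = []
        if spread(ports) < MIN_PORT_SPREAD:
            findings.append("narrow port range")
        if sequential_fraction(ports) >= 0.5:
            findings.append("sequential ports")
        report[ip] = {"port_spread": spread(ports), "sequential": sequential_fraction(ports),
                      "txid_spread": spread([t for _, t in samples]), "findings": findings}
    return report

# Constructed sample in the checker's output format (addresses and values made up):
# one resolver with a wide spread, one NATted resolver squeezed into 495 ports.
SAMPLE = """Requests seen for 0123456789ab.toorrr.com:
198.51.100.7:54509 TXID=8231
198.51.100.8:60010 TXID=3201
198.51.100.7:50714 TXID=64325
198.51.100.8:60043 TXID=51877
198.51.100.7:62442 TXID=45509
198.51.100.8:60300 TXID=41960
198.51.100.7:50323 TXID=10205
198.51.100.8:60505 TXID=27733"""
```

As NetFixer notes, five samples prove little; feeding the output of several runs into assess() at once gives the sequential check something to work with.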
  BeesTea Network Janitor Premium,VIP join:2003-03-08 00000
said by TheWiseGuy: If qrkx is correct
In my experience, he usually is =) -- Overpower, overcome.
  ravencajun Premium join:2004-08-12 Houston, TX
reply to Cabal The doxpara test has changed, or at least the results for me have changed. I originally was getting a result much like the one FiOS Dan posted, stating my name server appears to be safe but make sure the ports listed below aren't following an obvious pattern. Now as I test today it gave the result about the NAT/Firewall interfering with its port selection policy etc. I have not changed anything here. However the dnsstuff test is still giving me the response that I am not vulnerable. »www.dnsstuff.com/
 qrkx Premium join:2003-04-26 Montreal, QC
reply to TheWiseGuy
said by TheWiseGuy: By the way for the SOHO user I am not sure the NAT situation is significant. It would depend on the range of ports that NAT utilizes as the source port. If qrkx is correct that it uses 5-10k ports, this is not a significant reduction from what seems to be a range of 15k ports used with the patch.
As a matter of fact - I do not think the client side poses a "big" problem (NAT or no NAT). As I have stated before - this is a serious issue on the server side. Practically, tactically and metaphorically. I also wonder how long it will take for moaning to begin over the pseudo-random algs used for srcPort/TIDs...
rgds.
P.S.
Isn't there a warning not to start sentences with "as"?! I shall have to revise my typo-etiquette in zee near future...