jbob
Reach Out and Touch Someone
Premium Member
join:2004-04-26
Little Rock, AR
·Comcast XFINITY
Asus GT-AX6000
Asus RT-AC66U B1

[DNS] Comcast and the DNS Server flaw issue

Just to let others know: it might pay for those still using the Comcast DNS servers to run the updated DoxPara DNS test here:
»www.doxpara.com/?p=1176 It now shows a possible issue with the Comcast DNS servers and some kind of NAT issue. Or at least it did yesterday.

I have been using the Comcast DNS servers for a long time now and have not had any issues. However, after something was changed, either on the test or by Comcast, if you run the test now you get a warning of a possible issue. I changed to OpenDNS and now the warning is gone. So for the time being I am choosing to move away from the Comcast DNS servers until a later date. This may or may not be an issue, but just to be safe I'd recommend considering changing as well.

Maybe soon Comcast will make some changes and allow the DoxPara test to pass without any warnings.

I advise others to use the test to help determine if and when things are fixed, if needed.

jlivingood
Premium Member
join:2007-10-28
Philadelphia, PA

The Comcast DNS servers were patched in advance of the CERT advisory. Some of the test tools may have limitations that do not show all of the possible protections. The NAT issue you see may be because you are behind a NAT box.

Feel free to visit »forums.comcast.net/comca ··· d.id=322 as well.

JL

Comcast_DNS
@aol.com


said by jlivingood:

The Comcast DNS servers were patched in advance of the CERT advisory. Some of the test tools may have limitations that do not show all of the possible protections. The NAT issue you see may be because you are behind a NAT box.
Certainly the Comcast DNS servers have been patched (and kudos to them for doing so), but perhaps the infrastructure they are behind is limiting the effectiveness.

I just hijacked borrowed a neighbor's WRT54G/Comcast connection, and I got these results:
Your name server, at 68.87.68.165, may be safe, but the NAT/Firewall in front of it appears to be interfering with its port selection policy. The difference between largest port and smallest port was only 297.
Please talk to your firewall or gateway vendor -- all are working on patches, mitigations, and workarounds.

------------------------------------------
Requests seen for 3fb39d027c49.toorrr.com:
68.87.68.165:16992 TXID=62773
68.87.68.165:16929 TXID=3653
68.87.68.165:17226 TXID=4680
68.87.68.165:16972 TXID=28772
68.87.68.165:17178 TXID=669
After temporarily changing the DNS to point to Level3's AnyCast servers, I got these results (nice to see that Level3 has updated):
Your name server, at 209.244.5.159, appears to be safe, but make sure the ports listed below aren't following an obvious pattern.
------------------------------------------
Requests seen for c1a7d2cdc9d8.toorrr.com:
209.244.5.159:50422 TXID=20587
209.244.5.159:43684 TXID=36013
209.244.5.159:44105 TXID=38976
209.244.5.159:42347 TXID=31019
209.244.5.159:41916 TXID=1615
Here is an example with OpenDNS, but still using the Linksys NAT router.
Your name server, at 208.69.32.13, appears to be safe, but make sure the ports listed below aren't following an obvious pattern.
------------------------------------------
Requests seen for b74008fa640a.toorrr.com:
208.69.32.13:31506 TXID=29292
208.69.32.13:10035 TXID=41242
208.69.32.13:23535 TXID=46244
208.69.32.13:40148 TXID=29386
208.69.32.13:39546 TXID=26965
One of these things is not like the other, can you tell which one?
Comcast_DNS to jlivingood
Anon

said by jlivingood:

Feel free to visit »forums.comcast.net/comca ··· d.id=322 as well.
Feel free to visit »www.doxpara.com/ for more information on the NAT problem straight from the horse's mouth.

Sandy Wilbourn
@comcast.net


It's been a great service to see these various testers on the Internet. However, different folks have used different implementations at different times and have gotten inconsistent results.

Dan's test is the best one out there, but even Dan has gone through a couple of iterations as we all try to warn people about this DNS vuln.

1. On July 8th, it reported that Comcast servers were protected.
2. A few days later, Dan became concerned with some issues having to do with firewalls and NATs. He changed the test so that Comcast servers received the results from the first message above.
3. Tuesday, he changed his test again to account for the capabilities in the Comcast servers.

I tried the tool tonight on my home Comcast connection, and it showed Comcast's servers as being protected!

Sandy Wilbourn
VP Engineering, Nominum

Comcast_DNS
@aol.com


OK, my previous test display was 24 hours old, so I just repeated it, and the DNS warning is no longer there. However, the port range also seems to have been increased, which indicates to me that perhaps there were changes in the Comcast DNS infrastructure as well as possible changes in Dan Kaminsky's test. If so, then Comcast deserves praise for being so responsive, but instead we get typical Comcast denials; I guess some parts of the Comcast corporate culture are hard to shed.
Your name server, at 68.87.68.164, appears to be safe, but make sure the ports listed below aren't following an obvious pattern.
------------------------------------------
Requests seen for d1df9c73c1f1.toorrr.com:
68.87.68.164:17824 TXID=2180
68.87.68.164:16908 TXID=31062
68.87.68.164:17486 TXID=58678
68.87.68.164:17804 TXID=43870
68.87.68.164:17734 TXID=59408

jlivingood
Premium Member
join:2007-10-28
Philadelphia, PA


said by Comcast_DNS :

OK, my previous test display was 24 hours old, so I just repeated it, and the DNS warning is no longer there. However, the port range also seems to have been increased, which indicates to me that perhaps there were changes in the Comcast DNS infrastructure as well as possible changes in Dan Kaminsky's test. If so, then Comcast deserves praise for being so responsive, but instead we get typical Comcast denials; I guess some parts of the Comcast corporate culture are hard to shed.
Your name server, at 68.87.68.164, appears to be safe, but make sure the ports listed below aren't following an obvious pattern.
------------------------------------------
Requests seen for d1df9c73c1f1.toorrr.com:
68.87.68.164:17824 TXID=2180
68.87.68.164:16908 TXID=31062
68.87.68.164:17486 TXID=58678
68.87.68.164:17804 TXID=43870
68.87.68.164:17734 TXID=59408
That may also reflect an evolution of the tests themselves.

JL

Comcast_DNS
@aol.com

-1 recommendation


said by jlivingood:

That may also reflect an evolution of the tests themselves.
Wow, the Comcast culture is simply amazing.

First Dan Kaminsky faked the port range used by the Comcast DNS (and only the Comcast DNS), but after pressure from Comcast, he stopped doing it. Of course this is what happened, how could anyone think otherwise.

jbob
Reach Out and Touch Someone
Premium Member
join:2004-04-26
Little Rock, AR
·Comcast XFINITY
Asus GT-AX6000
Asus RT-AC66U B1

jbob to Sandy Wilbourn

said by Sandy Wilbourn :

It's been a great service to see these various testers on the Internet. However, different folks have used different implementations at different times and have gotten inconsistent results.

Dan's test is the best one out there, but even Dan has gone through a couple of iterations as we all try to warn people about this DNS vuln.

1. On July 8th, it reported that Comcast servers were protected.
2. A few days later, Dan became concerned with some issues having to do with firewalls and NATs. He changed the test so that Comcast servers received the results from the first message above.
3. Tuesday, he changed his test again to account for the capabilities in the Comcast servers.

I tried the tool tonight on my home Comcast connection, and it showed Comcast's servers as being protected!

Sandy Wilbourn
VP Engineering, Nominum
Good info Sandy

Hopefully I made it clear in my topic post that it may or may not be an issue, as things seem to be changing, which is exactly what we have seen. I wonder, however, if Dan will change his test again? lol
Looks like it might be ok to go back to Comcast DNS servers. I just wanted Comcast users to be informed of any possible issues.

Sandy Wilbourn
@nominum.com

Sandy Wilbourn to Comcast_DNS

I'm not sure that I understand this post.

I have worked closely with Comcast on this whole thing since May (I am not a Comcast employee). They have been one of the most concerned ISPs since that time. Comcast was very proactive and patched their DNS servers before the CERT advisory. That's a hugely positive thing and took moving a lot of parts around to get it done.

Then web-based tests to approximate the exploit were developed and released by multiple security analysts. BUT, if web-based tests do not accurately reflect a vulnerability that they expressly test for, do you not think they should be updated for accuracy? What you see is not those analysts being pressured by anyone. If you doubt that, you should contact Dan and others and ask them. Our interest should be in people having tests that accurately reflect whether or not a DNS is patched.

Sandy

rolfp5
join:2001-09-12
Oakland, CA


just copy/pastin' my way through life

afaict, this issue is being discussed, also, at ATU, with another diagnostic test for the vulnerability:
»CERT VU#800113 DNS Cache Poisoning Issue

This is not my bailiwick but that test seems not to give positive results for me.

$ dig +short porttest.dns-oarc.net TXT
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"68.87.76.179 is POOR: 26 queries in 0.2 seconds from 26 ports with std dev 316.71"
 

dns-oarc has a web-test, also: »www.dns-oarc.net/



[..]

jbob
Reach Out and Touch Someone
Premium Member
join:2004-04-26
Little Rock, AR
·Comcast XFINITY
Asus GT-AX6000
Asus RT-AC66U B1

2 edits


Here's the results of the same test. Dang results all over the place:

»550534c6b13985d060430715 ··· arc.net/

Oh, and this is with Comcast's DNS nameservers.

Same test using OpenDNS nameservers.

»9656593288a74b47aa1c9010 ··· arc.net/

Much better

So what are we lowly non-network-engineer types supposed to make of this? Is this a flawed test of Comcast, or is the DoxPara test more accurate?

SpaethCo
Digital Plumber
MVM
join:2001-04-21
Minneapolis, MN

SpaethCo to rolfp5

If you have sufficient transaction ID randomness, then to a certain degree the source port randomness is just an academic bonus.

The issue with Bind was that both the source port and the transaction ID for the requests were predictable, which made the poisoning not just possible, but actually quite likely if you scripted things correctly.

rolfp5
join:2001-09-12
Oakland, CA


OK, however, the folks at the thread in ATU I link are reporting 'GOOD' results when they apply the patch or update their dns server software. Wouldn't such a 'GOOD' result be expected from a patched Comcast server?

pflog
Bueller? Bueller?
MVM
join:2001-09-01
El Dorado Hills, CA

pflog to rolfp5

Verizon still has not addressed the issue for the source port randomness on their DNS servers either:

»7079aa1c5d30a1b7ccc245e6 ··· arc.net/

I'm considering removing the forwarders I use for my caching nameserver, until Verizon gets their act together.

Dan Kaminsky
@speakeasy.net

Dan Kaminsky to jbob

Re: [DNS] Comcast and the DNS Server flaw issue

This is Dan Kaminsky, the original finder of the bug.

Comcast is using Nominum, the company that employs the inventor of DNS. Nominum has some extra protections that slow my attack down by a couple hundred times. (I called BS on Nominum and they were only too happy to give me a server to try to break. I eventually did, but not in 10 seconds like everyone else but DJB/power.)

A couple hundred times harder to attack corresponds to ~8 bits of entropy, which is how short they are right now. They're investigating now if they can get a couple of bits more in, just for added security. But I do think Nominum, and Comcast by extension, need some credit for working to develop more intensive protections against this attack -- even if it's much less convenient for those of us building test tools.

I am a little amused at the comments re: strong-arming. It's not every day that Comcast and I are on the same side of the fence (ahem, net neutrality). This is however a much graver threat, and frankly more ISPs need to follow Comcast's lead here (now there are words I never thought I'd write!).

Dan Kaminsky to jbob

This being said, whatever ports you see are the ports I'm seeing. I don't have time to fake records.

SpaethCo
Digital Plumber
MVM
join:2001-04-21
Minneapolis, MN

SpaethCo to rolfp5

Re: just copy/pastin' my way through life

said by rolfp5:

OK, however, the folks at the thread in ATU I link are reporting 'GOOD' results when they apply the patch or update their dns server software. Wouldn't such a 'GOOD' result be expected from a patched Comcast server
It would depend on what DNS server it is. These tools are for testing Bind, so they are assuming Bind post-patch behavior. The 3 key problems with Bind specifically are:

1) Transaction IDs were predictable
2) Source ports were predictable
3) There was no limit to the number of response "attempts" that would be processed for a query before a valid response is received.

For this exploit to work, you need to get a spoofed response packet shot into the DNS server before the real server's packet made it in. With bind you could predict what the next source port and transaction ID would be, so once you saw one query you could predict what the next would be.
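To make the two numbers the tests quote (the doxpara port spread and the OARC standard deviation) checkable against SpaethCo's three points, here is an added example that is not from the thread or from either test tool: it grades the captures Comcast_DNS posted above. The Report type, the parse/assess functions and the POOR/FAIR/GOOD thresholds are my own assumptions.

```python
"""Rate a resolver's source-port spread from the "ip:port TXID=n" lines the
doxpara test prints. Added example for this thread, not code from any test
tool it mentions; the POOR/FAIR/GOOD thresholds are my own assumptions."""
import math
import re
import statistics
from typing import NamedTuple
LINE_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+):(\d+)\s+TXID=(\d+)\s*$")
class Report(NamedTuple):
    server: str
    queries: int
    port_range: int      # max port - min port, the figure doxpara quotes
    port_stddev: float   # population std dev, the figure OARC quotes
    port_bits: float     # log2(range + 1): upper bound on port entropy
    txid_bits: float     # same bound for the 16-bit transaction ID
    verdict: str

def parse(capture: str):
    """Return (server, ports, txids) from one capture's request lines."""
    server, ports, txids = "", [], []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # banner and ruler lines carry no data
        server = m.group(1)
        ports.append(int(m.group(2)))
        txids.append(int(m.group(3)))
    if len(ports) < 2:
        raise ValueError("need at least two request lines")
    return server, ports, txids

def spread_bits(values):
    """A range of R consecutive values can carry at most log2(R + 1) bits."""
    return math.log2(max(values) - min(values) + 1)

def assess(capture: str) -> Report:
    server, ports, txids = parse(capture)
    prange = max(ports) - min(ports)
    # Assumed grading: a few hundred ports (what the NAT left behind in the
    # first capture) is POOR; spanning most of the 16-bit space is GOOD.
    verdict = "POOR" if prange < 1024 else "FAIR" if prange < 16384 else "GOOD"
    return Report(server, len(ports), prange, statistics.pstdev(ports),
                  spread_bits(ports), spread_bits(txids), verdict)
# Captures copied from Comcast_DNS's post above (Comcast behind a WRT54G, OpenDNS).
COMCAST_NAT = """68.87.68.165:16992 TXID=62773
68.87.68.165:16929 TXID=3653
68.87.68.165:17226 TXID=4680
68.87.68.165:16972 TXID=28772
68.87.68.165:17178 TXID=669"""
OPENDNS = """208.69.32.13:31506 TXID=29292
208.69.32.13:10035 TXID=41242
208.69.32.13:23535 TXID=46244
208.69.32.13:40148 TXID=29386
208.69.32.13:39546 TXID=26965"""
REPORTS = [assess(c) for c in (COMCAST_NAT, OPENDNS)]
```

The NAT'd capture grades POOR at a 297-port range (about 8 bits of spread) while the OpenDNS capture grades GOOD at roughly 15 bits, although five queries is a very small sample, as CableUZR5 notes further down.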

jbob
Reach Out and Touch Someone
Premium Member
join:2004-04-26
Little Rock, AR
·Comcast XFINITY
Asus GT-AX6000
Asus RT-AC66U B1

1 edit

jbob to Dan Kaminsky

Re: [DNS] Comcast and the DNS Server flaw issue

Hi Dan Thanks for stopping by and welcome to DSLR.

So I take it what you're saying is Comcast has been doing a good job and that using their DNS servers is probably ok!

After reading what Eric (SpaethCo) wrote about the dns-oarc test, I suppose it's more geared toward BIND and may not be as accurate testing the Comcast DNS nameservers?

Still, it's disconcerting for us non-network-engineer types to see one test pass and another show issues.

Glad you could join in.

CableUZR5
Cuidado, Hay Llamas
join:2003-02-04
Mount Holly, NJ

CableUZR5 to jbob

Re: just copy/pastin' my way through life

To me it looks as though the test performed by OARC is using too small a sample size to give accurate standard deviation numbers (the results seem precise, just not accurate). Standard deviation seems to be the only difference between results on the servers tested, and the difference is quite slight. As mentioned, the fact that some randomness has been added to the mix is a good thing, and makes exploiting the flaw much less likely. Could it be better? Sure. Is it better than not patching at all? You bet. What would be a sufficient sample size to judge the randomness of the DNS resolver? Ask a statistician...

Alan Clegg
@rr.com

1 recommendation

Alan Clegg to SpaethCo

Transaction ID is just not enough (even if 100% "random")

said by SpaethCo:

If you have sufficient transaction ID randomness, then to a certain degree the source port randomness is just an academic bonus.

The issue with Bind was that both the source port and the transaction ID for the requests were predictable, which made the poisoning not just possible, but actually quite likely if you scripted things correctly.


You sir, are completely incorrect.

Alan Clegg
aclegg@isc.org

SpaethCo
Digital Plumber
MVM
join:2001-04-21
Minneapolis, MN


said by Alan Clegg :

If you have sufficient transaction ID randomness, then to a certain degree the source port randomness is just an academic bonus.

You sir, are completely incorrect.
Completely ?

I will acknowledge that I overstated on source port randomness just being a bonus. Still, the most exploitable servers are those that are still using fixed source port queries, followed by the previous bind implementations that still had limited entropy for both the source port and transaction ID.

The servers being reported with "poor" source port randomness (i.e., randomness within a fixed range) but "good" for transaction ID randomness are still better off than those servers out there still susceptible to »securitytracker.com/aler ··· 442.html .

Dan Kaminsky
@speakeasy.net

Dan Kaminsky to jbob

Re: [DNS] Comcast and the DNS Server flaw issue

The new bug is much worse than the old one -- predictable TXID wouldn't override cache, since there wouldn't be another race.

OB1
Premium Member
join:2006-07-17
italy

OB1 to Dan Kaminsky

said by Dan Kaminsky :

This is Dan Kaminsky, the original finder of the bug.
LOL... Hi there Dan, this world is really small, isn't it ?
said by Dan Kaminsky :

Comcast is using Nominum, the company that employs the inventor of DNS. Nominum has some extra protections that slow my attack down by a couple hundred times. (I called BS on Nominum and they were only too happy to give me a server to try to break. I eventually did, but not in 10 seconds like everyone else but DJB/power.)
Uhmmm... maybe not to the vanilla stuff... but since nominum and ISC BIND share some "codebase", I wonder if nominum may be vulnerable to a certain "collision attack"

Did you try it ?

swilbourn
@comcast.net


A previous poster wrote,

"Uhmmm... maybe not to the vanilla stuff... but since nominum and ISC BIND share some "codebase", I wonder if nominum may be vulnerable to a certain "collision attack""

Sorry, but BIND and Nominum don't share any code. Nominum's servers are not derived from BIND at all and, in fact, have a different underlying design.

Sandy Wilbourn
VP Engineering, Nominum
wilbourn@nominum.com

OB1
Premium Member
join:2006-07-17
italy


said by swilbourn :

Sorry, but BIND and Nominum don't share any code. Nominum's servers are not derived from BIND at all and, in fact, have a different underlying design.
Yes, OK, I was somewhat "smokey" and probably not correct, but my post was directed to Dan, and I hope he understood what I meant.