US Cable Support > Comcast HSI > [DNS] Comcast and the DNS Server flaw issue

reply to Comcast_DNS

Re: [DNS] Comcast and the DNS Server flaw issue

OK. my previous test display was 24 hours old, so I just repeated it, and the DNS warning is no longer there. However, the port range also seems to have been increased, which indicates to me that perhaps there were changes in the Comcast DNS infrastructure as well as possible changes in Dam Kaminsky's test. If so, then Comcast deserves praise for being so responsive, but instead we get typical Comcast denials, I guess some parts of the Comcast corporate culture are hard to shed.

reply to Sandy Wilbourn

reply to Comcast_DNS
I'm not sure that I understand this post.

I have worked closely with Comcast on this whole thing since May (I am not a Comcast employee). They have been one of the most concered ISPs since that time. Comcast was very proactive and patched their DNS servers before the CERT advisory. That's a hugely positive thing and took moving a lot of parts around to get it done.

Then web-based tests to approximate the exploit were developed and released by multiple security analysts. BUT, if web-based tests do not accurately reflect a vulnerability that they expressly test for, do you not think they should be updated for accuracy? What you see is not those analysts being pressured by anyone. If you doubt that, you should contact Dan and others and ask them. Our interest should be in people having tests that accurately reflect whether or not a DNS is patched.

Sandy

just copy/pastin' my way through life

$ dig +short porttest.dns-oarc.net TXT
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"68.87.76.179 is POOR: 26 queries in 0.2 seconds from 26 ports with std dev 316.71"
 

Here's the results of the same test. Dang results all over the place:

»550534c6b13985d060430715.et.dns-oarc.net/

Oh and this is with Comcasts's DNS nameservers

Same test using OpenDNS nameservers.

»9656593288a74b47aa1c9010.et.dns-oarc.net/

Much better

So what are us lowly non network engineer types supposed to make of this. Is this a flawed test of Comcast or is the DoxPara test more accurate?

reply to rolfp
If you have sufficient transaction ID randomness, then to a certain degree the source port randomness is just an academic bonus.

The issue with Bind was that both the source port and the transaction ID for the requests were predictable, which made the poisoning not just possible, but actually quite likely if you scripted things correctly.

OK, however, the folks at the thread in ATU I link are reporting 'GOOD' results when they apply the patch or update their dns server software. Wouldn't such a 'GOOD' result be expected from a patched Comcast server?

reply to rolfp
Verizon still has not addressed the issue for the source port randomness on their DNS servers either:

»7079aa1c5d30a1b7ccc245e6.et.dns-oarc.net/

I'm considering removing the forwarders I use for my caching nameserver, until Verizon gets their act together.
--
perl -le 'print $i=pack(c5,(8**2+3**2),42-10,sqrt(3600),oct(63),(unpack(c, "&")-6)),pack(c7, (70,114,101,101,66,83,68))'

reply to rolfp

reply to jbob
To me it looks as though the test performed by OARC is using too small a sample size to give accurate standard of deviation numbers (the results seem precise, just not accurate). Standard deviation seems to be the only difference between results on the servers tested, and the difference is quite slight. As mentioned, the fact that some randomness has been added to the mix is a good thing, and makes exploiting the flaw much less likely. Could it be better? -Sure. Is it better than not patching at all -you bet. What would be a sufficient sample size to judge the randomness of the DNS resolver? -Ask a statistician...
--
[/home/USA]$rm -rf /bin/bible_beaters

reply to espaeth

Transaction ID is just not enough (even if 100% "random")