  norwegian Premium join:2005-02-15 Outback
·WestNet Broadband
| reply to timcuth Re: Exploit Code for Kaminsky DNS Bug Goes Wild
quote: Here is the explanation as best as I can understand it. The "fix" to DNS servers is not really a fix. The exploit is still possible, but with a much smaller (millions of times smaller) chance of success.
It is mentioned port 53 for DNS as being an issue because the port is known. Is it because of inherent design? If so, firmware updates are how easy for this? I doubt my router is even supported any more, even though the company at the time supplied a great service in making sure I received the security update firmware it needed. As I asked about the use of a router doing DNS lookups to the ISP's DNS servers, if there was a flaw it seems there may be then. It was noted Microsoft did the O/S level in a patch with the last updates.
If only there was a way to check the IPs at all levels, including your router; as it seems by comments on the site, people are asking already but there isn't anything available at present, unless I'm missing a setting I don't know about. Then that isn't hard some days. -- The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke |
  Kayrac Premium join:2001-09-29 Rochester, NH
| reply to SUMware While I have absolutely 0 verification of this, I just heard from a source I trust very much, quoted:
"A DNS server belonging to SBCGlobal (AT&T) is providing xx.xxx.xx.xx.x.x as an answer to www.google.com."
Like I said, no proof, but I trust where I heard it from.
Just figured I'd let you guys know. |
  FiOS Dan Premium join:2001-07-06 Redondo Beach, CA
·Verizon FIOS
| reply to TheWiseGuy said by TheWiseGuy: Also your behavior does not have to be risky for an advertisement to do a large number of DNS lookups via your browser.
All the more reason to use a well-stocked and updated Hosts file, eh? -- Courage is being scared to death but saddling up anyway.
 TheWiseGuy Dog And Butterfly Premium,MVM join:2002-07-04 Yonkers, NY
| reply to stefaanE said by stefaanE: It's a bit like the whole virus problem - if you engage in risky behaviour you get into trouble.
Given that most people are using their ISP's DNS server, for them, if the DNS server is owned it will have nothing to do with their behavior. Also your behavior does not have to be risky for an advertisement to do a large number of DNS lookups via your browser. Without the patches the risk of the DNS server being owned was much higher, so yes, this was a severe problem. -- Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore. |
  NetFixer Freedom is NOT Free Premium join:2004-06-24 Murfreesboro, TN
·AT&T Southeast
·Vonage
·Cingular Wireless
·AT&T CallVantage
| reply to Cabal This is hopefully going to end up like the assorted Y2K problems. The majority of public DNS servers will be patched before a major ISP gets their DNS servers owned, and people who were not involved with the process will simply think that the "problem" was indeed "overhyped".
If not, then there will be those who will blame the messenger instead of the ISPs and other organizations who failed to heed the warning.
There is a good reason for the old saying that "No good deed goes unpunished". -- We can never have enough of nature. We need to witness our own limits transgressed, and some life pasturing freely where we never wander. Test your firewall. |
  Cabal Premium join:2007-01-21 Boston, MA
| reply to stefaanE said by stefaanE: The DNS cache has to be configured to resolve addresses for all comers. Any cache configured like that deserves to be poisoned.
Nonsense. This flaw is a problem for any ISP with a recursive resolver available to more than one customer. The combination of botnets with access to a lot of networks, along with being easily exploitable, makes for an enormous potential attack surface.
said by stefaanE: The flaw is real, the exploit works, but the problem is not as humongous as it's hyped up to be. It's a bit like the whole virus problem - if you engage in risky behaviour you get into trouble.
This has nothing to do with risky behavior; anyone that shares a DNS server is a potential target. It was "overhyped" (the word you're looking for is MITIGATED) because 80+ vendors and countless ISPs worldwide got together in advance to attack it proactively.
It's pretty clear you haven't yet wrapped your mind around the implications of this problem, either willfully or otherwise. Best of luck. -- Interested in open source engine management for your Subaru? |
  stefaanE Premium join:2002-07-10 Luxembourg
·Redwood Virtual
| reply to TheWiseGuy said by TheWiseGuy: I agree with Kaminsky, the problem is that requests to a cache can be made from a surfer's browser when you access a site.
If you're visiting a honeypot there are worse things that can and will happen.
The flaw is real, the exploit works, but the problem is not as humongous as it's hyped up to be. It's a bit like the whole virus problem - if you engage in risky behaviour you get into trouble.
Take care,
Stefaan -- "Technically, Windows is an 'operating system,' which means that it supplies your computer with the basic commands that it needs to suddenly, with no warning whatsoever, stop operating." -Dave Barry |
 TheWiseGuy Dog And Butterfly Premium,MVM join:2002-07-04 Yonkers, NY | reply to stefaanE I agree with Kaminsky, the problem is that requests to a cache can be made from a surfer's browser when you access a site. |
  stefaanE Premium join:2002-07-10 Luxembourg
·Redwood Virtual
| reply to SUMware Excuse me, but am I the only one who feels that the exploits (at least the description provided in the Register links »www.caughq.org/exploits/CAU-EX-2008-0002.txt and »www.caughq.org/exploits/CAU-EX-2008-0003.txt) are not all that impressive?
The DNS cache has to be configured to resolve addresses for all comers. Any cache configured like that deserves to be poisoned.
The real challenge is to subvert a properly configured cache, which requires access to a machine in the network the cache is serving. Granted, given the number of pwned machines there must be quite a few access providers that need to protect themselves from their customers' systems.
Anyone running their own DNS cache that does not respond to queries on port 53 from the Internet should be absolutely safe from the published exploit, randomized ports or not.
Take care,
Stefaan -- "Technically, Windows is an 'operating system,' which means that it supplies your computer with the basic commands that it needs to suddenly, with no warning whatsoever, stop operating." -Dave Barry |
 B Premium,MVM join:2000-10-28
| reply to SUMware Looks like the researcher has answered my IP address question, but in a strange way. Rather than admitting "I'm too cheap to pay for dedicated hosting", he writes:
To Answer A Couple Of Questions
Some people would like to have the IP address of www.doxpara.com, so that if their DNS server is compromised, they can still find out if it's vulnerable (the theory being, if it's compromised, it won't actually go to Doxpara).
Here's the problem: I'm watching you look up Doxpara's names. That's how I can see what ports you're using! If you don't use DNS to find Doxpara, I can't watch you finding Doxpara, and thus I can't tell you if you're always using the same ports.
Also, people want to have the ability to ask for a particular name server to be tested. My problem here is that I probably don't have access to your name server, except through you, so I need your web browser to poke your name server to look up a name from me. Then, and only then, can I tell you if there's a problem.
Finally, some people think that if their name server only accepts requests from Internet IPs, it's safe. No. As alluded to in the last paragraph, I may not have access to your nameserver, but your browser does, and I do have access to your browser.
So, in conclusion: Patch, and verify the patch is working (NATs continue to be a headache). If it's not working, forward to something that is. OpenDNS has capacity to spare.
Uh, so his site couldn't accept a connection by IP address and then test via further DNS queries? At least one of us is not as smart and/or honest as he or she thinks he or she is. (Yeah, it's probably me...)
-- B -- In a realm outside causality and function |
  timcuth Braves Fan Premium join:2000-09-18 Pelham, AL clubs:
·AT&T Southeast
| reply to norwegian Here is the explanation as best as I can understand it. The "fix" to DNS servers is not really a fix. The exploit is still possible, but with a much smaller (millions of times smaller) chance of success. This is due to the much larger set of possible ports used by a patched DNS server.
I think there is a clearer, more rigorous explanation by Dan Kaminsky at the site »www.doxpara.com, which is also his blog page as well as a "Check your DNS" site.
Tim -- "Life is like this long line, except at the end there ain't no merry-go-round." - Arthur on The King of Queens ~ Project Hope ~ |
  norwegian Premium join:2005-02-15 Outback
·WestNet Broadband
| reply to Link Logger That is what I get at my end, so that is good then.
Because I'm back to the question no one seems to have gotten close to yet. Can someone explain this to me in layman's terms?
To me here it seems to be a cure based on randomization of ports? I remember this topic by Daniel that, to me, isn't all that different, maybe a totally different topic, but there is a very distinct pattern in that, and it is this:
There is a set number of ports, set patterns, etc., but to randomize them is only to defer from conforming to using certain blocks for only certain behaviours and thus restricting your practices and limiting options. But as a layer, it is good; better odds for not getting infected. But as mentioned, though, not to be used as the main layer. What is it about DNS that makes it easy to poison? Why has this not been resolved? Why hasn't a system been made to counter this?
Now after my ramble, what else is different about this, other than extending the port range and the random process? If that's my first line of defense, well, what can you say.... Not sure why this exploit has me feeling apprehensive, even though it is just another patched hole!? -- The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke |
  Link Logger Premium,MVM join:2001-03-29 Calgary, AB
·Shaw
| reply to SUMware For what it is worth, considering I used a URL to get to the test site, it appears that Shaw in Calgary is 'Great' (I always rather liked Shaw). Now certainly he who controls DNS for the most part controls the internet, but let's put on our thinking caps (an exercise in thinking evil if you may) and see if we can think of another way to do this, without actually owning someone else's DNS server. Remember the internet is based on 30+ year old technology where the goal wasn't security, but actually just making it work, so there are so many assumptions involved in the internet it's enough to fill the heart of any hacker with glee.
Blake -- Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool |
  timcuth Braves Fan Premium join:2000-09-18 Pelham, AL clubs:
·AT&T Southeast
| reply to TheWiseGuy PS - I tested the other PCs in the house and they all tested good, and it showed that they are all hitting the OpenDNS IP. So, in my LAN anyway, just pointing the router there did indeed suffice for all my LAN nodes.
Thanks again, Tim -- "Life is like this long line, except at the end there ain't no merry-go-round." - Arthur on The King of Queens ~ Project Hope ~ |
  caffeinator Coming soon to a cup near you.. Premium join:2005-01-16 Spokane, WA | reply to FiOS Dan That's how my setup works, and so far so good.
OT, but perhaps not..I noticed there were several updates for IPcop recently too. |
  KC_User
@swbell.net
| reply to KC_User Me thinks I posted too soon. I made changes to the file, added servers, and it seems to work fine on my XP machine. When a change is made, it takes effect at once, so I can click retest on the dns-oarc.net to see the changes. Should be useful for someone wanting to test a series of DNS servers for this vulnerability. |
  KC_User
@swbell.net
| reply to SUMware I made a batch file to switch the DNS servers over for the command prompt junkie, as I am. Naturally, use at your OWN RISK. OS: Win XP (SP2), DNS is hard-coded into the network settings, not obtained through DHCP. The batch file, as written, depends on the connection being named "Local Area Connection". In the file, I call certain DNS servers "gte" that I've seen referred to in this thread as "Level3".
Naturally, the batch file can be modified, and the underlying command, netsh, in combination with a batch file, can be used to script complete configuration of a network connection. In this case, this file deals with DNS only.
The file will have to be changed from .txt to .bat and be in the path of your command prompt. My command prompt opens in the directory where my batch files are located. |
  timcuth Braves Fan Premium join:2000-09-18 Pelham, AL clubs: | reply to SUMware Ok, I think I've got it. Thanks.
Tim |
 TheWiseGuy Dog And Butterfly Premium,MVM join:2002-07-04 Yonkers, NY
| reply to timcuth said by timcuth: Until I went through this thread, I was using TreeWalk DNS and 127.0.0.1 as my primary DNS. I perceive this as "not safe" under the new threats so, after absorbing the info in this thread, I tried the recommended tests. I am puzzled, because they both detected my static WAN IP address as my DNS server and determined it to be unsafe. Treewalk was acting as the server and actually doing the lookups.
said by timcuth: So, since my router now uses OpenDNS, do I need to update the TCP/IP config on the rest of the PCs in my home? Tim
It depends on whether you have entered DNS servers, in the past, into the network configuration for those computers. If you have them set to obtain the DNS servers via DHCP then the computers are simply asking the router for the DNS servers and you are fine.
On a computer you either set the DNS server IPs manually, or you tell it to obtain them via DHCP. If you have set the IPs in the computer manually the computer will use the IPs you have set manually as the servers.
If you tell it to obtain them via DHCP, depending on the router, the router may pass the IP of the router or the IPs it has as DNS servers. (What those IPs are follows the same logic as with the computer, they can be set manually or obtained via DHCP.) As long as the computer is set to obtain DNS servers via DHCP then the computer will end up using the servers in the router. -- Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore. |
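An added example, not KC_User's batch file (which is not reproduced in the thread): a cmd script that uses the same netsh commands KC_User describes to switch the "Local Area Connection" adapter between manually set servers and DHCP-supplied servers, i.e. the two cases TheWiseGuy explains above. The connection name is assumed as in KC_User's post, and the OpenDNS resolver addresses are assumed from OpenDNS's public documentation.

```batch
@echo off
rem Added example (not from the thread). Usage: setdns.bat opendns | dhcp | show
rem Assumption: the connection is named "Local Area Connection", as in KC_User's post.
setlocal
set CONN=Local Area Connection
rem OpenDNS resolver addresses (assumed from OpenDNS's published documentation)
set DNS1=208.67.222.222
set DNS2=208.67.220.220

if /i "%~1"=="opendns" goto opendns
if /i "%~1"=="dhcp" goto dhcp
if /i "%~1"=="show" goto show
echo Usage: %~nx0 opendns ^| dhcp ^| show
goto end

:opendns
rem source=static replaces whatever the adapter had; "add dns" appends a secondary.
rem This is the "set manually" case: the PC ignores what the router hands out.
netsh interface ip set dns name="%CONN%" source=static addr=%DNS1%
netsh interface ip add dns name="%CONN%" addr=%DNS2% index=2
goto flush

:dhcp
rem Hand DNS selection back to DHCP, so the PC uses whatever the router
rem advertises (the "obtain automatically" case).
netsh interface ip set dns name="%CONN%" source=dhcp
goto flush

:flush
rem Discard cached answers so the next lookup (and a retest) goes to the new servers.
ipconfig /flushdns

:show
rem Confirm which servers the connection is actually using before re-testing.
netsh interface ip show dns name="%CONN%"

:end
endlocal
```

Run "setdns.bat show" afterwards to confirm the adapter reports the servers you expect before repeating the DNS test.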
  FiOS Dan Premium join:2001-07-06 Redondo Beach, CA
·Verizon FIOS
| reply to timcuth said by timcuth: So, since my router now uses OpenDNS, do I need to update the TCP/IP config on the rest of the PCs in my home?
Based upon the knowledgeable feedback I have received here at BBR the past couple of weeks, timcuth, I would say that your router settings trump the TCP/IP config in your PCs, so just set the latter to automatic. -- Courage is being scared to death but saddling up anyway.