Hi All,
The following information was sent by Ryan Connolly of Team Cymru
regarding this major vulnerability that affects recursive DNS servers
and can dramatically increase the potential danger of a cache poisoning
attack. Operators are advised to act immediately to apply the relevant
patches in order to mitigate this vulnerability.
Hope this information is of help
Regards
Cecil
-----------------------------------------------------------------------------------------------------------------------
Although DNS cache poisoning is not a new attack, Dan Kaminsky recently
found a much faster way to implement such attacks, essentially
drastically reducing the number of "guesses" an adversary must make when
trying to poison a DNS server's cache. In the past, an attacker had to
guess the DNS transaction ID number in order to implement a DNS cache
poising attack, which meant picking the ID out of a possible combination
of approximately 215 numbers in a correct implementation. By using a,
"birthday attack," which has also been around for some time, this may be
feasible. Recently, however, Kaminsky basically found a way to reduce
the number of "guesses" to a very small number, making the vulnerability
a serious issue.
The patches that were released by major network device vendors again
increase the number of "guesses" an attacker would have to run through
to effectively conduct a DNS cache poisoning attack by randomizing the
source port used to make DNS requests. Now not only does an attacker
have to correctly guess the transaction ID number associated with the
DNS request, but the attacker also must guess the source port. In
total, this returns the number of "guesses" necessary by an attacker
back to roughly 216.
This is a potentially very serious issue because of the scope and
because the end effect if an attacker is successful is that the attacker
could redirect all traffic destined for a certain internet sever to a
server controlled by the attacker, transparently to an end user.
For a comprehensive analysis and for more methods of reducing exposure
to this vulnerability, please see the following:
http://www.kb.cert.org/vuls/id/800113
Source port randomization is a practical solution that makes executing
DNS cache poisoning attacks more difficult given the new vulnerability
but does not completely solve the underlying problem, which is with the
DNS specification. The wide scope of this vulnerability highlights the
need to address the underlying issue by applying DNSSEC, which provides
a robust method of preventing various methods of DNS cache poisoning.
For more information on DNS cache poisoning, please see the below URL:
http://en.wikipedia.org/wiki/DNS_cache_poisoning
=========================================================================================
Jon Leeman wrote:
This is a good test site;
https://www.dns-oarc.net/oarc/services/dnsentropy
Some further info from the 'discoverer' of the vulnerability is at;
http://www.doxpara.com/
Rgds.,
Jon
Ioteba Buatia wrote:
HI
Well, I went to this site www.www.doxpara.com and clicked on Check my DNS and recived the following message
Your name server, at 202.6.120.10, appears vulnerable to DNS Cache Poisoning.
All requests came from the following source port: 32768
Do not be concerned at this time. IT administrators have only recently been apprised of this issue, and should have some time to safely evaluate and deploy a fix.
Requests seen for 47ab418bbd81.toorrr.com:
202.6.120.10:32768 TXID=35630
202.6.120.10:32768 TXID=49875
202.6.120.10:32768 TXID=18127
202.6.120.10:32768 TXID=51668
202.6.120.10:32768 TXID=23799
Is this a major problem that I should be concerned about or not.
Would appreciate any feedback.
Ioteba
TSKL, Kiribati
pacnog mailing list
pacnog@pacnog.org
http://mailman.apnic.net/mailman/listinfo/pacnog
pacnog mailing list
pacnog@pacnog.org
http://mailman.apnic.net/mailman/listinfo/pacnog
