[asterisk-users] OT: DNS security

C F shmaltz at gmail.com
Wed Jul 9 12:19:48 CDT 2008


On second note, after reading CERT, it looks like that's exactly what it
is. Another case where the media is over-dramatizing something.

On Wed, Jul 9, 2008 at 1:17 PM, C F <shmaltz at gmail.com> wrote:
> I don't think that this is the exploit that they are talking about.
> What you say is too simple and requires too much to achieve (do it at the
> right time when a request is asked and quicker than the intended DNS
> server).
>
> On Wed, Jul 9, 2008 at 12:01 PM, Alexander Lopez <Alex.Lopez at opsys.com> wrote:
>> Snip
>>
>> On Wed, Jul 9, 2008 at 10:50 AM, C F <shmaltz at gmail.com> wrote:
>>
>> Very interesting article. I guess we won't know much more for another few
>> weeks:
>> http://www.breitbart.com/article.php?id=080709124916.zxdxcmkx&show_article=1
>>
>> I thought this was common knowledge.  I remember hearing about the flaw
>> around 2000 or so.
>>
>> Thanks,
>> Steve T
>>
>> Knowledge yes, but common, I don't think so.  Cache Poisoning has been
>> around since before 2000.
>>
>> A properly designed DNS server with the right amount of randomness in its
>> request would be a difficult target. The attack exploits the fact that many
>> sequential packets had sequential numbers, so that it was easy to send a
>> malformed packet back as a response to a query.
>>
>> It works like this:
>>
>> Badman requests the address for www.digium.com from a name server, the
>> server does not have it in its cache or it has expired. Name server requests
>> the information from its forwarders, or the root domain. Badman sends a
>> packet with the address of the forwarder or root domain server forged with
>> an incremented sequence number. The name server thinks that it is a valid
>> response and adds it to its cache… the Cache is poisoned…
>>
>> Clearing the cache would clean out the poison entry, and unless the Badman
>> was able to guess the precise time your name server was to request the
>> information, your server should get the correct entry.
>>
>> Ever since Windows 2003 and BIND 9.0+, and in all versions of TinyDNS, random
>> numbers have been used for the sequence in the packet. There is always a brute
>> force attack that can be done, to simply overwhelm the DNS server and
>> possibly 'guess' the next sequence number, but that would be time consuming,
>> and most intrusion detection systems will pick it up as a DoS or DDoS attack
>> and start to shut down access.
>>
>> Best solution is to use a trusted DNS server, don't have your master DNS
>> server (the one that resolves your domain for the rest of the world) set to
>> do recursive lookups, and, as I do, hide your DNS server behind a NAT'ed
>> firewall that randomizes outgoing ports and sequence numbers.
>>
>> Alex
>>
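As an added example (not from this thread, and not anyone's code in it), a small check a defender can run over (transaction ID, source port) pairs captured from their own resolver's outgoing queries, to see whether it has the predictable-sequence weakness Alex describes; the observation lists below are constructed, not real captures.

```python
import math
import random

MAX_TXID = 1 << 16  # DNS transaction IDs are 16-bit


def is_sequential(values):
    """True when every value is the previous one plus 1 (mod 2**16)."""
    return all((b - a) % MAX_TXID == 1 for a, b in zip(values, values[1:]))


def assess_resolver(observations):
    """Judge how predictable a resolver's outgoing queries are.

    observations: (txid, src_port) pairs taken from the resolver's own queries.
    Returns the weaknesses found plus a rough size, in bits, of the space a
    forged reply must match to be accepted. Sequential IDs on a fixed port (the
    case described in the thread) leave about 0 bits; random IDs and random
    source ports push it well past 16."""
    txids = [t for t, _ in observations]
    ports = [p for _, p in observations]
    findings = []
    bits = 0.0
    if is_sequential(txids):
        findings.append("transaction IDs are sequential (predictable)")
    else:
        bits += 16.0  # treat a non-sequential 16-bit ID as fully random
    distinct_ports = set(ports)
    if len(distinct_ports) == 1:
        findings.append("every query uses source port %d (no port randomization)" % ports[0])
    else:
        # log2 of the distinct ports seen: a lower bound that rises with sample size
        bits += math.log2(len(distinct_ports))
    return {"findings": findings, "search_space_bits": round(bits, 1)}


# Constructed samples (not real captures): a weak resolver that counts its IDs
# up from 1000 on port 53, and one that randomizes both ID and source port.
WEAK = [(1000 + i, 53) for i in range(20)]
_rng = random.Random(2008)
GOOD = [(_rng.randrange(MAX_TXID), _rng.randrange(1024, MAX_TXID)) for _ in range(20)]

if __name__ == "__main__":
    for name, obs in (("weak", WEAK), ("good", GOOD)):
        print(name, assess_resolver(obs))
```

The bit estimate is deliberately coarse: it is meant to tell apart "no randomness" from "some randomness" in a handful of captured queries, not to measure the quality of the resolver's random number generator.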
