Feeds

back to article World's biggest ISPs drag feet on critical DNS patch

More than two weeks after security researchers warned of a critical defect in the net's address lookup system, some of the world's biggest internet service providers - including AT&T, Time Warner and Bell Canada - have yet to install a patch inoculating their subscribers against attacks, according to an informal survey of …

COMMENTS

This topic is closed for new posts.

Page:

Coat

All your DNS

are belong to us.

It can't be that bad, can it?

Tweed with the patches on the elbows, thanks.

0
0

Suprise suprise

At least one of Telstra's name servers are vulnerable.

203.215.3.43

0
0
Pirate

Virgin Media status

I wonder if Virgin Media would mind me injecting my own subdomain onto their DNS to replace the boring ubr.locale.blueyonder.co.uk format? :)

0
0
Paris Hilton

AT&T Wireless' DNS

According to the site, AT&T Wireless is susceptible when using the isp.cingular APN. Not sure about the wap.cingular APN, but I would venture to guess the condition is the same. DNS server assigned is 209.183.35.2.

Paris, possibly susceptible, but the firewall or nat router may be interfering with her port selection policy.

0
0
Thumb Up

Canada's Shaw Cable OK

Shaw Cable in Canada seems OK:

Your name server, at 64.59.184.15, appears to be safe, but make sure the ports listed below aren't following an obvious pattern.Requests seen for b14aed6a1cd3.toorrr.com:

64.59.184.15:21877 TXID=14695

64.59.184.15:23901 TXID=9436

64.59.184.15:30578 TXID=50420

64.59.184.15:20735 TXID=39373

64.59.184.15:9712 TXID=46561

0
0
Thumb Down

Insecure DNS

Over here in SK, my ISP is wide open.

59.0.159.86

Korean Telecom/KORNET

0
0
Thumb Up

Orange France

I am on holydays in France and connected to Orange and it seems safe ...

0
1
Thumb Down

PCCW in Hong Kong remains vulnerable

Your name server, at 218.102.23.228, appears vulnerable to DNS Cache Poisoning.

I sent this by email to PCCW execs weeks ago, but no response, and no change.

0
0

Add OCN Japan to the blackened ISPs listing...

DNS needs to be "patched" here too

but I can bet NTT is on to it...

0
0
Thumb Up

Tiscali

I know Tiscali has been something of a target for bad press before but their servers are all good according to the Check My DNS widget.

0
0

Time to patch

The fact that some organisations take a month to roll out an urgent security patch isn't an excuse. It's just another problem that those organisations needs to sort out.

Taking time to test thoroughly is good, but there needs to be a sliding scale of risk due to not testing and risk due to not patching.

0
0
Coat

50/50 result

I checked my Virginmedia DNS last night and it reported okay.

I tested the one at work this morning and its not patched (but I'm not surprised at that result).

Okay... mine's the one with the CV's in the pockets....

0
0

TalkTalk & AOL were patched a while back ..

You list OPAL as bein unpatched but AOL & TalkTalk were patched a while back and pass the "Check Your DNS" test.

0
0
Dead Vulture

KORNET!

Silo - Good luck to you mate, knowing KORNET, the DNS might be patched some time in the next 10 years (along with the rest of the korean infrastructure).

0
0

Zen

A big well done to Zen for getting theirs done so quickly. I ran the test the first time it was announced and it came up with the "safe" notice.

Another reason to be happy wtih moving from BT in my own personal "phorm" protest :)

0
0
Thumb Up

Eclipse ISP is OK :)

Top marks to my ISP, Eclipse. The test shows they pass :)

0
0

@lord_farquaad

Stop reading the reg and get back to your holidays, Geek!

0
0
Bronze badge

In SSL we trust

It's high time users should learn to verify SSL certificates of sites of any importance to them. This also nullifies most dangerous effects of DNS poisoning - which is not a new attack type, BTW.

0
0
Bronze badge

Don't bother with open DNS on Virgin

IIRC they snat you away to their own servers anyway, we need dns over ssl...

0
0
Silver badge

Merula passes OK

Err - wot the title says

0
0
Thumb Up

Server patch

Did wonders for me, updated the linux servers bind daemon and it killed everything i really enjoyed manually rebuilding what the patch had done...

JOY.

6 months to bring out this patch jeez...... fair played to the guy who found it though and kept it hush hush instead of taking advantage of the problem.

0
0

TM Net in Malaysia apparently affected

Your name server, at 203.121.65.39, appears vulnerable to DNS Cache Poisoning.

0
0

3 in UK are vulnerable

195.27.150.140 used by 3 is vulnerable... and if you are using their wireless broadband modem you cant hardcode DNS server addresses

0
0
Anonymous Coward

MegaVista... near Alicante, Spain

small ISP... got WiMax air interface... works tops... but urgh! not when their DNS's are vulnerable... 213.172.33.34 and 213.172.33.35... sent their admins an email this morning...

Qu: large ISP or small ISP more responsive to something like this?

0
0
Thumb Up

o2 Broadband seems OK

Your name server, at 87.194.0.66, appears to be safe, but make sure the ports listed below aren't following an obvious pattern.

Requests seen for 0fdf9cf5fbac.toorrr.com:

87.194.0.66:23676 TXID=55910

87.194.0.66:45831 TXID=52634

87.194.0.66:22724 TXID=59957

87.194.0.66:35609 TXID=51197

87.194.0.66:5856 TXID=45189

0
0
Unhappy

Well done work ... gotta check Be* when I get home

Your name server, at 213.130.128.31, appears vulnerable to DNS Cache Poisoning.

g0-1-41.ac3-u1-sal-uk.as15444.net -> netdnscache01.eng.net

0
0
Heart

Virgin Media DNS

Firstly, Virgin started patching for this bug a *month* before the public announcement. We're really friendly with our DNS supplier :-)

Secondly, OpenDNS works fine on Virgin Media, we don't "snat you away" (whatever that means) in any way. I suggest you update your memory with a fact or two :-)

0
0
Happy

Virgin Media and Pipex are patched

I can confirm that VM and Pipex seem ok.

0
0

Bethere?

Have Bethere patched this yet?

0
0
Thumb Down

UK Online are vulnerable

UK Online's DNS servers are vulnerable. They're owned by Sky but I don't know if they use the same servers as Skybroadband.

0
0
Tom
Silver badge

@AC + Steven Foster

Be are in the clear (unsurprising, since they are the same as O2).

0
0
Happy

Karoo OK

Karoo's 'opt-out' DNS servers check out OK. Not sure about the default one's though.

0
0
Anonymous Coward

Griffin Internet - patched

Griffin Internet's recursive DNS servers are patched. Testing passes.

0
0

RE: Bethere?

As any Be customer knows, their DNS is crap and you should be using OpenDNS anway :o)

0
0

This post has been deleted by its author

Thumb Down

AT&T Refuses To Acknowledge This Is A New Vulnerability

In case you have not seen it, here is AT&T's official statement on this vulnerability:

"AT&T Response: US-CERT DNS Security Alert- announced July 8, 2008

On July 8, 2008, US-CERT issued a Technical Cyber Security Alert TA08-190B with the title 'Multiple DNS implementations vulnerable to cache poisoning.' This alert describes how deficiencies in the DNS protocol and common DNS implementations facilitate DNS Cache poisoning attacks. This vulnerability only affects caching DNS servers, not authoritative DNS servers. This alert instructed administrators to contact their vendors for patches.

The DNS community has been aware of this vulnerability for some time. CERT technical bulletin http://www.kb.cert.org/vuls/id/252735 issued in July, 2007, identified this vulnerability but at the time no patches were available from vendors.

AT&T does not disclose the name of its DNS vendors as a security measure but has implemented a preliminary patch that was available in January, 2008. The latest patch for alert TA08-190B is currently being tested and will be deployed in the network as soon as its quality has been assured.

AT&T employs best practices in the management of its DNS infrastructure. For example, the majority of AT&T's caching DNS infrastructures have load balancers. Load balancers decrease the risk significantly because hackers are unable to target specific DNS servers. As with all patches to software affecting AT&T's production networks and infrastructure, AT&T first tests the patches in the lab to ensure they work as expected and then certifies them before deploying them into our production infrastructure.

Conclusion:

Security is of paramount importance to AT&T. AT&T has a comprehensive approach to the security of its networks and supporting infrastructures. AT&T is meeting or exceeding our world-class DNS network performance measures. We will continue to monitor the situation and will deploy software upgrades, as warranted, following our structured testing and certification process."

End of quote.

Note that:

1) They claim this is the same problem reported a year ago and for which they have already patched.

2) They claim load balancers will protect against this bug. All evidence to the contrary, they have not changed their statement.

3) They claim they do not disclose the vendor of their DNS, but also claim this is a bug in BIND which they have also patched.

4) They do not acknowledge that this is an issue with the DNS protocol, rather they act as if it is a bug in a software application.

Verizon patched everything on July 10th. What is taking AT&T so long?

0
0
Thumb Down

Not all of comcast is patched

I'm on comcast, and I just failed the test. A little disconcerting considering they state at their test site "Note: Comcast users should not worry.". What amazes me is that these companies dont get it and carry on just as they did before....

0
0
Happy

UKOnline no longer vulnerable

UKOnline/Easynet seem to have patched their DNS servers within the past few hours.. so all is okay here now!

0
0
Go

BT seems fine to me

We have BT here (albeit a business line), and 194.72.0.98 comes up clean (haven't tried our secondary which is 194.72.9.38).

0
0
Alert

Verizon

Your name server, at 68.238.96.36, may be safe, but the NAT/Firewall in front of it appears to be interfering with its port selection policy. The difference between largest port and smallest port was only 36.

Please talk to your firewall or gateway vendor -- all are working on patches, mitigations, and workarounds.

--------------------------------------------------------------------------------

Requests seen for 87bba0bc964e.toorrr.com:

68.238.96.36:39655 TXID=27775

68.238.96.36:39670 TXID=11599

68.238.96.36:39646 TXID=23973

68.238.96.36:39682 TXID=39241

68.238.96.36:39652 TXID=32366

Other repeat runs of the test give a port range no larger than 70, and as few as 23. Doesn't this make it easier for the bad guy to win the race, or is it the router I am sitting behind that is doing this?

0
0

re: Verizon

Running the test on my Verizon connection got me the "appears to be safe" message, along with the "make sure the ports ..." bit.

I didn't get the port range message you got, so it might well be your router settings.

0
0
Go

AT&T U-Verse okay? Maybe?

Your name server, at 151.164.14.196, appears to be safe, but make sure the ports listed below aren't following an obvious pattern.

--------------------------------------------------------------------------------

Requests seen for 4f5029e03184.toorrr.com:

151.164.14.196:18902 TXID=4222

151.164.14.196:44489 TXID=45620

151.164.14.196:2701 TXID=65443

151.164.14.196:57187 TXID=34670

151.164.14.196:1526 TXID=56490

Note: dnsnode1-x4.stlsmo.sbcglobal.net [151.164.14.196]

0
0
Thumb Up

Entanet

Appears to be sorted

Your name server, at 195.74.113.58, appears to be safe,

Requests seen for f3050306b5b3.toorrr.com:

195.74.113.58:13414 TXID=52945

195.74.113.58:49222 TXID=48220

195.74.113.58:45941 TXID=16935

195.74.113.58:26171 TXID=13951

195.74.113.58:50179 TXID=10996

0
0
Boffin

DNS patch

Your list may not be that accurate AOL runs on the Carphone Warehouse servers and appears not to be suseptible to this attack.

Boffin for obvious reasons

0
0

RE: Verizon and DEMON

"Demon Internet was reported as potentially being vulnerable"

No. It produces similar messages to that produced by Verizon e.g

'Your name server, at 194.159.187.34, may be safe, but the NAT/Firewall in front of it appears to be interfering with its port selection policy. The difference between largest port and smallest port was only 247.

Please talk to your firewall or gateway vendor -- all are working on patches, mitigations, and workarounds.'

0
0

Looks good to go here

Your name server, at 195.93.61.23, appears to be safe, but make sure the ports listed below aren't following an obvious pattern.

--------------------------------------------------------------------------------

Requests seen for 9184eaf37373.toorrr.com:

195.93.61.23:29828 TXID=42138

195.93.61.23:20642 TXID=48288

195.93.61.23:36031 TXID=14818

195.93.61.23:51089 TXID=49774

195.93.61.23:46036 TXID=9067

As I said in earlier post this is Carphone whorehouse server

0
0
Paris Hilton

Update on AT&T Wireless

Per dns-oarc.net,

209.183.35.23 (alpinetdns.mycingular.net) appears to have GREAT source port randomness and GREAT transaction ID randomness.

But it still fail's Kaminsky's (Doxpara) test.

Paris, a great source of port randomness.

0
0
RW
Go

Telus okay

Somewhat to my surprise. Somebody at Telus is paying attention.

The thing I find interesting is that some very large ISPs seem to have no mechanism in place for fast tracking critical changes. Sometimes a patch is so important and so urgent that if it makes the system fall over, that's still a better situation than running without the patch.

0
0

TWTelecom here

Your name server, at 64.128.189.114, appears vulnerable to DNS Cache Poisoning.

0
0
Thumb Up

Grande Communications

Looks like they have fixed theirs as well:

Your name server, at 66.90.132.162, appears to be safe, but make sure the ports listed below aren't following an obvious pattern.

--------------------------------------------------------------------------------

Requests seen for 73f58c44c681.toorrr.com:

66.90.132.162:7606 TXID=61558

66.90.132.162:23192 TXID=64573

66.90.132.162:1926 TXID=37783

66.90.132.162:58791 TXID=26127

66.90.132.162:36230 TXID=12505

0
0

Page:

This topic is closed for new posts.