World's biggest ISPs drag feet on critical DNS patch
More than two weeks after security researchers warned of a critical defect in the net's address lookup system, some of the world's biggest internet service providers - including AT&T, Time Warner and Bell Canada - have yet to install a patch inoculating their subscribers against attacks, according to an informal survey of …
Configuring my router to use the DNS cache at 194.168.8.100:
Your name server, at 194.168.8.109, may be safe, but the NAT/Firewall in front of it appears to be interfering with its port selection policy. The difference between largest port and smallest port was only 225.
Please talk to your firewall or gateway vendor -- all are working on patches, mitigations, and workarounds.
Requests seen for 27e658dcb4c1.toorrr.com:
194.168.8.109:32901 TXID=41131
194.168.8.109:32851 TXID=63188
194.168.8.109:32796 TXID=9462
194.168.8.109:33009 TXID=10296
194.168.8.109:32784 TXID=60013
And again (this time with 194.168.4.100 configured as secondary):
Your name server, at 80.7.128.36, may be safe, but the NAT/Firewall in front of it appears to be interfering with its port selection policy. The difference between largest port and smallest port was only 194.
Please talk to your firewall or gateway vendor -- all are working on patches, mitigations, and workarounds.
Requests seen for 1817ba74d9ed.toorrr.com:
80.7.128.36:15532 TXID=36617
80.7.128.36:15726 TXID=49120
80.7.128.36:15605 TXID=34601
80.7.128.36:15700 TXID=14672
80.7.128.36:15604 TXID=50260
Switching to OpenDNS (208.67.222.222):
Your name server, at 208.69.34.8, appears to be safe, but make sure the ports listed below aren't following an obvious pattern.Requests seen for de290b751743.toorrr.com:
208.69.34.8:31815 TXID=37200
208.69.34.8:4651 TXID=52861
208.69.34.8:54638 TXID=29577
208.69.34.8:41802 TXID=59604
208.69.34.8:19492 TXID=1674
For reference,
194.168.8.109 is winn-dnsbep-1.server.virginmedia.net
80.7.128.36 is oxfd-dnsany-1.server.virginmedia.net
To VirginMedia: it's no good the DNS cache randomising request ports if it's behind a NAT which just maps the ports back to something more predictable. As I understand the vulnerability, unpredictability of port numbers needs to be maintained across each network boundary, or else an attacker on the predictable side (outside the NAT in this case, if it is indeed a NAT that's the problem here and not the DNS cache) can still spoof responses.
It's also not much good randomising ports if you're still in a 200-ish range (adding only 8 bits of uncertainty to the 16 in the TXID, when the recommendation is to go to almost 32 bits).
Finally, there's no need to be so proud of starting work on it a month before Kaminsky published. Daniel Bernstein has been saying since at latest 2001 that DNS request ports should be randomised: http://cr.yp.to/djbdns/forgery-cost.txt
The article incorrectly states that Bell Canada is vulnerable. I used the test when I first heard about the problem and it said everything was fine. Just re-checked with the same result. As much as I despise Bell, they must have done the right thing. Either that, or the tool to check for the exploit is not working properly.
Thanks. Does this mean that subscribers who are getting the "port range too narrow" or "ports may follow a predictable pattern" test error are using name servers that are not patched properly?
Or is the test error an artifact of how NAT treats DNS lookup requests between the unwashed masses and the hopfully heavily armored DNS and LAN/WAN infrastructure of our trusty ISP of choice who shares much public space with many many NATed addresses?
If the narrow range, or patterned port assignments test errors behind every NAT wielding ISP are still a vulnerabilty, then I must be missing something.
I blame supernetting for the error, bring on IPV6 already!
<orderlies quickly descend to escort the anonymous coward into a wrap-around jacket and away from the computer in the recreation room, there is great struggle>
Anonymous Coward said:
"Does this mean that subscribers who are getting the "port range too narrow" or "ports may follow a predictable pattern" test error are using name servers that are not patched properly?"
Well, my latest tests of Demon produce:
"Your ISP's name server, 194.159.187.38, appears to be using the name server written by Nominum, which has effective protection against the newly discovered attacks despite the limited port range. Nominum is working to expand the port range for even greater protection, but there is no reason for concern at this time."
but also
"Your name server, at 194.159.187.34, may be safe, but the NAT/Firewall in front of it appears to be interfering with its port selection policy. The difference between largest port and smallest port was only 171."
(which is the same as previously reported for this server)
So now I'm confused. Are Demon using different versions of Nominum on different servers? Or is their patching not complete? Perhaps someone who is more savvy than me could explain what's going on here.
"Demon Internet was reported as potentially being vulnerable, because a Firewall or NAT in front of the DNS server "appears to be interfering with its port selection policy," according to Kaminsky's test."
I would guess Demon's firewalls INTENTIONALLY interfere with the port selection. Our Checkpoint firewalls alter both the port and the Id number used, specifically to mitigate the issue under discussion (and the server guys have applied the necessary patch) but the Check My DNS site still thinks we are vulnerable.
Your name server, at 195.186.1.110, appears vulnerable to DNS Cache Poisoning.
All requests came from the following source port: 47043
Swisscom (Switzerland) primary DNS server for ADSL customers
My understanding is that if you randomise the port but only within a range of (say) 256 ports, then you have 24 bits of randomness including TXID. So even if the attacker can only get one packet in before the valid response, then they have a better than 1 in 17 million chance of success. According to Kaminsky's blog, the attacker can make a couple of thousand attacks (on different subdomains) per second - presumably this depends mostly on connection speeds. 8 thousand seconds is over 2 hours.
Now, 2 hours is a moderately long time to flood a server without anyone noticing. It's a very long time if there's something looking for such attacks in real time, although what a server can usefully do if it detects a series of attacks I'm not sure.
However, if my rough calculation is orders of magnitude out in the bad direction (for instance, suppose the attacker can reliably get 100 spoof responses in before the genuine response) then I don't see how the protection is adequate. It might take under a minute of activity to poison a DNS cache. That activity might conceivably be distributed across time and/or a botnet to reduce the chances of detection. If a large botnet were to devote its time to attacking such "24 bit" DNS servers, then it would successfully poison some of them, wouldn't it?
Perhaps Kaminsky can explain why a range of a couple of hundred ports is good enough. I haven't analysed the issue at all, I'm just repeating what I've read from Kaminsky and others. But my suspicion is that the warning is there for a reason, and the reason is that a narrow port range is not a full fix.
On the NAT issue: it doesn't matter whether the port randomisation is done by the DNS resolver or by the NAT, except that:
1) If the resolver is less random than the NAT, then you're somewhat more vulnerable to an attacker inside the NAT than outside (this is what happens if the NAT is fixed and the resolver isn't).
2) If the NAT constricts the port range of the resolver, then you're somewhat more vulnerable to an attacker outside the NAT than one inside.
Combining the two cases, if there are attackers both inside and outside the NAT then you're as protected as the worst case of port predictability. So what we want is for all resolvers and all NATs to randomise ports across as wide a range as possible.
Presumably if there's a "bad" NAT between you and a "good" DNS server, then Kaminsky's test would report you clean (because it only sees the requests from the fixed caching resolver), but actually you'd be vulnerable even if the non-caching resolver in your OS is patched, because the randomised port choice is rendered predictable by the NAT. So depending on network topology, there may be cases where your own domestic firewall/router makes you vulnerable to an attacker inside your ISP's subnet, even though everything else is fixed. Do ISPs route packets directly from one customer IP to another? What brands of firewall/router randomise ports adequately?
I'm sure Kaminsky will have all the answers at Black Hat. Or someone else will provide them sooner.
Your name server, at 80.58.61.250, appears vulnerable to DNS Cache Poisoning.
Telefonica couldn't care less about its subscribers. Fortunately the show equal care as to what their subscribers do.
This is suprising...
Your name server, at 68.28.242.91, appears vulnerable to DNS Cache Poisoning.
All requests came from the following source port: 45521
Due to events outside our control, details of the vulnerability have been leaked. Please consider using a safe DNS server, such as OpenDNS. Note: Comcast users should not worry.
--------------------------------------------------------------------------------
Requests seen for d143efecae0d.doxdns5.com:
68.28.242.91:45521 TXID=5971
68.28.242.91:45521 TXID=14822
68.28.242.91:45521 TXID=5783
68.28.242.91:45521 TXID=39914
68.28.242.91:45521 TXID=34212
It is a wireless broadband link, would that be why they do not randomize the port?
I am ashamed of you ElReg - only a white Paris? Please make an icon out of this so we can truly express our opinions:
w w w.rude.com/steverudeman - take out the spaces
Just exactly how is disclosing this vulnerability to the wild making the internet safer? Maybe the name Blackhat has the insinuated connotation for these security researchers.
We (where I work) have the joy of outsourcing our network management to ****. This seems insanity to me, but it's obviously a choice for upper management, not us techies.
Anyway - the responsef from **** was that we are not vulnerable because the servers only serve answers for trusted clients.
Which totally misses the point - if you allow your clients access to the internet, then they're vulnerable.
So - if your company has external people managing your DNS (or other core services) - don't forget to JUMP ON THEM.
Anonymous & blanked company name for (hopefully) obvious reasons.
I shouldn't really expect anything less to be honest.
Average 8% packet loss and 35 UK notes a month here in sunny Montevideo for a 1.5 smeg connection ;-)
Your name server, at 200.40.220.226, appears vulnerable to DNS Cache Poisoning.
All requests came from the following source port: 33208
Requests seen for 7a29f8f05811.doxdns5.com:
200.40.220.226:33208 TXID=23352
200.40.220.226:33208 TXID=39952
200.40.220.226:33208 TXID=41029
200.40.220.226:33208 TXID=3363
200.40.220.226:33208 TXID=57739
Thumbs down as Paris is always getting thumbs up.
Only certain regions. Also at risk in Canada are Navigata and Westel:
204.244.3.129
204.244.3.130
Testing my recursive DJB servers produces "great!" results, semingly (from mailing list comments) it was DJB who suggested randomising the source ports as a security measure in the first place.
(Tux as DJB is a *nix only app)
Sign up, sign up for The Register's weekly IT security newsletter - click here
