Black hats attack gaping DNS hole

Miscreants are actively exploiting a gaping hole in the internet's address lookup system that can cause millions of web surfers to receive counterfeit pages when they try to access online banking services and other types of websites. The first confirmed instance came on Tuesday, when security researcher H D Moore discovered a …

COMMENTS

This topic is closed for new posts.


Kelloggs Frosties

They'rrrrrrrrrrrrrreeee Grrrrrrrrrrrreat!

Unhappy

Freedom2Surf aka pipex aka Tiscali

quoth www.doxpara.com, "Your name server, at 194.106.56.6, appears vulnerable to DNS Cache Poisoning. All requests came from the following source port: 32785"

Thumb Up

TeleDanmark

14, 16, 16 and 16 bits of randomness. Can't ask for much more than that. Well, a cold beer and some crisps would be nice...

Alien

Re: BT results

Although the standard deviation test for randomness seems to give BT a POOR rating all the time, if you look at the scatter plots, there don't seem to be any obvious patterns (leastways there weren't when I ran the tests here), so I suspect that the BT servers are probably patched for this one.

Perhaps they have some way to limit the port range that they use in requests/responses, so it's a random selection from a (relatively) small pool - hence POOR as far as a standard deviation test is concerned?


Orange DNS test

Orange. On the DNS-OARC test, the source ports for the 2 Orange DNS's looked nonrandom. The plots of Source ports showed two parallel lines. This happened both for 193.36.79.100 (cache0.orange.net) and 193.36.79.101 (cache1.orange.net). The transaction ID plots are well scattered for both IP addresses. As Simon van der Walt reported, DNS-OARC says the results are great, but advises an eye check for randomness. Doxpara thinks the DNS's are ok, but advises a check for pattern and DNS-OARC shows the pattern.

Anonymous Coward

Vodafone mobile 3G

My Vodafone UK 3G card gives me GOOD source port and GREAT transaction ID randomness.

Thumb Down

iPhone surfing in the UK STILL not safe

Seeing as o2 data are 'aware of the situation' but seemingly unwilling to do anything about it, they are still wide open (193.113.200.171) so anyone browsing the net on an iPhone could start to have fun in the very near future.

You can only imagine the fun I had trying to get an answer out of them on the phone about when they were going to patch, and no, not the phone, the server...

Thumb Up

job's a good'un

Our servers are all patched up and very happy. Cacti and Nagios confirm they're actually performing better.

Tom
Stop

oops

which idiot's idea was it to post vulnerable DNS servers here?!?

you've just given the blackhats a nice list of targets!

Alert

Virgin Media

1. 194.168.8.110 (winn-dnsbep-2.server.virginmedia.net) appears to have POOR source port randomness and GREAT transaction ID randomness.

2. 194.168.8.109 (winn-dnsbep-1.server.virginmedia.net) appears to have POOR source port randomness and GREAT transaction ID randomness.

Looking at the scatter plots it appears the source ports are randomised but within a very narrow range of 200 or so as opposed to the range of 65,000 or so which should be used. So the source port randomisation combined with the transaction ID randomness gives 8 + 16 = 24 bits of entropy compared to the 32 bits maximum possible. It is possible that Virgin Media may have other defences, e.g. against domains showing suspicious UDP packet storms involving many subdomains over a short duration.

Thumb Down

@Tom

"which idiot's idea was it to post vulnerable DNS servers here?!?"

Strong words based on a shallow analysis of the situation I feel.

a) The patch is available and, given its severity, should have been implemented by now by anyone taking our money for ISP services - notwithstanding the possible costs or impact on network performance.

b) It's inevitable the 'baddies' will have access to this comments section - but that's offset by us mere mortal users being able to concur here and find out if we have a vulnerable ISP - there is no other source of reliable information other than the likes of this.

c) Do you honestly believe the 'black hat' community doesn't already have a comprehensive list already?

d) It's an unfortunate fact of life that an attack on an ISP, or an increase in suspicious traffic, is more likely to spur them to patch than a very clear technical warning - which they have already had.

Yes - on the face of it this exercise may appear foolish although to say so is plain crass. I see no horse in this stable - therefore I'll leave the door open as it stinks in here ....

Unhappy

Telenet in Belgium vulnerable

Your name server, at 85.255.197.4, appears vulnerable to DNS Cache Poisoning.

All requests came from the following source port: 32777

Thumb Down

Bloody black-hats

Well this is a pain in the arse,

Guess I'll be doing an nslookup and whois on all sites before I give them any passwords or personal information.

Thumb Up

DNS hole

Charles Johnson of LittleGreenFootballs [http://littlegreenfootballs.com/article/30617_DNS_Cache_Poisoning_Attacks]

posted an advisory Saturday, July 12. That day I made the switch in my router to OpenDNS.

DNS Resolver(s) Tested:

1. 208.69.36.14 (bld4.chi.opendns.com) appears to have GREAT source port randomness and GREAT transaction ID randomness.

Test time: 2008-08-01 12:19:59 UTC

Happy

@Paul Taylor - F2S/Tiscali

194.106.56.6 was deprecated as a Freedom2Surf nameserver last November. They changed to 212.139.132.44 and 212.139.132.43, which were patched some time ago. If your router gets its nameservers dynamically it would have updated itself.


above and beyond

Your ISP's name server, 68.87.77.132, has other protections above and beyond port randomization against the recently discovered DNS flaws. There is no reason to be concerned about the results seen below. Requests seen for 1c512a407263.doxdns5.com:

68.87.77.132:17745 TXID=56457

68.87.77.132:18005 TXID=8509

68.87.77.132:17599 TXID=51463

68.87.77.132:17774 TXID=3155

68.87.77.132:17487 TXID=15795

ISNOM:ISNOM TXID=ISNOM

Thumb Down

Bell Canada still vulnerable

Bell in Canada seems vulnerable still.

Your name server, at 70.52.198.134, appears vulnerable to DNS Cache Poisoning.


Recursion - So Why This Focus on 'Your' DNS Servers?

Whether or not 'my' DNS server is patched, if it queries an unpatched server for the IP of an unknown domain and the unpatched server has been poisoned for this domain then surely 'my' DNS cache becomes poisoned too.


Unhappy

Omsoft (local ISP in Davis CA)

1. 168.150.253.2 (spoke.dcn.davis.ca.us) appears to have POOR source port randomness and POOR transaction ID randomness.

2. 168.150.253.1 (wheel.dcn.davis.ca.us) appears to have POOR source port randomness and POOR transaction ID randomness.

3. 168.150.193.10 (indra.omsoft.com) appears to have POOR source port randomness and GREAT transaction ID randomness.

Actually, one of their DNS servers seems not to work at all (there should be four entries here).

I've added information to their entry in the Davis Wiki since this is kind of a local issue.


Verizon / FairPoint DSL iffy

When I originally tried the test on DoxPara, it said my name server looked ok, but to check that the port numbers didn't appear to follow a predictable pattern, which some of them did. Now it says "Your name server, at 71.250.0.38, may be safe, but the NAT/Firewall in front of it appears to be interfering with its port selection policy. The difference between largest port and smallest port was only 65."

These are the results of the other test:

1. 71.250.0.36 appears to have POOR source port randomness and GREAT transaction ID randomness.

2. 71.250.0.38 appears to have POOR source port randomness and GREAT transaction ID randomness.

3. 71.250.0.39 appears to have POOR source port randomness and GREAT transaction ID randomness.

I do things like pay my bills online, so the other day I called my ISP, FairPoint, to ask if they had addressed this problem. The number on their website actually connected me to Verizon tech support (from whom FairPoint recently bought the phone / internet business in this area). I spent something like an hour on the phone with them doing a lot of waiting and getting bounced around from person to person, and ultimately I got no information. The tech support people at this company are morons and had no idea what I was talking about and were unable to put me in touch with anyone who did.

So what do these results mean, am I in good shape or not?

Thumb Up

moved my router to OpenDNS and got better results

The VM defaults were;

Ok on doxpara, and

poor/great on www.dns-oarc.net,

so I changed to OpenDNS servers;

doxpara seemed just as happy and

great/great on www.dns-oarc.net,

so happier here - unless this is all a great con and now my home network is getting added to another Bots'R'Us swarm.

ho hum

Boffin

@ System Administrator

"offset by us mere mortal users being able to concur here and find out if we have a vulnerable ISP - there is no other source of reliable information other than the likes of this."

Precisely stated logic, the mainstay of all that is computing. The fact that it was posted to El Reg solidifies the argument very nicely.

Everyone else on here with an ISP using unpatched DNS and a story like Johnny Utah's should go to the OpenDNS site. Simply point your router or dialup client application to the safe DNSs offered therein.

Waiting for a fix from a hamhanded ISP who simply wants your money at the expense of your security deserves neither. But, if they are the only game in town, you don't have to use their dodgy DNSs. You will likely have to reboot your router, and or your PC to get the new DNS addresses to work.

http://www.opendns.com/

Thumb Up

NTL Ireland (=UPC) looks OK

doxpara: Your ISP's name server, 89.101.160.5, has other protections above and beyond port randomization against the recently discovered DNS flaws.

dns-oarc: 1. 89.101.160.4 (ie-dub01a-dns01.upc.ie) appears to have GOOD source port randomness and GREAT transaction ID randomness. Test time: 2008-08-02 00:08:05 UTC

Thumb Up

Be Unlimited

Great for Both on dns-oarc

Thumb Down

Virgin Media

194.168.8.110 (winn-dnsbep-2.server.virginmedia.net) appears to have POOR source port randomness and GREAT transaction ID randomness.

80.3.64.148 (brig-dnsany-1.server.virginmedia.net) appears to have POOR source port randomness and GREAT transaction ID randomness.

194.168.8.109 (winn-dnsbep-1.server.virginmedia.net) appears to have POOR source port randomness and GREAT transaction ID randomness.

Paris Hilton

How the DNS works

>> Whether or not 'my' DNS server is patched, if it queries an unpatched server for the IP of an unknown domain and the unpatched server has been poisoned for this domain then surely 'my' DNS cache becomes poisoned too.

No. The only way your server should query an unpatched server is when it is asking that unpatched server for authoritative data: i.e. when your server queries one of the name servers for google.com (say). Even if that google.com name server is unpatched, it will be serving authoritative data that it has loaded from disk. When it does that, the data it loads cannot be compromised by a cache poisoning attack. Besides, most authoritative servers don't *make* queries, they just answer them. If a DNS server doesn't make queries, it can't be spoofed and can't have its cache poisoned. Largely because it doesn't have a cache.

I've used the Paris icon because even she knows how DNS works


OpenDNS

All is *GREAT*! Yaaay!


Linux

Videotron, Quebec

Your ISP's name server, 24.200.241.97, has other protections above and beyond port randomization against the recently discovered DNS flaws. There is no reason to be concerned about the results seen below.

Sweet.

Unhappy

Melita Cable

Malta's biggest ISP is unpatched:

"Your name server, at 212.56.128.196, appears vulnerable to DNS Cache Poisoning."

Time to move to OpenDNS methinks.

Happy

ADSL24/Entanet

1. 62.189.58.210 (lnd4eusosrv39.lnd.ops.eu.uu.net) appears to have GREAT source port randomness and GREAT transaction ID randomness.

2. 62.189.34.89 (lnd10eusosrv175.lnd.ops.eu.uu.net) appears to have GREAT source port randomness and GREAT transaction ID randomness.

Looking good :D

Alien

cox in arizona mostly good

68.105.28.51 (ip68-105-28-51.at.at.cox.net) appears to have POOR source port randomness and GREAT transaction ID randomness.

68.2.16.27 (chnddnss06.ph.ph.cox.net) appears to have GREAT source port randomness and GREAT transaction ID randomness.

Thumb Down

freedom2surf.net :: POOR

194.106.56.6 (server0009.freedom2surf.net) appears to have POOR source port randomness and GREAT transaction ID randomness.

Thumb Down

No shock here

Rogers - Canada - Too busy counting money - no time to patch....

Your name server, at 64.71.246.85, appears vulnerable to DNS Cache Poisoning.

All requests came from the following source port: 34212

Due to events outside our control, details of the vulnerability have been leaked. Please consider using a safe DNS server, such as OpenDNS. Note: Comcast users should not worry. Requests seen for 61c747213638.doxdns5.com:

64.71.246.85:34212 TXID=60558

64.71.246.85:34212 TXID=14499

64.71.246.85:34212 TXID=39035

64.71.246.85:34212 TXID=36982

64.71.246.85:34212 TXID=20736

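Several posts above paste doxpara-style "Requests seen" rows and reason about them by hand: the Virgin Media post adds about 8 bits of port spread to 16 bits of transaction ID against a 32-bit maximum, the FairPoint post quotes a port difference of only 65, and the Rogers and Telenet posts show a single fixed source port. The Python below is an added example, not code from any commenter or from the doxpara or DNS-OARC tests; it parses rows in that `IP:port TXID=n` format and makes the same rough bits-of-spread estimate and verdict. The sample rows, the documentation-range IP and the 1024-port "narrow" threshold are constructed assumptions.

```python
import math
import re
from dataclasses import dataclass

# One "Requests seen" row in the doxpara-style output quoted in this thread,
# e.g. "192.0.2.53:17745 TXID=56457" (resolver IP, UDP source port, TXID).
LINE_RE = re.compile(r"^(?P<ip>[\d.]+):(?P<port>\d+)\s+TXID=(?P<txid>\d+)$")

@dataclass
class RandomnessEstimate:
    port_bits: int   # rough entropy from the spread of observed source ports
    txid_bits: int   # same for the 16-bit transaction ID
    total_bits: int  # what a spoofer must guess per attempt; 32 is the maximum
    verdict: str

def _spread_bits(values, max_bits):
    # Bits needed to cover the observed span (max - min + 1), capped at the
    # field width: a crude upper bound, not a true entropy measurement.
    span = max(values) - min(values) + 1
    return min(max_bits, math.ceil(math.log2(span))) if span > 1 else 0

def parse_requests(text):
    samples = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # junk rows such as "ISNOM:ISNOM TXID=ISNOM" are skipped
            samples.append((int(m["port"]), int(m["txid"])))
    return samples

def estimate(text, narrow_port_span=1024):
    # narrow_port_span is an assumed threshold; the test sites publish none.
    samples = parse_requests(text)
    if len(samples) < 2:
        raise ValueError("need at least two observed requests")
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    if len(set(ports)) == 1:
        verdict = "vulnerable: fixed source port, only the TXID protects the cache"
    elif max(ports) - min(ports) < narrow_port_span:
        verdict = "poor: ports drawn from a narrow range (NAT/firewall or small pool?)"
    else:
        verdict = "good: source port and TXID both vary widely"
    pb, tb = _spread_bits(ports, 16), _spread_bits(txids, 16)
    return RandomnessEstimate(pb, tb, pb + tb, verdict)
# Constructed samples (documentation-range IP, not a real resolver).
FIXED_PORT = ("192.0.2.53:34212 TXID=60558\n192.0.2.53:34212 TXID=14499\n"
              "192.0.2.53:34212 TXID=39035\n192.0.2.53:34212 TXID=36982\n")
NARROW_PORTS = ("192.0.2.53:17745 TXID=56457\n192.0.2.53:18005 TXID=8509\n"
                "192.0.2.53:17599 TXID=51463\n192.0.2.53:17487 TXID=3155\n")
```

Run `estimate(FIXED_PORT)` and `estimate(NARROW_PORTS)` to see the two failure modes the thread reports; a resolver that passes still only reaches 32 bits, which is why the patch is a mitigation rather than a cure.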
