
DNS Problem Linked To DDoS Attacks Gets Worse

Soulskill posted more than 4 years ago | from the i-blame-the-schools dept.

Security 69

itwbennett writes "The percentage of devices on the Internet that are configured to accept DNS queries from anywhere — what networking experts call an 'open recursive' or 'open resolver' system — has jumped from around 50 percent in 2007 to nearly 80 percent this year, according to research sponsored by DNS appliance company Infoblox. As more consumers demand broadband Internet, service providers are rolling out modems configured this way to their customers, said Cricket Liu, vice president of architecture with Infoblox. Georgia Tech researcher David Dagon agreed that open recursive systems are on the rise, in part because of 'the increase in home network appliances that allow multiple computers on the Internet. ... Almost all ISPs distribute a home DSL/cable device. Many of the devices have built-in DNS servers. These can sometimes ship in "open by default" states.' What's worse, says Dagon, is that many of these devices do not include patches for a widely publicized DNS flaw discovered by researcher Dan Kaminsky last year."


For starters (2, Insightful)

sopssa (1498795) | more than 4 years ago | (#30105554)

Why would a cable/adsl modem have an open recursive DNS server? There's not a single reason for that - either use your ISP's autodefined DNS servers, change them to something else or set up your own.

Re:For starters (0)

Anonymous Coward | more than 4 years ago | (#30105684)

Well, setting up your own is the same as using the one that's set up for you in the box, wouldn't you say?

Re:For starters (1)

Runaway1956 (1322357) | more than 4 years ago | (#30107132)

Very very much the same. Of course, I can't customize the server on the box that's set up for me as easily as I can customize my own DNS server - but the results are about the same.

GP should be aware that a variety of ills with internet connectivity are cured by having your own server - starting with the serious lag experienced when the ISP's server is screwed up somehow. I can send DNS queries halfway around the world, and get a response, faster than I can get answers from my local ISP's DNS server. I've often wondered if they have their server set up on a satellite - halfway to the moon.

Re:For starters (1)

Architect_sasyr (938685) | more than 4 years ago | (#30109760)

Very very much the same. Of course, I can't customize the server on the box that's set up for me as easily as I can customize my own DNS server - but the results are about the same.

Rubbish. Customisation aside, the open relay on the router is accessible on the outside, whereas one you set up on the inside has to have the ports forwarded through the NAT device on your average home LAN.

Re:For starters (1)

socsoc (1116769) | more than 4 years ago | (#30110900)

Far from the same. There is no need for a home router to be a DNS server to the outside, at most a repeater to the LAN from the ISP's DHCP assigned addys or for a customer with a bit more savvy, the IPs for OpenDNS.

Re:For starters (1)

Runaway1956 (1322357) | more than 4 years ago | (#30111168)

"Well, setting up your own is the same as using the one that's set up for you in the box, wouldn't you say?"

There is the GP's question that I responded to. In fact, the DNS server in my router is no different than the DNS server on my gateway machine - except for configuration. The major reason I disabled the server on the router, was so that I could more easily update the server, and so that I could more easily configure it.

If I saw a reason, I could configure my firewall to allow queries to come in from the outside, in which case, my server would respond. What you really mean to say is, the server on the router is misconfigured if it responds to outside requests - and I would tend to agree with that.

Re:For starters (1)

Alnitak73 (739151) | more than 4 years ago | (#30112608)

Very very much the same.

Actually, not the same at all. The DNS proxy servers in most home routers are very buggy.

Re:For starters (2, Informative)

Anonymous Coward | more than 4 years ago | (#30105750)

One reason is to cut the # of queries coming into the ISP's servers. The modem can be a local cache.

Re:For starters (4, Insightful)

TheRaven64 (641858) | more than 4 years ago | (#30105932)

Devices like this should only accept DNS requests from the local network (not from the Internet) and should, unless explicitly configured to perform recursive queries, forward them to the ISP's cache.

Re:For starters (1, Informative)

Anonymous Coward | more than 4 years ago | (#30110306)

Why would a cable/adsl modem have an open recursive DNS server? There's not a single reason for that - either use your ISP's autodefined DNS servers, change them to something else or set up your own.

They don't. What the article is trying to say is that many ISPs are now distributing routers either stand-alone or as a modem/router combo unit. Which are almost always set to the ISP's DNS servers and not just hanging wide open as the article is claiming. Hell, most of these don't have the capability to do more than support either a hardcoded DNS number, or auto-learn it from the cable company's CMTS. I have never seen one that will just take updates from 3rd party DNS, although there is a possibility if the ISP's DNS is hanging open that it would pass along shoddy information.

More FUD. For some reason I'm really not surprised.

Re:For starters (1)

Alnitak73 (739151) | more than 4 years ago | (#30112638)

Umm, say what?!

This is not FUD. The routers have DNS proxies in them. Some of those routers do the equivalent of "listen" on 0.0.0.0:53 and don't block queries arriving on the external interface.

A small query sent to the router from the outside is then forwarded to the ISP's DNS server, which duly sends the answer back to the router, which the router then sends back to the original UDP source address, which was probably spoofed. That response packet can be much larger than the original request, and as far as the victim was concerned it was sent from your router!

Re:For starters (1)

turbidostato (878842) | more than 4 years ago | (#30111520)

"Why would a cable/adsl modem have an open recursive DNS server?"

Why not? In fact, why shouldn't any DNS server over there be open to recursive searches? I know why I don't want an open resolver on my facilities and I know why buggy software shouldn't be opened to the Internet, but that is not what I'm asking.

Re:For starters (1)

Alnitak73 (739151) | more than 4 years ago | (#30112600)

Actually most routers don't have a fully recursive server - they have a "proxy" (or "forwarder").

See my RFC 5625 [ietf.org] for more details, and some explanation for why the router even has this feature. The short answer is that it's so that the router can give a consistent DHCP OFFER before it knows what the upstream DNS servers are. See also slides I presented at the IETF DNSOP working group last week: http://tools.ietf.org/agenda/76/slides/dnsop-5.ppt [ietf.org]

If the proxy is open on the WAN port then it'll forward all queries to the ISP's real recursive servers, and that's where the recursion happens. It may look as if the router's DNS proxy is recursive, but in most cases it isn't.

The DNS query results from the ISP will go back up the DSL / cable line back to the router, which will then send them back down the line to the (probably spoofed) source IP address of the original request.

is this a problem (2, Insightful)

hey (83763) | more than 4 years ago | (#30105564)

Open DNS servers don't seem so bad to me.
Like an open website -- OMG everyone can access it.

Re:is this a problem (4, Informative)

RiotingPacifist (1228016) | more than 4 years ago | (#30105686)

1) If there is a flaw in the software, I can tell your DNS server that slashdot is at 80.65.228.129 or that your bank resolves to my MITM attack site.
2) I can use up all of your router's resources and then you can't look up any sites yourself

Re:is this a problem (1)

sopssa (1498795) | more than 4 years ago | (#30105778)

There's also a DDoS possibility, since the remote computer can send a 50-byte message that results in the DNS server getting 4 kilobytes of data back to the querier. A DDoS'er does many of those and your network is filled with that crap.

Re:is this a problem (1)

commodore64_love (1445365) | more than 4 years ago | (#30106456)

I don't understand. Are you saying you can hijack my DSL modem and make it point to your website, instead of my bank website? Does this flaw also affect traditional 33k or 56k dialup modems? Would swapping-out the hijacked modem for a new one eliminate this "hole"?

Another semi-related question:

If I swap my current DSL modem with the spare modem in my drawer, would that change my IP address?

Re:is this a problem (1)

mengel (13619) | more than 4 years ago | (#30106902)

Real dialup modems don't do anything nearly as smart as DNS.

DSL "Modems" are really full-blown routers, and generally have NAT routing setup, and DNS and DHCP servers. So yes, they can be vulnerable to DNS cache poisoning, and then you'll get some Phisher-pholk's server instead of your bank's.

Re:is this a problem (1)

socsoc (1116769) | more than 4 years ago | (#30110972)

these can't be serious questions from someone with your username. if they are, ask your bff jill.

Re:is this a problem NOT WITH A GOOD HOSTS FILE (0)

Anonymous Coward | more than 4 years ago | (#30109858)

"1) If there is a flaw in the software, I can tell your DNS server that slashdot is at 80.65.228.129 or that your bank resolves to my MITM attack site.
2) I can use up all of your router's resources and then you can't look up any sites yourself"
- by RiotingPacifist (1228016) on Sunday November 15, @09:38AM (#30105686)

RP, that is why I use a custom HOSTS file & not only to blockout KNOWN "bad" adserves, maliciously coded sites or adbanners, and "botnet C&C servers" too, from reliable reputable lists but also for speed (more on that later & WHY/HOW (I use reliable lists for that, such as these HOSTS @ Wikipedia.com -> http://en.wikipedia.org/wiki/Hosts_file [wikipedia.org] or those from mvps.org (a good one this one))

I further populate my custom HOSTS file with up to date information in regards to all of those threats, via Spybot "Search & Destroy" updates (populates HOSTS and browser block lists), but also via sites like ZDNet's Mr. Dancho Danchev's blog -> http://ddanchev.blogspot.com/ [blogspot.com] or sites like FireEye -> http://blog.fireeye.com/ [fireeye.com] , stopbadware.org, & also SRI (just to name a few of my sources) & my HOSTS file incorporates ALL of the entries from the HOSTS files shown @ wikipedia (all duplicates removed via a Borland Delphi app I wrote to do so, and also change the default larger & SLOWER 127.0.0.1 blocking 'loopback adapter' IP address to either 0.0.0.0 (for VISTA/Windows Server 2008/Windows 7, smaller & thus faster than 127.0.0.1 default) or the smallest & fastest 0 "blocking 'IP ADDRESS'" (for Windows 2000/XP/Server 2003 which can STILL use it (& it was added in a service pack on Windows 2000, only on 12/09/2008 MS patch tuesday was it removed for VISTA onwards (& now all these "phunny little bugs" are showing up as FLAWS in this new NDIS6 approach via WFP as well in the firewall, which ROOTKIT.COM has stated (with code too no less on how it is done) -> http://www.rootkit.com/newsread.php?newsid=952 [rootkit.com] that it is EASIER TO UNHOOK (than was the design used in Windows 2000/XP/Server 2003))

HOWEVER, to "CIRCUMVENT" THAT WHICH YOU NOTE? WELL - I use another "technique" called "hardcoding" an IP address to domainname/hostname in my HOSTS files, for my FAVORITE websites:

This allows me to FIRST bypass any remote/external DNS lookups, which also would in theory @ least, make me "proofed" vs. DNS request logs by my ISP/BSP (especially since I use external DNS servers too, beyond my hardcoded favs in my HOSTS file because I can't ping & resolve the ENTIRE internet after all), making it harder for them to track me... sure, they could do a "reverse DNS lookup" via pings &/or traceroutes & the top level domain that does nothing BUT cache reverse DNS lookups does the rest, but that is harder to do, than looking up my URL requests via a log on a DNS server))

ALSO, AS A "BONUS" in HOSTS FILES:

It speeds you up, for one thing, & a buddy of mine says it has (verbatim quote) "DOUBLED MY SPEED ONLINE, BUT I VALUE THE SECURITY PART MORE", because he used to get over 200++ viruses a week, now? Only maybe 2 a year, & he is convinced it is largely due to the HOSTS file I send him weekly (he is my "lab rat #1" due to his previous infestation rate), & if that "anecdotal evidence" is not enough? See this then, from a published security guru on a respected site for it:

====

RESURRECTING THE KILLFILE:

(by Mr. Oliver Day)

http://www.securityfocus.com/columnists/491 [securityfocus.com]

PERTINENT EXCERPTS/QUOTES:

"The host file on my day-to-day laptop is now over 16,000 lines long. Accessing the Internet particularly browsing the Web is actually faster now."

"From what I have seen in my research, major efforts to share lists of unwanted hosts began gaining serious momentum earlier this decade. The most popular appear to have started as a means to block advertising and as a way to avoid being tracked by sites that use cookies to gather data on the user across Web properties. More recently, projects like Spybot Search and Destroy offer lists of known malicious servers to add a layer of defense against trojans and other forms of malware."

====

  (a nice bonus beyond blocking adbanners via HOSTS too, because these have been shown to harbor malscripted content too & more than just a few times the past 4-5 yrs now no less), because you don't waste between 30-N ms calling out to an external DNS (one that MAY be poisoned per Dan Kaminsky the past few years now & others also noting it), & you can STILL GET TO YOUR FAV. SITES IF HARDCODED in your HOSTS FILE (a good thing, but one you may have to periodically alter, easily, via notepad.exe edits of your HOSTS file & a ping to update their new address (sites change hosting providers due to better services or prices, rare, but they do & MOST let you know they are about to do so anyhow, so you can amend a HOSTS file)).

APK

P.S.=> NICEST PART IS, THOUGH, PER YOUR STATEMENT (in addition to the benefits of HOSTS file I note above, alongside others like Mr. Oliver Day of SECURITYFOCUS.COM)?

I will STILL get to where it is that I WANT TO GO, not the router's onboard DNS server doing hostname/domainname resolutions or potential hijacked redirects... in theory @ least, because I am controlling the hostname/domainname resolutions @ AN OS + IP STACK LEVEL, not via my routers' onboard DNS server... apk

Re:is this a problem (1)

arielCo (995647) | more than 4 years ago | (#30105748)

Like an open website -- OMG everyone can access it.

This is more like an open website running on IIS 4.0 because it's what's built into the server.

Only these devices do not auto-update - funny thing considering that their function requires being connected to the Internet. The only problem would be prompting for authorization.

Re:is this a problem (2, Insightful)

iLogiK (878892) | more than 4 years ago | (#30106210)

I'm not sure how the DNS flaw works, but I just thought of something (feel free to mod me down if this is stupid). If you were to target someone specifically who was using a router that supported auto-update, but it hadn't updated itself with a fix for the vulnerability yet, couldn't you possibly use the DNS flaw to fool it into getting the update from one of your servers? Meaning, you could get the router to do pretty much anything you want, and a router can do a lot of bad stuff.

Re:is this a problem (1)

arielCo (995647) | more than 4 years ago | (#30106834)

Oh, oh, by "auto-update" I meant software updates. (Kids, that's what happens when you post without having had enough sleep).

My concern is that the software driving modems and routers is rarely updated, but they're standing between you and the wide, wild Internet. Sure they could check for new versions, but how do they prompt you for permission? (I think technically minded consumers would be a bit miffed if the manufacturer pushed patches behind your back)

Re:is this a problem (0)

Anonymous Coward | more than 4 years ago | (#30108096)

My concern is that the software driving modems and routers is rarely updated, but they're standing between you and the wide, wild Internet. Sure they could check for new versions, but how do they prompt you for permission? (I think technically minded consumers would be a bit miffed if the manufacturer pushed patches behind your back)

That's exactly how it works - they don't prompt the client, and they do phone home. Here's an example of an AT&T DSL modem [dslreports.com] doing it. (Ignore the fact that most of the people in the thread are thinking that the reason the poster's miffed is because of the blinking light, rather than why the light is blinking.)

I noticed similar behavior in the modem's logs at http:/// [http] (an-IP-address-associated-with-a-similar-device) /logs.htm , and proved that it was doing so by unplugging the Ethernet cable from behind it (there's no way any traffic generated on my side was getting to the modem through an air gap!) before going away for a weekend. When I came back, the router had spontaneously started several sessions with the outside world for updates, and then shut them down a few moments later.

And yeah, I was also miffed.

Re:is this a problem (1)

TheRaven64 (641858) | more than 4 years ago | (#30105940)

No, more like an open proxy. This isn't about authoritative DNS servers responding to everyone (they do; that's what they're for) it's about DNS caches responding to queries from everyone (not just those on the local net), which wouldn't be so bad except that many of them are insecure.

Re:is this a problem (0)

Anonymous Coward | more than 4 years ago | (#30110636)

I think the point is open clients, not servers.

Normal for security (1)

Bentov (993323) | more than 4 years ago | (#30105682)

Open by default, instead of closed.

Trying to make something from nothing. (2, Insightful)

danwesnor (896499) | more than 4 years ago | (#30105734)

Yeah, but these devices are designed to name serve on the intranet, not the internet. Mine came with the default to ignore all traffic coming from the outside world.

Re:Trying to make something from nothing. (0)

Anonymous Coward | more than 4 years ago | (#30105754)

exactly... that's how all routers with DHCP/DNS servers work... this article is a farce.

Re:Trying to make something from nothing. (1)

Alnitak73 (739151) | more than 4 years ago | (#30114290)

Yes, they're supposed to do this DHCP and DNS stuff on the LAN interface.

What they're not supposed to do is respond to DNS queries received on the WAN interface. That's what the survey and article is about.

Re:Trying to make something from nothing. (3, Insightful)

icebraining (1313345) | more than 4 years ago | (#30105818)

No, they're not, according to the summary: "devices on the Internet that are configured to accept DNS queries from anywhere", "Almost all ISPs distribute a home DSL/cable device. Many of the devices have built-in DNS servers. These can sometimes ship in "open by default" states.'

Just because yours is closed by default, doesn't mean all are.

Re:Trying to make something from nothing. (2, Interesting)

danwesnor (896499) | more than 4 years ago | (#30106120)

OK, you're right, 1 of 1 is not enough to make an assumption. But of the 5 I've bought over the years from 3 different vendors, all 5 were shipped configured to accept DNS requests from the intranet but block all requests of any type from the internet.

Re:Trying to make something from nothing. (0)

Anonymous Coward | more than 4 years ago | (#30109992)

You're also assuming that the software has no flaws. Even if it's configured not to allow external DNS requests, that doesn't mean anything if the software is not respecting that configuration fully.

Re:Trying to make something from nothing. (1)

greed (112493) | more than 4 years ago | (#30116212)

Note the difference between "ones you've bought" and "ones provided by the cable Internet vendor".

My experience has been, any software provided by an ISP is to be treated as worse than malware.

Since I never used 16-bit Windows, I never understood "Internet Dialler" software that Windows users seemed to always install from their ISP... and was always the first thing in the way when trying to fix a busted system. But it has served to convince legions that ISP-provided software is necessary to get on the Internet. (Whereas even Windows 95 had enough stuff to dial a modem and set up PPP or SLIP. For non-PPPoE broadband--typically cable--you need no extra software on any Ethernet capable OS.)

More recently, "Internet Security Suites" provided by ISPs should never be installed. If found installed, they should be removed by re-formatting the system from read-only media. (Short of serious registry hacking, that's the only way to get rid of the stuff Bell Sympaticrap provides.)

So I'm not surprised they ship modems or routers with "PWN ME!" as the default setting.

Buying your own router immediately puts you in the top percentiles of "tech skill".

Is that why Slashdot was down? (1)

ironicsky (569792) | more than 4 years ago | (#30105772)

Slashdot got DDoS'd or Slashdotted?

Re:Is that why Slashdot was down? (1)

MickyTheIdiot (1032226) | more than 4 years ago | (#30105820)

Does anyone else think it's funny that this story was posted while /. was showing "guru meditation" errors?

Re:Is that why Slashdot was down? (1)

rvw (755107) | more than 4 years ago | (#30105838)

Does anyone else think it's funny that this story was posted while /. was showing "guru meditation" errors?

No

Re:Is that why Slashdot was down? (0)

Anonymous Coward | more than 4 years ago | (#30107118)

It was. I even looked up the backend software linked to in that error page, but quickly lost interest after finding no references there to slashdot so they could plug their reliability.

And in a prophetic twist of fate... (1)

macraig (621737) | more than 4 years ago | (#30105814)

... the RSS feed for this article fails to load!

Error 503 Service Unavailable

Service Unavailable

Guru Meditation:

XID: 1704629829

Varnish [varnish-cache.org]

Re:And in a prophetic twist of fate... (1)

sopssa (1498795) | more than 4 years ago | (#30105848)

You kids and your RSS feeds... That was on the whole site.

Re:And in a prophetic twist of fate... (1)

macraig (621737) | more than 4 years ago | (#30105922)

What's not to love about RSS feeds? It's like the Web for e-mail! :-) No blockage at the Web site proper, though... I clicked through to it from the feed immediately after, and not even so much as a pregnant pause.

Re:And in a prophetic twist of fate... (1)

macraig (621737) | more than 4 years ago | (#30105930)

I think there must have been a crack in the Varnish.

Re:And in a prophetic twist of fate... (1)

TheRaven64 (641858) | more than 4 years ago | (#30106260)

What's not to love about RSS feeds?

Unlike the normal Slashdot front page, it is not possible to block stories by kdawson from the RSS feeds (or, wasn't last time I tried).

Re:And in a prophetic twist of fate... (1)

commodore64_love (1445365) | more than 4 years ago | (#30106472)

>>>Guru Meditation:

You're surfing the net from a Commodore Amiga? Isn't that 400 megahertz PPC processor kinda slow? ;-)

Re:And in a prophetic twist of fate... (1)

macraig (621737) | more than 4 years ago | (#30106922)

They weren't before my time, but I never laid a finger on anything branded Commodore, so the humor you see in it just confuses me! Maybe I should change my account to SinclairQL_love?

Re:And in a prophetic twist of fate... (1)

commodore64_love (1445365) | more than 4 years ago | (#30107004)

"Guru Meditation" is the Amiga's version of a kernel panic, and dates back to 1985. That's why I thought you were making some in-joke about that machine (or else the website owner was). The screen looks like this:
http://en.wikipedia.org/wiki/Guru_Meditation [wikipedia.org]

Re:And in a prophetic twist of fate... (1)

macraig (621737) | more than 4 years ago | (#30107160)

Nice funny story about the origins of it. I'm sure the homage must make a few old Commodore coders feel warm and fuzzy. Hey, did you edit the Trivia section to include the mention of the Varnish homage, or was it already there? Ah, wait, checking History... nope, it's actually been there for a while.

Re:And in a prophetic twist of fate... (1)

osu-neko (2604) | more than 4 years ago | (#30108296)

>>>Guru Meditation:

You're surfing the net from a Commodore Amiga? Isn't that 400 megahertz PPC processor kinda slow? ;-)

Good gods, that would be blazing fast. IIRC, my Amiga had a 7 MHz 68000.

Re:And in a prophetic twist of fate... (1)

jgrahn (181062) | more than 4 years ago | (#30108824)

>>>Guru Meditation:

You're surfing the net from a Commodore Amiga? Isn't that 400 megahertz PPC processor kinda slow? ;-)

That message got removed after Kickstart 1.3, when an Amiga had an 8MHz MC68000. Not that it matters -- the Amiga compensated for slow hardware with fast, well-written software.

No-one is truly safe... (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30106148)

Cache poisoning is something you do by returning an answer to a DNS server that's doing a lookup on your behalf. Let's say I was able to sniff your traffic and see that you go to your Bank's web site based on the last DNS query your router did on your behalf. What I can then do is bombard your router back with answers for your bank's web site being a different IP address so that when your router finally does the DNS lookup again at some point, the potential is there for it to accept MY answer for their site that will send you elsewhere and you'd never know it.

This has NOTHING to do with having open ports because the issue is that your router asked another DNS server somewhere on the internet for a lookup - so it's already waiting for a return answer... of which you can now attempt to provide it the wrong one. So if anything you DON'T have to be an open recursive DNS server to be attacked - all you have to be doing is a recursive query, which most if not ALL routers do as they do the lookup for you. Hence therein lies the issue... Oh and set up your own patched recursive DNS server that you now think makes you "safe"... odds are your router won't randomize the outbound ports that DNS uses, so you're back at square one again with this vulnerability.

Re:No-one is truly safe... (1)

vlm (69642) | more than 4 years ago | (#30108162)

Lets say I was able to sniff your traffic and see that you go to your Bank's web site based on the last DNS query your router did on your behalf

What makes it worse, is you don't need such a precision attack. You could have a botnet randomly bombard everyone with "somebankname.com" is 1.2.3.4, and eventually you'd get a hit. Hit rate too slow, get more bots...

Some better insight... (0)

Anonymous Coward | more than 4 years ago | (#30106342)

Whether or not the DNS on your router is open externally to DNS matters not with this vulnerability. If you have a router that's doing recursive lookups for internal users - it's awaiting an answer back from whomever it asked. If a hacker happens to flood your router with answers for a common DNS query such as Google or Yahoo - there's a good chance that it could poison the answer if your router/DNS happens to ask for that and it gets the port number right... not impossible.

That's the problem with this vulnerability. You don't have to be openly recursive to be poisoned - just doing recursive queries.

Name and Shame (1)

Midnight Thunder (17205) | more than 4 years ago | (#30106360)

The problem I have seen is a mixture of ISPs which take years to react to anything and suppliers of these devices not taking responsibility and simply blaming it on the ISP. Because of this I would appreciate a roll call of ISPs and hardware involved in this, so that we can either avoid them or get them to fix the problem.

Re:Name and Shame (1)

jerimiahf (1678968) | more than 4 years ago | (#30106432)

You could not be any more wrong on this with that statement. The ISP is not the issue and the hardware is not the issue. If you are to build a recursive DNS server and have it do recursive queries on the internet completely bypassing your Router and ISP's DNS setup - you are still vulnerable.

Re:Name and Shame (1)

Alnitak73 (739151) | more than 4 years ago | (#30112692)

If you are to build a recursive DNS server and have it do recursive queries on the internet completely bypassing your Router and ISP's DNS setup - you are still vulnerable.

Actually, only if you use NAT.

If you have a fixed IP range internally and don't use any NAT then you can use the source port randomisation introduced on most servers after Kaminsky and remain very well protected against cache poisoning.

The real problem is that if you're using NAT each outbound query will have (some of) its source header fields rewritten. So even if the internal recursive server properly picks a random source port, the NAT process in your router might de-randomise it.

It's very common for NAT processes to just pick sequential source ports. The original source port sequence might go 53271, 1095, 37451, but the router might re-write that as 1024, 1025, 1026, ...

This predictable source port selection algorithm leaves you back where we were pre-Kaminsky.
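Added example (not the poster's code, nor any vendor's firmware): a Python model of the NAT de-randomisation Alnitak73 describes above, and of what it does to the forging odds discussed in the "No-one is truly safe" post. It generates the random source ports a post-Kaminsky resolver would pick, passes them through a port-preserving NAT and through a sequentially-allocating NAT, and scores what an external observer (a reflector you control, or an attacker) sees: once the next port is predictable from the previous one, the attacker's search space collapses from txid times port to txid alone. The two NAT models, the 500-query sample, the fixed seed and the "4000 forgeries per race" figure are assumptions for the demonstration, not measurements of any real router.

```python
"""Model how a NAT router can undo a resolver's source-port randomisation.

Added example: simulates the query stream an external reflector would see,
first through a port-preserving NAT and then through one that hands out ports
sequentially, and turns the result into the attacker's per-race forging odds.
"""
import random

TXID_SPACE = 65536              # 16-bit transaction id, assumed uniformly random
PORT_LOW, PORT_HIGH = 1024, 65535
PORT_SPACE = PORT_HIGH - PORT_LOW + 1


def resolver_ports(n, seed=7):
    """Source ports a post-Kaminsky resolver picks internally: random ephemeral ports.
    The fixed seed keeps the demo reproducible; a real resolver draws from a CSPRNG."""
    rng = random.Random(seed)
    return [rng.randint(PORT_LOW, PORT_HIGH) for _ in range(n)]


def nat_preserving(ports):
    """Assumed NAT behaviour #1: keep the internal source port (randomness survives)."""
    return list(ports)


def nat_sequential(ports, start=1024):
    """Assumed NAT behaviour #2: ignore the internal port and allocate the next one in order.
    This is the case described in the thread: 53271, 1095, 37451 leaves as 1024, 1025, 1026."""
    return [PORT_LOW + ((start - PORT_LOW + i) % PORT_SPACE) for i in range(len(ports))]


def sequential_fraction(observed):
    """Share of consecutive observations where the next port is exactly the previous one plus one."""
    pairs = list(zip(observed, observed[1:]))
    if not pairs:
        return 0.0
    return sum(1 for a, b in pairs if b == a + 1) / len(pairs)


def effective_port_space(observed, threshold=0.9):
    """Ports an attacker must cover per forged answer. If the stream is essentially
    sequential, one observed query tells the attacker the next port, so the space is 1."""
    return 1 if sequential_fraction(observed) >= threshold else PORT_SPACE


def race_win_probability(observed, forged_per_race):
    """Chance that one race window (forged answers landing before the real one) succeeds,
    assuming each forged packet tries a distinct (txid, port) pair and the attacker
    already knows the query name. Bound: forged / (txid space * effective port space)."""
    space = TXID_SPACE * effective_port_space(observed)
    return min(1.0, forged_per_race / space)


if __name__ == "__main__":
    inner = resolver_ports(500)
    for label, nat in (("port-preserving NAT", nat_preserving),
                       ("sequential NAT", nat_sequential)):
        seen = nat(inner)
        print(f"{label:20s} sequential={sequential_fraction(seen):.3f} "
              f"port_space={effective_port_space(seen):6d} "
              f"P(win one race, 4000 forgeries)={race_win_probability(seen, 4000):.2e}")
```

To check a real router, run the same scoring over the source ports that a reflector you control records for a burst of outbound queries from your resolver: a sequential fraction near 1 means the router is undoing the resolver's randomisation and the box is back to the 16 bits of transaction-id protection it had pre-Kaminsky.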

Forget this... (0)

Anonymous Coward | more than 4 years ago | (#30106534)

Forget this issue, many ISPs have their DSL routers' web config interface accessible from "anywhere" and many devices have a hidden built-in superuser which cannot be deleted or its passwd be changed. Here with my ISP, I can just scan an IP range, connect to any DSL router and change any setting I wish, no matter what the user's admin passwd for the router is. Then it's trivial to change DNS and hijack sessions.

How does one test for this vulnerability? (2, Interesting)

fragMasterFlash (989911) | more than 4 years ago | (#30106562)

Several online tools were available to test for vulnerabilities on individual PCs back when Kaminsky discovered the sad state of DNS security. Is there a similar test available for cable modems? How about a list of susceptible devices? I'd rather not put blind faith in my ISP to keep me out of harm's way.

Re:How does one test for this vulnerability? (0)

Anonymous Coward | more than 4 years ago | (#30107724)

I am probably wrong so until someone confirms this take it with less than a grain of salt.
Can't you just do a dig for google.com using your public IP address as the DNS server:
  If you get no response you are fine,
  If you get a response from your public IP address, then you're running a world-accessible DNS server.

Change your settings or get a new device.

Example: dig@ google.com

Re:How does one test for this vulnerability? (0)

Anonymous Coward | more than 4 years ago | (#30108004)

This would only detect whether you are open to the DoS attack.
As already mentioned the cache poisoning issue is much more complicated.

Also guessing your example command got cut:

dig @ROUTER_IP dnsname
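Added example (not code from the original thread or from any of the posters): a small Python probe that does the dig test above by hand, so the answer can be inspected the way Alnitak73 describes the forwarding path in #30112608. It builds a minimal DNS query, sends it to a host's port 53 from outside, and reports whether the host answered at all, whether it set the RA (recursion available) bit, and the response-to-query size ratio that a spoofed source would be hit with. The replies built in the `__main__` block are constructed test data, `example.com` and the `192.0.2.x` addresses are placeholders, and the live `probe()` needs network access and should only be pointed at your own router's public address.

```python
"""Probe a host for a WAN-reachable DNS forwarder and measure how much it amplifies.

Added example: builds the query by hand so the response size, the RA flag and the
rcode can be inspected without depending on dig or a resolver library.
"""
import random
import socket
import struct

# Header flag bits and field layout follow RFC 1035 section 4.1.1.
FLAG_QR = 0x8000   # message is a response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
RCODE_MASK = 0x000F
QTYPE_A, QTYPE_ANY, QCLASS_IN = 1, 255, 1
HEADER = struct.Struct(">HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount


def encode_name(name):
    """Encode a dotted name as wire-format labels, e.g. 'example.com'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=None):
    """One question with RD set: exactly what a spoofing attacker sends to the router."""
    txid = random.randrange(65536) if txid is None else txid
    return (HEADER.pack(txid, FLAG_RD, 1, 0, 0, 0)
            + encode_name(name) + struct.pack(">HH", qtype, QCLASS_IN))


def build_sample_response(query, addresses, rcode=0):
    """Constructed reply (test data, not captured traffic): echoes the question and adds
    one A record per address, each using a compression pointer (0xC00C) to the name."""
    txid = HEADER.unpack_from(query, 0)[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | rcode
    answers = b"".join(
        b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, 300, 4) + socket.inet_aton(a)
        for a in addresses
    )
    return HEADER.pack(txid, flags, 1, len(addresses), 0, 0) + query[12:] + answers


def parse_header(pkt):
    """Return the header fields of a DNS response; reject anything that is not a response."""
    if len(pkt) < HEADER.size:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = HEADER.unpack_from(pkt, 0)
    if not flags & FLAG_QR:
        raise ValueError("not a response (QR bit clear)")
    return {"txid": txid, "flags": flags, "rcode": flags & RCODE_MASK,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def classify(query, response):
    """Did the host answer an outsider, does it claim recursion, and what is the size ratio?"""
    hdr = parse_header(response)
    if hdr["txid"] != HEADER.unpack_from(query, 0)[0]:
        raise ValueError("transaction id mismatch")
    return {
        "open": hdr["rcode"] == 0 and hdr["ancount"] > 0,   # REFUSED (5) or silence = closed
        "recursion_available": bool(hdr["flags"] & FLAG_RA),
        "amplification": round(len(response) / len(query), 2),
    }


def probe(host, name="example.com", qtype=QTYPE_A, timeout=2.0):
    """Live check (needs network): send one query to host:53 from outside its LAN."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (host, 53))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return {"open": False, "recursion_available": False, "amplification": 0.0}
    return classify(q, resp)


if __name__ == "__main__":
    q = build_query("example.com", txid=0x1234)
    small = build_sample_response(q, ["192.0.2.1"])
    large = build_sample_response(q, ["192.0.2.%d" % i for i in range(1, 21)])
    print("one record :", classify(q, small))
    print("20 records :", classify(q, large))
    print("refused    :", classify(q, build_sample_response(q, [], rcode=5)))
```

Run `probe()` against your own WAN address from a host outside your LAN (a VPS, or a phone on mobile data). Silence or a REFUSED answer means the proxy is closed to the outside; a full answer with RA set is the open-forwarder case the article counts, and the amplification figure is what a spoofed victim receives per attacker packet, so an ANY query (QTYPE_ANY) against a forwarder that relays it will show a much worse ratio than the A query used here.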

Source ? (1)

dbcad7 (771464) | more than 4 years ago | (#30107574)

Ok, they list 2 ISPs as the leading "culprits".. in Spain, and France I guess.. then they go on to say something about DSL modems supplied with DNS servers ???.. what's that about ? really ? a DNS server on the modem ? .. a hard coded link to a DNS server maybe.. If you're going to report a problem, then report a problem.. like the names of the manufacturers, models, and ISPs and give people something to look out for.

Re:Source ? (1)

Tony Hoyle (11698) | more than 4 years ago | (#30109744)

DNS cache proxies are common on consumer routers.

Of course almost universally these are set to block all requests from outside, so can't really be accused of causing a jump of open resolvers from 50% to 80% on their own.

Also any network running authoritative DNS will have an open DNS.. that's unavoidable - although you normally rate limit it with iptables to stop magnification attacks.

Re:Source ? (1)

Alnitak73 (739151) | more than 4 years ago | (#30112730)

DNS cache proxies are common on consumer routers.

Actually most of them don't cache - mostly they just forward. Of the ones I've tested only Apple's Airports had a real cache in them.

Of course almost universally these are set to block all requests from outside, so can't really be accused of causing a jump of open resolvers from 50% to 80% on their own.

The increase is interesting, and unexpected. I do know of some brands that are open by default from the outside, but had hoped that the recent research and various related RFCs might have reduced the incidence of this.

Also any network running authoritative DNS will have an open DNS.. that's unavoidable - although you normally rate limit it with iptables to stop magnification attacks.

The number of authoritative servers on the internet isn't that large, and certainly not on the scale of the problem that Wessels et al have found. It's these dumb proxies that don't have the rate limiting etc that are the problem.

Dagon (1)

jgrahn (181062) | more than 4 years ago | (#30108932)

Is it just me, or does anyone else have an issue with the name "David Dagon"? I keep imagining the interview taking place with him sitting on a giant basalt throne off the New England coast, at low tide ...

Re:Dagon (1)

sudog (101964) | more than 4 years ago | (#30109106)

No, it's not just you. I see Dagon and I think Shadow Over Innsmouth, or Dagon (2001) every time. It would be cool to have a name like that.. sort of like being Fred Cthulhu, or Samson Yog-sothoth.

Re:Dagon (1)

SQL Guy (1144141) | more than 4 years ago | (#30148866)

And where does Cricket Liu fit in all this?

how is this news (0)

Anonymous Coward | more than 4 years ago | (#30113810)

apart from false advocacy for dnssec that will even simplify amplification attacks ?
