Re: [WEB SECURITY] Major DNS Vulnerabilities
- From: "Mike Fratto" <mfratto@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] Major DNS Vulnerabilities
- Date: Wed, 9 Jul 2008 12:54:43 -0400
I am interested to see what the actual problem is. I have seen a lot of
analysis like this one, but that analysis may be focused on the
efficacy of the fix, which is to randomize UDP port numbers to make
guessing more difficult. A fix that Kaminsky indicates is a workaround
to the actual issue. The advisory even notes that the problem is
related to transactionID guessing, but also says the details are
different.
On Wed, Jul 9, 2008 at 7:40 AM, Johannes B. Ullrich, Ph.D.
<jullrich@xxxxxxxx> wrote:
> I have no real insider information, but even without that, the problem is kind of obvious. You got a single source port, and a small number of query IDs, making it reasonably easy to spoof a response. Add a decent tool to attack this problem (maybe that's the part that is going to be released at Blackhat?), a bunch of motivated users for such a tool (Phishing/Pharming?) and you got a big problem.
>
> The overall issue has been discussed for a while (for example see this paper http://www.sans.org/reading_room/whitepapers/dns/1567.php).
>
> If you would like to implement DNSSEC (the real solution to this problem), try "DNSSEC Look Aside Validation" (https://secure.isc.org/index.pl?/ops/dlv/) as an interim solution.
>
> To bring this back to web-application security: The only real defense from a web application standpoint is HTTPS (and using "real" certificates). Remember that HTTPS is not just about encryption, but it's also about authentication.
>
> Final note about the DNS patch: It will hurt performance of your DNS server. It's yet one more random number the server has to come up with for each query.
>
>
>
>
> ----- Original Message -----
> From: "Michael S. Menefee" <mmenefee@xxxxxxxxxxxxxxx>
> To: robert@xxxxxxxxxxxxx, websecurity@xxxxxxxxxxxxx
> Sent: Wednesday, July 9, 2008 12:19:34 AM GMT -05:00 US/Canada Eastern
> Subject: RE: [WEB SECURITY] Major DNS Vulnerabilities
>
> Robert,
>
> Kindly disregard my last post. Apparently the idea is for Kaminsky to
> announce more about the details at black hat in August. Although I can
> understand the approach, it's frustrating as a security professional to
> simply accept that "you need to patch this" or even worse: "customer you
> need to patch this" without more details...blackhat's next month and
> this story is news today...not sure I *agree* with the approach,
> although I can *understand* it, but why wait for the hype of blackhat to
> make the details known? I for one need more plausible justification to
> recommend most things--this included.
>
> Anyways, thanks again for the heads-up, although this story quickly
> exploded damn near everywhere all at once :)
>
>
> --
> Michael S. Menefee, CISSP (#43728)
> Principal Consultant
> Secure Solve, Inc.
> Phone: (919) 439-3598
> Fax: (919) 287-2570
> mmenefee@xxxxxxxxxxxxxxx
> www.securesolve.com
>
> -----Original Message-----
> From: robert@xxxxxxxxxxxxx [mailto:robert@xxxxxxxxxxxxx]
> Sent: Tuesday, July 08, 2008 4:37 PM
> To: websecurity@xxxxxxxxxxxxx
> Subject: [WEB SECURITY] Major DNS Vulnerabilities
>
>
> Looks as though it's time to patch again. This time against 81 different
> products
>
> http://it.slashdot.org/article.pl?sid=08/07/08/195225
> http://securosis.com/publications/CERT%20Advisory.doc
> http://securosis.com/publications/DNS-Executive-Overview.pdf
>
> Regards,
> - Robert
> http://www.webappsec.org/
>
>
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org
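
Added example, not part of the thread or any poster's code: a check of whether a resolver's outbound queries show the source-port randomization that the thread describes as the fix, and how many bits an off-path spoofer would have to guess per query in each case. The port samples are constructed; the function names and the `max_step` threshold are assumptions made for illustration.

```python
import math

TXID_BITS = 16  # the DNS transaction ID is a 16-bit header field

def assess_source_ports(ports, max_step=16):
    """Classify source ports seen on a resolver's outbound queries.

    ports: UDP source ports in the order the queries were sent.
    max_step: assumed threshold; steps this small count as a counter.
    """
    if len(ports) < 2:
        raise ValueError("need at least two observed queries")
    deltas = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    if len(set(ports)) == 1:
        verdict, port_bits = "fixed", 0.0
    elif all(1 <= d <= max_step for d in deltas):
        # A counter: the next port is predictable to within max(deltas).
        verdict, port_bits = "sequential", math.log2(max(deltas))
    else:
        # Estimate the pool size from the spread of observed ports.
        verdict = "randomized"
        port_bits = math.log2(max(ports) - min(ports) + 1)
    return {
        "verdict": verdict,
        "port_bits": round(port_bits, 1),
        # Bits an off-path spoofer must guess to match one query.
        "guess_bits": round(TXID_BITS + port_bits, 1),
    }

# Constructed samples, not captured traffic.
SAMPLES = {
    "single source port": [32768] * 8,
    "incrementing port": [1025, 1026, 1027, 1028, 1029, 1030],
    "randomized ports": [49152, 1733, 60211, 23984, 5120, 41007, 12345, 58000],
}

def report():
    return {name: assess_source_ports(p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:20} {result}")
```

A resolver that reports "fixed" or "sequential" leaves only the 16-bit query ID to guess, which is the condition the quoted message calls "a single source port, and a small number of query IDs".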