Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FYI: Some Firewall Software Undoes DNS Patch Port Randomizing

- Some Firewall Software Undoes DNS Patch Port Randomizing (August 4, 2008)
Firewall vendors are "scrambling" to update their products to address a problem 
in the software that undoes the source port randomization component of the 
recently released DNS patches.  The problem lies with some firewalls that do IP 
address translation.  The DNS patches have reportedly been causing some other 
minor problems - particularly slowing down traffic on some servers.
[Editor's Note (Skoudis): This one could get ugly, folks.  Widely available 
tools exploit this flaw to trick software update features into installing 
malware, and surely the bad guys have many other equally nasty tricks up their 
sleeves.  And, tomorrow (August 6), Dan Kaminsky will deliver his full 
presentation, which will likely provide insights into optimizing the attack 
even further.  Patch your DNS servers... and push your firewall vendors on this 
too.  If your firewall unrandomizes the source port, someone can still poison 
the DNS server behind the firewall.  Ironically, such a firewall is actually 
weakening security here, exposing your whole network to attack.
(Guest Editor and Internet Storm Center Handler Donald Smith): Actually it is 
the PAT, Port Address Translation, function that is causing this issue.  That 
is often used in conjunction with NAT, Network Address Translation, but then 
it should be called NAT/PAT.  The functions are separate logical functions even 
if used together in most NAT/PAT implementations.
- From http://isc.sans.org/diary.html?storyid=4687
"The patch will impact your server performance. Test carefully before patching 
a very busy server. Internet Storm Center (isc.org) mentions 10,000 queries/sec 
as a problem."
- From http://isc.sans.org/diary.html?storyid=4777
"Home firewall NAT devices are also proving to be vulnerable as many don't seem 
to randomize the source port."
- From http://isc.sans.org/diary.html?storyid=4780
Conclusion: So is this bad: yes, it is unless your DNS clients, name-servers 
and the name-servers you forward to are up-to-date on patches, and your NAT 
devices (routers, firewalls, etc) in between do not randomize source ports.]
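As an added defender-side check, not part of this list post or of the ISC diaries it quotes: a small Python script that parses tcpdump-style query lines captured on the outside of a NAT/PAT device and flags source ports that have been rewritten into a sequential range, which is exactly how such a device undoes the resolver's randomization. The capture lines, thresholds and function names are constructed assumptions for illustration.

```python
import re

# Constructed tcpdump-style lines as they might be seen on the WAN side of a
# NAT/PAT device (sample data, not a real capture): the PAT rewrote every
# source port into a sequential block starting at 1024.
CAPTURE_AFTER_PAT = """\
12:00:01.100 IP 203.0.113.5.1024 > 198.51.100.53.53: 4113+ A? example.com.
12:00:01.130 IP 203.0.113.5.1025 > 198.51.100.53.53: 8872+ A? example.net.
12:00:01.160 IP 203.0.113.5.1026 > 198.51.100.53.53: 1290+ AAAA? example.org.
12:00:01.190 IP 203.0.113.5.1027 > 198.51.100.53.53: 7001+ MX? example.com.
12:00:01.220 IP 203.0.113.5.1028 > 198.51.100.53.53: 3550+ A? example.edu.
""".splitlines()

# The same five queries as the patched resolver itself emitted them (constructed).
CAPTURE_RESOLVER_SIDE = """\
12:00:01.100 IP 192.168.1.53.51873 > 198.51.100.53.53: 4113+ A? example.com.
12:00:01.130 IP 192.168.1.53.13902 > 198.51.100.53.53: 8872+ A? example.net.
12:00:01.160 IP 192.168.1.53.60211 > 198.51.100.53.53: 1290+ AAAA? example.org.
12:00:01.190 IP 192.168.1.53.2047 > 198.51.100.53.53: 7001+ MX? example.com.
12:00:01.220 IP 192.168.1.53.44910 > 198.51.100.53.53: 3550+ A? example.edu.
""".splitlines()

QUERY_RE = re.compile(r" IP \S+\.(\d+) > \S+\.53: ")  # group 1 = UDP source port

def source_ports(lines):
    """Extract the source port of every outbound query to port 53."""
    return [int(m.group(1)) for m in map(QUERY_RE.search, lines) if m]

def sequential_fraction(ports):
    """Fraction of consecutive queries whose source port moves by exactly 1."""
    if len(ports) < 2:
        return 0.0
    steps = [abs(b - a) for a, b in zip(ports, ports[1:])]
    return sum(1 for s in steps if s == 1) / len(steps)

def assess_randomization(lines, min_spread=1024, max_seq=0.2):
    """Classify a capture as 'ok' or 'derandomized'.
    Thresholds are illustrative assumptions: a randomizing resolver spreads even a
    few queries over far more than 1024 ports and rarely steps by +1; a sequential
    PAT allocator does the opposite."""
    ports = source_ports(lines)
    spread = max(ports) - min(ports) if ports else 0
    seq = sequential_fraction(ports)
    verdict = "derandomized" if spread < min_spread or seq > max_seq else "ok"
    return {"verdict": verdict, "queries": len(ports),
            "port_spread": spread, "sequential_fraction": seq}

if __name__ == "__main__":
    print("resolver side:", assess_randomization(CAPTURE_RESOLVER_SIDE))
    print("after PAT:    ", assess_randomization(CAPTURE_AFTER_PAT))
```

Running the same capture on both sides of the NAT/PAT device is the point: a resolver that looks fine on the LAN side can still be "derandomized" as seen by the authoritative servers it talks to.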


Copyright © Lexa Software, 1996-2009.