> > i am sick and bloody tired of hearing from the people who aren't impressed.
>
> Well, Paul, I'm not *too* impressed, and so far, I'm not seeing what is
> groundbreaking, except that threats discussed long ago have become more
> practical due to the growth of network and processing speeds, which was
> a hazard that ... was actually ALSO predicted.

11 seconds.

and at&t refuses to patch.

and all iphones use those name servers.

your move.

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

On Thu, 24 Jul 2008, Joe Greco wrote:
>> downplay this all you want, we can infect a name server in 11 seconds now,
>> which was never true before. i've been tracking this area since 1995. don't
>> try to tell me, or anybody, that dan's work isn't absolutely groundbreaking.
>>
>> i am sick and bloody tired of hearing from the people who aren't impressed.
>
> Well, Paul, I'm not *too* impressed, and so far, I'm not seeing what is
> groundbreaking, except that threats discussed long ago have become more
> practical due to the growth of network and processing speeds, which was

Joe, you should be well aware most of what we face today and will face
tomorrow is based on concepts of old, and/or has been thought of/seen
before in a different format.

But as you well know, threats are still real, especially where the
practical vulnerability is hight. Further, this is especially true in the
operators communities where unless there is a power point presentation
about it, the threat is thought a pipe-dream.

> a hazard that ... was actually ALSO predicted.

Well, it's here now, and I am happy there is something to be done about
it, pro-actively.

Gadi.

>
> And you know what? I'll give you the *NEXT* evolutionary steps, which
> could make you want to cry.
>
> If the old code system could result in an infected name server in 11
> seconds, this "fix" looks to me to be at best a dangerous and risky
> exercise at merely reducing the odds. Some criminal enterprise will
> figure out that you've only reduced the odds to 1/64000 of what they
> were, but the facts are that if you can redirect some major ISP's
> resolver to punt www.chase.com or www.citibank.com at your $evil server,
> and you have large botnets on non-BCP38 networks, you can be pumping
> out large numbers of answers at the ISP's server without a major
> commitment in bandwidth locally... and sooner or later, you'll still
> get a hit. You don't need to win in 11 secs, or even frequently. It
> can be "jackpot" monthly and you still win.
>
> Which is half the problem here. Bandwidth is cheap, and DNS packets are
> essentially not getting any bigger, so back in the day, maybe this wasn't
> practical over a 56k or T1 line, but now it is trivial to find a colo with
> no BCP38 and a gigabit into the Internet. The flip side is all those nice
> multicore CPU's mean that systems aren't flooded by the responses, and they
> are instead successfully sorting through all the forged responses, which
> may work in the attacker's advantage (doh!)
>
> This problem really is not practically solvable through the technique that
> has been applied. Give it another few years, and we'll be to the point
> where both the QID *and* the source port are simply flooded, and it only
> takes 11 seconds, thanks to the wonder of ever-faster networks and servers.
> Whee, ain't progress wonderful.
>
> Worse, this patch could be seen as *encouraging* the flooding of DNS
> servers with fake responses, and this is particularly worrying, since
> some servers might have trouble with this.
>
> So, if we want to continue to ignore proper deployment of DNSSEC or
> equivalent, there are some things we can do:
>
> * Detect and alarm on cache overwrite attempts (kind of a meta-RFC 2181
> thing). This could be problematic for environments without consistent
> DNS data (and yes, I know your opinion of that).
>
> * Detect and alarm on mismatched QID attacks (probably at some low
> threshold level).
>
> But the problem is, even detected and alerted, what do you do? Alarming
> might be handy for the large consumer ISP's, but isn't going to be all
> that helpful for the universities or fortune 500's that don't have 24/7
> staff sitting on top of the nameserver deployment.
>
> So, look at other options:
>
> * Widen the query space by using multiple IP addresses as source. This,
> of course, has all the problems with NAT gw's that the port solution
> did, except worse.
>
> This makes using your ISP's "properly designed" resolver even more
> attractive, rather than running a local recurser on your company's
> /28 of public IP space, but has the unintended consequence of making
> those ISP recursers even more valuable targets.
>
> Makes you wish for wide deployment of IPv6, eh.
>
>> every time some blogger says "this isn't new", another five universities
>> and ten fortune 500 companies and three ISP's all decide not to patch.
>> that means we'll have to wait for them to be actively exploited before they
>> will understand the nature of the emergency.
>
> While I applaud the reduction in the attack success rate that the recent
> patch results in, I am going to take a moment to be critical, and note that
> I feel you (and the other vendors) squandered a fantastic chance. Just
> like the Boy Who Cried Wolf, you have a limited number of times that you can
> cry "vulnerability" and have people mostly all stand up and pay attention in
> the way that they did.
>
> Hardly the first (but possibly one of the most noteworthy), RIPE called
> for signing of the root zone a year ago.
>
> I note with some annoyance that this would have been a great opportunity
> for someone with a lot of DNS credibility to stand up and say "we need
> the root signed NOW," and to force the issue. This would have been a lot
> of work, certainly, but a lot of *worthwhile* work, at various levels.
> The end result would have been a secure DNS system for those who chose to
> upgrade and update appropriately.
>
> Instead, it looks to me as though the opportunity is past, people are
> falsely led to believe that their band-aid-patched servers are now "not
> vulnerable" (oh, I love that term, since it isn't really true!) and the
> next time we need to cry "fire," fewer people will be interested in
> changing.
>
> The only real fix I see is to deploy DNSSEC.
>
> I've tried to keep this message bearably short, so please forgive me if
> I've glossed over anything or omitted anything.
>
> ... JG
> --
> Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
> "We call it the 'one bite at the apple' rule. Give me one chance [and] then I
> won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
> With 24 million small businesses in the US alone, that's way too many apples.
>

On Thu, Jul 24, 2008 at 9:35 AM, Joe Greco <***@ns.sol.net> wrote:
> Well, Paul, I'm not *too* impressed, and so far, I'm not seeing what is
> groundbreaking, except that threats discussed long ago have become more
> practical due to the growth of network and processing speeds, which was
> a hazard that ... was actually ALSO predicted.

Joe,

Early attacks were based on returning out-of-scope data in the
Additional section of the response. This was an implementation error
in the servers: they should never have accepted out of scope data.

Later attacks were based on forging responses to a query. The resolver
sends a query packet and the attacker has a few tens of milliseconds
in which to throw maybe a few tens of guesses about correct ID at the
resolver before the real answer arrives from the the real server.
These were mitigated because:

a. You had maybe a 1 in 1000 chance of guessing right during the
window of opportunity.
b. If you guessed wrong, you had to wait until the TTL expired to try
again, maybe as much as 24 hours later.

So, it could take months or years to poison a resolver just once, far
below the patience threshold for your run-of-the-mill script kiddie.


What's new about this attack is that it removes mitigator B. You can
guess again and again, back to back, until you hit that 1 in 1000.

Paul tells us this can happen in about 11 seconds, well inside the
tolerance of your normal script kiddie and long before you'll notice
the log messages about invalid responses.


Anyway, it shouldn't be hard to convert this from a poisoning
vulnerability to a less troubling DOS vulnerability by rejecting
responses for a particular query (even if valid) when received near a
bad-id response. From there it just takes some iterative improvements
to mitigate the DOS.

In the mean time, randomizing the query port makes the attack more
than four orders of magnitude less effective and causes it to require
more than four orders of magnitude of additional resources on the
attacker's part.

Regards,
Bill Herrin


--
William D. Herrin ................ ***@dirtside.com ***@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004

On 24 Jul 2008, at 10:56, Joe Greco wrote:

> MY move? Fine. You asked for it. Had I your clout, I would have
> used
> this opportunity to convince all these new agencies that the
> security of
> the Internet was at risk, and that getting past the "who holds the
> keys"
> for the root zone should be dealt with at a later date. Get the root
> signed and secured.

Even if that was done today, there would still be a risk of cache
poisoning for months and years to come.

You're confusing the short-term and the long-term measures, here.

> Get the GTLD's signed and secured.

I encourage you to read some of the paper trail involved with getting
ORG signed, something that the current roadmap still doesn't
accommodate for the general population of child zones until 2010. It
might be illuminating.

Even once everything is signed and working well to the zones that
registries are publishing, we need to wait for registrars to offer
DNSSEC key management to their customers.

Even once registrars are equipped, we need people who actually host
customer zones to sign them, and to acquire operational competence
required to do so well.

And even after all this is done, we need a noticeable proportion of
the world's caching resolvers to turn on validation, and to keep
validation turned on even though the helpdesk phone is ringing off the
hook because the people who host the zones your customers are trying
to use haven't quite got the hang of DNSSEC yet, and their signatures
have all expired.

Compared with the problem of global DNSSEC deployment, getting
everybody in the world to patch their resolvers looks easy.


Joe

On Thu, Jul 24, 2008 at 09:56:32AM -0500, Joe Greco wrote:
> MY move? Fine. You asked for it. Had I your clout, I would have used
> this opportunity to convince all these new agencies that the security of
> the Internet was at risk, and that getting past the "who holds the keys"
> for the root zone should be dealt with at a later date. Get the root
> signed and secured. Get the GTLD's signed and secured. Give people the
> tools and techniques to sign and secure their zones. Focus on banks,

I admit readily that I am not one of the 'dns guys' around here, but
I have been watching with some interest for a few years now, and have
more or less become convinced that the players involved are willing to
tolerate, downplay, or even flat out ignore a great deal.

Except losing their own relevance. This is cherished above all. The
only times I have seen these parties move is when it has been
realistically threatened.

So in brandishing this world event as like a holy sword of fire to
smite some nefarious beaurocracy, there is no danger its strike will
drain any relevance. The band aid fix is there. Their relevance is
saved along with all of our businesses. There is still plenty of time
to argue about who gets the keys. Who gets nearly the entire pot of
this magical relevance ambrosia?

It wouldn't work. Paul's booming voice would serve only to make him
hoarse.

The strike only lands for effect if you withold the band aid fix,
which simply can not be done in this case either.


I'm only really aware of two ways to reduce the relevance of the root
and its children (I did say I am not a DNS guy). You can join one of
the alternate roots, which I do not recommend. Or you can sign your
zones using a DLV registry.

If DLV registries became 'de rigeur', it would effectively halve the
root and by extension the GTLDs' relevance. I do not believe they
will permit this to come to pass. Provided they did, we would win
anyway, as signing zones itself would have become the norm.

--
David W. Hankins "If you don't do it right the first time,
Software Engineer you'll just have to do it again."
Internet Systems Consortium, Inc. -- Jack T. Hankins

On 24 Jul 2008, at 11:40, Joe Greco wrote:

>> Compared with the problem of global DNSSEC deployment, getting
>> everybody in the world to patch their resolvers looks easy.
>
> Of course. That's why I said that deploying this patch was
> something that
> could be done *too*.

OK, good. Sorry if I misinterpreted your earlier message.


Joe

>
>
> He,he,nice comment. The issue is that with todays html crap and embedded
> images on mails "click" is no longer required, just include a malicious tag
> forcing your resolver to go to bad boy's NS to resolve the URL and you are
> up in biz.
>
>
Can't stop laughing ... its a rainy boring day in south TX, just thinking
that MSFT is probably working on a security patch for Vista that will ask
you every few seconds "Are you sure you want to resolve this domain name?"
....

Just a bit of humor before my resolver is poisoned ...

Cheers
Jorge

>
> ... and we've successfully managed to get Gates to train users to click
> on "OK" for any message where they don't understand what it's trying to
> say, so relying on security at other layers isn't particularly effective
> either.


He,he,nice comment. The issue is that with todays html crap and embedded
images on mails "click" is no longer required, just include a malicious tag
forcing your resolver to go to bad boy's NS to resolve the URL and you are
up in biz.

/etc/hosts rulez !!! :-)

Regards
Jorge

Here's some older ones:

http://pdp-10.trailing-edge.com/cgi-bin/searchbyname?name=hosts.txt

Prior to departing SRI last year I spent a bunch of time trying to find some of the old SRI-NIC records. It appears that they were all cleaned out once the contract was closed and the Internet was handed over to Network Solutions. I think that a lot of old records still exist in personal file cabinets and garages around Menlo Park but nothing "official" is on the campus of SRI.

Marc

-----Original Message-----
From: Tuc at T-B-O-H [mailto:***@t-b-o-h.net]

>
> Jorge Amodio wrote:
>
> > /etc/hosts rulez !!! :-)
>
> Wonder if SRI wstill has the files.....
>
UNOFFICIAL copy from 15-Apr-94 :

http://ftp.univie.ac.at/netinfo/netinfo/hosts.txt

Tuc/TBOH