Re: the tool

My DNS server does not serve the outside world. Incoming packets to port
53 are NAT directed to an non-existant IP on the LAN.

The tool uses my internet facing IP as my DNS server and tells me I am
vulnerable. Since, from the internet, connecting to that IP at port 53
will not get you to a DNS server, I find the tool's conclusion rather
without much value.

On Tue, Jul 08, 2008 at 06:26:01PM -0700, Lynda wrote:
> Owen DeLong wrote:
> > The tool, unfortunately, only goes after the server it thinks you are
> > using to recurse from the client where you're running your browser.
> >
> > This makes it hard to test servers being used in production
> > environments without GUIs. The tool is not Lynx compatible.
>
> Figures. It's becoming a pointy-clicky world. I don't like it much,
> either.

[..]

> I'll see whether someone can pry the code loose from Dan, rather than
> having it hidden under a button. As Christian Koch said, the tool isn't
> really directed at NANOG folk. I'm sure that it could be modified so
> that it was. I note that BIND has been updated on all your favorite
> operating systems, which should help some. Still, the updates just
> barely happened, and then the announcement hit.

Reading through the JavaScript that drives <http://www.doxpara.com/>,
it appears to be pretty easy to write a non-AJAX client to query Dan's
service. I threw one together in perl, named "noclicky", that allows you
to use Dan's service against any nameserver specified on the command line.
You can download a copy from <http://michael.toren.net/code/noclicky/>.
Here's an example using the script against an unpatched system:

bash$ ./noclicky 207.106.1.2
Looking up knzcgp14upi9.toorrr.com against 207.106.1.2
Fetching http://209.200.168.66/fprint/knzcgp14upi9
Requests seen for knzcgp14upi9.toorrr.com:
63.139.151.102:32932 TXID=45460
63.139.151.102:32932 TXID=9718
63.139.151.102:32932 TXID=40448
63.139.151.102:32932 TXID=27861
63.139.151.102:32932 TXID=59838
Your nameserver appears vulnerable; all requests came from the same port.

Note that the IP address Dan's service is reporting on is 63.139.151.102,
which is different than the IP address I'm issuing DNS requests against.
In this specific case, it's likely that 207.106.1.2 is configured to use
63.139.151.102 as a forwarder.

Here's an example using the script against a Comcast nameserver, which has
already patched been patched:

bash$ ./noclicky 68.87.76.181
Looking up r14z2k52m6uj.toorrr.com against 68.87.76.181
Fetching http://209.200.168.66/fprint/r14z2k52m6uj
Requests seen for r14z2k52m6uj.toorrr.com:
68.87.76.181:17244 TXID=23113
68.87.76.181:17219 TXID=31336
68.87.76.181:17270 TXID=1613
68.87.76.181:16987 TXID=22846
68.87.76.181:16974 TXID=24013
Your nameserver appears to be safe

On Tue, Jul 08, 2008 at 09:22:23PM -0500, Jimmy Hess wrote:
> I suspect the tool's form might partly be meant to obscure exactly what
> patterns it is looking for. Kind of how one might release a
> vulnerability checker in binary form (but with source code intentionally
> witheld)
>
> 5 query samples would not seem to be a sufficient number to compute the
> probability that the TXIDs and source ports are both independent and
> random, with stringent confidence intervals, and that there is no
> sequence predictability (due to use of a PRNG)...

The logic for determining whether or not a nameserver is vulnerable
turns out to be entirely exposed in the JavaScript client. It isn't
doing anything with the TXID values, but rather just checking to see if
requests were issued from more than one source port. See line 86 of
<http://foo.toorrr.com/printme.html>. Also, if you want to see how the
service is forcing the client to issue five successive DNS requests,
check out the output of dig(1) against foo.toorrr.com.

(Disclaimer: I'm somewhat sleep deprived at the moment due to jet lag,
and some of the information above could very well end up being wrong.
Others are encouraged to double check my work.)

Thanks,
-mct

On Tue, Jul 08, 2008 at 07:20:05PM -0400, Jay R. Ashworth wrote:
> Obligatory Slashdot link: http://it.slashdot.org/article.pl?sid=08/07/08/195225

Additional coverage:

http://news.cnet.com/8301-10789_3-9985815-57.html
http://news.cnet.com/8301-10789_3-9985826-57.html
http://news.cnet.com/8301-10789_3-9985618-57.html
http://www.linux.com/feature/141080
http://www.internetnews.com/security/article.php/3757746
http://www.techmeme.com/080708/p137#a080708p137

Y'know, for you to put on the noticeboard for your help desk, for when
the spooked herd starts calling.

Cheers,
-- jra
--
Jay R. Ashworth Baylink ***@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com '87 e24
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274

Those who cast the vote decide nothing.
Those who count the vote decide everything.
-- (Joseph Stalin)

On Wed, Jul 9, 2008 at 11:41 AM, Steven M. Bellovin <***@cs.columbia.edu> wrote:

> The ISC web page on the attack notes "DNSSEC is the only definitive
> solution for this issue. Understanding that immediate DNSSEC deployment
> is not a realistic expectation..." I wonder what NANOG folk can do
> about the second part of that quote...

get the root zone signed, get com/net/org/ccTLD's signed.. oh wait,
that's not nanog... doh!

Pressure your local ICANN officers?

-Chris

At 12:41 p.m. 09/07/2008, Steven M. Bellovin wrote:

>It's worth noting that the basic idea of the attack isn't new. Paul
>Vixie described it in 1995 at the Usenix Security Conference
>(http://www.usenix.org/publications/library/proceedings/security95/vixie.html)
>-- in a section titled "What We Cannot Fix", he wrote:
>
> With only 16 bits worth of query ID and 16 bits worth of UDP
> port number, it's hard not to be predictable. A determined
> attacker can try all the numbers in a very short time and can
> use patterns derived from examination of the freely available
> BIND code. Even if we had a white noise generator to help
> randomize our numbers, it's just too easy to try them all.

We have one IETF ID on port randomization for years:
http://www.gont.com.ar/drafts/port-randomization/index.html

While this does not make the attack impossible, it does make it much harder.

The same thing applies to those RST attacks circa 2004.

Most of these blind attacks assume the source port numbers are easy
to guess. But... why should they?

Kind regards,

--
Fernando Gont
e-mail: ***@gont.com.ar || ***@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

On Jul 9, 2008, at 10:39 AM, <***@bt.com> <***@bt.com
> wrote:
>>> Pressure your local ICANN officers?
>> Mmph. https://ns.iana.org/dnssec/status.html
>> (it's out of ICANN's hands)
>
> Huh!?
> ...
> It sounds like ICANN has the matter well in hand to me given
> that it is only responsible for the common central bit of the
> DNS system.

Two answers:

1) The term 'signing the root' means a whole lot more than running
dnssec-signzone over zone data. Specifically, the URL I provided
shows that IANA is _already_ signing the root (more or less) and has
been for over a year -- IANA actually has a _very_ elaborate and
secure infrastructure (including multiple FIPS 140-3 hardware security
modules, air gaps, physical security, and all sorts of other stuff)
for root signing. The fact that root zone data you receive from the
root servers is not signed may suggest that there is a bit more that
needs to be done and pretty much all of that is NOT something ICANN
has direct control over.

2) You are exactly right when you say:

> The rest of the job is everyone's problem.

Getting DNSSEC to be more than an academic exercise requires BOTH
folks signing zones that form an unbroken chain of trust up to a trust
anchor configured in validating name servers AND for the operators of
those validating name servers to enable DNSSEC. Most of the thrust to
date has been on one half of that requirement. How many ISPs
represented here are in a position to turn on DNSSEC validation? How
many are even running caches that are capable of doing DNSSEC?

For DNSSEC to actually be useful, I suspect somebody needs to write
software that provides the user with some indication other than a
timeout that a name validation failed, but that's a separate issue.

Regards,
-drc

On Jul 11, 2008, at 7:58 AM, Tuc at T-B-O-H.NET wrote:

>> Reading through the JavaScript that drives <http://www.doxpara.com/>,
>> it appears to be pretty easy to write a non-AJAX client to query
>> Dan's
>> service. I threw one together in perl, named "noclicky", that
>> allows you
>> to use Dan's service against any nameserver specified on the
>> command line.
>> You can download a copy from <http://michael.toren.net/code/
>> noclicky/>.
>>
> It looks like Dan changed what it returns, and noclicky 1.00 gets
> confused. You can fix this, atleast until MCT comes out with a new
> version,
> by putting :
>
> my $date = shift @data;
>
> before the line :
>
> print "Requests seen for $domain:\n";
>
>
> Tuc/TBOH
>

Sorry to necro this, but the original version will lead to a false
sense of security and people might be finding it in the archives...

--- noclicky-1.00.pl Fri Jul 25 02:02:16 2008
+++ noclicky-1.01.pl Fri Jul 25 02:11:18 2008
@@ -64,10 +64,12 @@
my %ports;
for my $data (@data)
{
- chomp($data);
- my ($ip, $port, $txid) = split "-", $data;
- print " $ip:$port TXID=$txid\n";
- $ports{$port} = 1;
+ if ($data =~ /^[1-9]/) {
+ chomp($data);
+ my ($ip, $port, $txid) = split "-", $data;
+ print " $ip:$port TXID=$txid\n";
+ $ports{$port} = 1;
+ }
}

Thanks to Michael for the tool, though!

Brian Keefer
Sr. Systems Engineer
www.Proofpoint.com
"Defend email. Protect data."