Mysidia
Tuesday, July 08, 2008
  Massive Multi-vendor DNS vulnerability
http://it.slashdot.org/article.pl?sid=08/07/08/195225

US-CERT Technical Cyber Security Alert TA08-190B -- Multiple DNS implementations vulnerable to cache poisoning

http://www.us-cert.gov/cas/techalerts/TA08-190B.html

---
Be sure to apply patches if you run an affected DNS server!

As for client resolver vulnerabilities...
Perhaps in the future firewalls will adapt.

Firewalls should use pattern analysis to detect vulnerable, unpatched client resolvers, and then perform TXID and port number translation on their traffic (think NAT).

The firewall would translate the vulnerable (TXID, source port) combinations into safe ones, dynamically modifying the interaction between server and client to work around the vulnerable software.

The same principle should apply on the server side, as well.

The implied procedure reads:

Messages from the client are translated (Weak TXID, Weak Port) => (Safe TXID, Safe Port)
* A safe (TXID, PORT) pair is generated dynamically for every new TXID and PORT. Once a
source IP has been decided "vulnerable", no TXID or PORT chosen by the client is used on the wire; a new
one is generated in its place.

Messages from the server are translated from (Safe TXID, Safe Port) => (Weak TXID, Weak Port)
* In case of collision, the translation is torn down and the query is lost.

* In all cases, the translation is obliterated after a DNS timeout interval (30 seconds or so).

Procedure explained
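As an added illustration of the two halves of the proposal (the pattern analysis that flags a weak resolver, and the NAT-style TXID/port translation table), here is example code written for this page; it is not the post author's code nor any firewall product's implementation. Everything in it is an assumption made for the sketch: the names `looks_vulnerable`, `DnsTranslator` and `ScriptedRng`, the eight-sample threshold and the two weakness patterns it checks (fixed source port, TXIDs counting up by one), the ephemeral port range used for safe ports, and the reading of "collision" as the freshly generated safe pair landing on a slot already in use, in which case the older mapping is torn down and its query lost, as the post states. Responses that match no live mapping are returned as `None`, meaning the packet is not for any translated query and falls back to the firewall's ordinary state tracking.

```python
import secrets
import time
from dataclasses import dataclass

# Hypothetical design sketch following the post: firewall-side translation of
# DNS (TXID, source port) for resolvers judged vulnerable. Not a real product.

DNS_TIMEOUT = 30.0                          # seconds; the post says "30 seconds or so"
EPHEMERAL_LOW, EPHEMERAL_HIGH = 1024, 65535  # assumed range for generated safe ports
MIN_SAMPLES = 8                              # assumed sample count before classifying


def looks_vulnerable(samples):
    """Pattern analysis over (txid, source_port) pairs seen from one resolver IP.
    Flags two weak behaviours: a single fixed source port, or TXIDs that simply
    increment by one between consecutive queries."""
    if len(samples) < MIN_SAMPLES:
        return False
    ports = {port for _, port in samples}
    txids = [txid for txid, _ in samples]
    fixed_port = len(ports) == 1
    sequential = all((b - a) % 65536 == 1 for a, b in zip(txids, txids[1:]))
    return fixed_port or sequential


@dataclass
class Translation:
    client_ip: str
    weak_txid: int
    weak_port: int
    server: tuple    # (server_ip, port) the query was sent to
    created: float   # clock reading when the mapping was installed


class ScriptedRng:
    """Deterministic stand-in for secrets, used only to make demos reproducible."""
    def __init__(self, values):
        self.values = list(values)

    def randbelow(self, n):
        return self.values.pop(0) % n


class DnsTranslator:
    """NAT-style rewrite of (TXID, source port) on queries from vulnerable
    resolvers, with reverse translation of the matching responses.
    rng must provide randbelow(); clock returns seconds (both injectable)."""

    def __init__(self, vulnerable_ips, rng=secrets, clock=time.monotonic):
        self.vulnerable = set(vulnerable_ips)
        self.rng = rng
        self.clock = clock
        self.table = {}   # (safe_txid, safe_port) -> Translation

    def _expire(self):
        # Every mapping is obliterated after the DNS timeout interval.
        now = self.clock()
        for key in [k for k, t in self.table.items() if now - t.created > DNS_TIMEOUT]:
            del self.table[key]

    def outbound(self, client_ip, txid, sport, server):
        """Client -> server. Returns the (txid, sport) to put on the wire.
        Clients not classified as vulnerable pass through untouched."""
        self._expire()
        if client_ip not in self.vulnerable:
            return txid, sport
        safe_txid = self.rng.randbelow(1 << 16)
        safe_port = EPHEMERAL_LOW + self.rng.randbelow(EPHEMERAL_HIGH - EPHEMERAL_LOW)
        key = (safe_txid, safe_port)
        # Collision: the existing translation is torn down and its query lost;
        # the new query takes the slot (assumed reading of the post).
        self.table.pop(key, None)
        self.table[key] = Translation(client_ip, txid, sport, server, self.clock())
        return key

    def inbound(self, server, txid, dport):
        """Server -> client. Returns (client_ip, weak_txid, weak_port) for a
        response that matches a live mapping from that server, else None
        (expired, already answered, or sent from a different server)."""
        self._expire()
        key = (txid, dport)
        entry = self.table.get(key)
        if entry is None or entry.server != server:
            return None
        del self.table[key]   # one response consumes the mapping
        return entry.client_ip, entry.weak_txid, entry.weak_port
```

Note that `inbound` checks the responding server address as well as the (TXID, port) pair, and that a mapping is consumed by its first matching response, so a late duplicate cannot be forwarded to the client; with `secrets` as the rng the safe pair is drawn from the full 16-bit TXID space and the ephemeral port range on every query.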
 