[nsp-sec] List of vulnerable DNS resolvers - Interesting observation

White, Gerard Gerard.White at aliant.ca
Tue Jul 22 21:13:13 EDT 2008


Greetings.

Isn't it ironic that none of the more dense targets for DNS Jacking
(i.e. Zlob et al.) malware shows up in this list...

i.e. 85.255.112.0/24 & 85.255.113.0/24 (CERNEL/INTERCAGE)

Maybe the bad guys have their act together and patched themselves
appropriately...

Nevertheless, thanks for the _great_ data Niels/Dave, and Ack 855 and
its downstreams too...

(We're having trouble with patching ISC Bind 9 and Solaris...  but
that's another story.)

GW
855 - Bell Aliant.



> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Niels Provos
> Sent: Tuesday, July 22, 2008 8:42 PM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] List of vulnerable DNS resolvers
> 
> ----------- nsp-security Confidential --------
> 
> Hi,
> 
> as you know, the DNS flaw was leaked yesterday.   At the moment, ~70%
> of all resolvers on the Internet use static or trivially predictable
> source ports.   These resolvers/NAT devices need to be patched as soon
> as possible.   The CERT reference for this flaw can be found at:
> 
>  http://www.kb.cert.org/vuls/id/800113
> 
> The flaw allows adversaries to inject almost arbitrary A or NS records
> on vulnerable resolvers, e.g. redirect traffic/proxy traffic of
> legitimate domains.
> 
> You can find a list of vulnerable resolvers and corresponding AS
> numbers at:
> 
>  https://asn.cymru.com/nsp-sec/upload/1216767459.whois.txt
> 
> These IP addresses are from recursive resolvers that showed very low
> standard-deviation (<200) in their source ports according to
> measurements conducted by David Dagon and myself over the last 7 days.
>  I released a small Python tool that you can use to test your own
> resolver.   You can download it from:
> 
>   http://www.monkey.org/~provos/dnspredict.py
> 
> Instructions on how to use the tool can be found here:
> 
>  http://www.provos.org/index.php?/archives/42-DNS-and-Randomness.html
> 
> Please, let me know if you have any questions.
> 
> Thank you,
>  Niels.
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security community. Confidentiality is essential for effective
> Internet security counter-measures.
> _______________________________________________
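
The quoted message flags resolvers whose source ports show a standard deviation below 200. The following is an added example, not part of the thread and not dnspredict.py, showing how that check can be applied to your own resolvers' queries. The input format, the sample data, the minimum sample count, the use of population standard deviation and the constant-step check are assumptions made for illustration.

```python
import statistics

STDDEV_THRESHOLD = 200  # cut-off quoted in the post: standard deviation < 200
MIN_SAMPLES = 5         # assumption: fewer observations give no usable estimate

# Constructed sample: resolver address, then the UDP source ports of its
# consecutive queries as seen at an authoritative server you control.
SAMPLE = """\
192.0.2.10 53 53 53 53 53 53
192.0.2.20 1024 2024 3024 4024 5024 6024
192.0.2.30 32768 32771 32769 32790 32775 32780
192.0.2.40 1234 49152 20001 61000 8080 35555
192.0.2.50 40000 40001
"""

def parse(text):
    """Return {resolver: [ports in observation order]}, validating each port."""
    seen = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        ports = [int(f) for f in fields[1:]]
        if any(not 0 < p < 65536 for p in ports):
            raise ValueError(f"port out of range for {fields[0]}")
        seen.setdefault(fields[0], []).extend(ports)
    return seen

def classify(ports):
    """Label one resolver's source-port behaviour."""
    if len(ports) < MIN_SAMPLES:
        return "insufficient-data"
    if len(set(ports)) == 1:
        return "static"
    # Constant step (mod 2^16) between queries: high spread, still predictable.
    steps = {(b - a) % 65536 for a, b in zip(ports, ports[1:])}
    if len(steps) == 1:
        return "sequential"
    # Population standard deviation (assumption; the post does not say which).
    if statistics.pstdev(ports) < STDDEV_THRESHOLD:
        return "low-variance"
    return "ok"

def audit(text):
    return {ip: classify(ports) for ip, ports in parse(text).items()}

if __name__ == "__main__":
    for ip, verdict in audit(SAMPLE).items():
        print(f"{ip:<12} {verdict}")
```

The 192.0.2.20 row has a standard deviation well above 200 yet is still flagged, which is why the step check runs before the threshold test.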


