[nsp-sec] ACK: List of vulnerable DNS resolvers

[Andreas Lorentzen]

ACK for 15659

Sanitized reports are being sent to contacts in 43200 and 28824.

Andreas Lorentzen
NextGenTel

-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Niels Provos
Sent: Wednesday, July 23, 2008 1:12 AM
To: nsp-security at puck.nether.net
Subject: [nsp-sec] List of vulnerable DNS resolvers

----------- nsp-security Confidential --------

Hi,

as you know, the DNS flaw was leaked yesterday.   At the moment, ~70%
of all resolvers on the Internet use static or trivially predictable
source ports.   These resolvers/NAT devices need to be patched as soon
as possible.   The CERT reference for this flaw can be found at:

 http://www.kb.cert.org/vuls/id/800113

The flaw allows adversaries to inject almost arbitrary A or NS records
on vulnerable resolvers, e.g. redirect traffic/proxy traffic of
legitimate domains.

You can find a list of vulnerable resolvers and corresponding AS numbers
at:

 https://asn.cymru.com/nsp-sec/upload/1216767459.whois.txt

These IP addresses are from recursive resolvers that showed very low
standard-deviation (<200) in their source ports according to
measurements conducted by David Dagon and myself over the last 7 days.
 I released a small Python tool that you can use to test your own
resolver.   You can download it from:

  http://www.monkey.org/~provos/dnspredict.py

Instructions on how to use the tool can be found here:

 http://www.provos.org/index.php?/archives/42-DNS-and-Randomness.html

Please, let me know if you have any questions.

Thank you,
 Niels.


_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the
nsp-security
community. Confidentiality is essential for effective Internet security
counter-measures.
_______________________________________________