[nsp-sec] List of vulnerable DNS resolvers

Tom Sands tsands at rackspace.com
Wed Jul 23 09:20:59 EDT 2008 

ACK 10532, 15395, 27357, 33070

--------------------------------------------------------------------------------
Tom Sands			  				
Chief Network Engineer				
Rackspace 	    	
(210)312-4391	   	
--------------------------------------------------------------------------------

Niels Provos wrote:
> ----------- nsp-security Confidential --------
> 
> Hi,
> 
> as you know, the DNS flaw was leaked yesterday.   At the moment, ~70%
> of all resolvers on the Internet use static or trivially predictable
> source ports.   These resolvers/NAT devices need to be patched as soon
> as possible.   The CERT reference for this flaw can be found at:
> 
>  http://www.kb.cert.org/vuls/id/800113
> 
> The flaw allows adversaries to inject almost arbitrary A or NS records
> on vulnerable resolvers, e.g. redirect traffic/proxy traffic of
> legitimate domains.
> 
> You can find a list of vulnerable resolvers and corresponding AS numbers at:
> 
>  https://asn.cymru.com/nsp-sec/upload/1216767459.whois.txt
> 
> These IP addresses are from recursive resolvers that showed very low
> standard-deviation (<200) in their source ports according to
> measurements conducted by David Dagon and myself over the last 7 days.
>  I released a small Python tool that you can use to test your own
> resolver.   You can download it from:
> 
>   http://www.monkey.org/~provos/dnspredict.py
> 
> Instructions on how to use the tool can be found here:
> 
>  http://www.provos.org/index.php?/archives/42-DNS-and-Randomness.html
> 
> Please, let me know if you have any questions.
> 
> Thank you,
>  Niels.
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
> 


Confidentiality Notice: This e-mail message (including any attached or
embedded documents) is intended for the exclusive and confidential use of the
individual or entity to which this message is addressed, and unless otherwise
expressly indicated, is confidential and privileged information of Rackspace.
Any dissemination, distribution or copying of the enclosed material is prohibited.
If you receive this transmission in error, please notify us immediately by e-mail
at abuse at rackspace.com, and delete the original message.
Your cooperation is appreciated.

More information about the nsp-security mailing list