[nsp-sec] (ACK 217) List of vulnerable DNS resolvers

Brian Eckman eckman at umn.edu
Wed Jul 23 10:42:10 EDT 2008 

ACK 217.

I wasn't able to confirm one of the resolvers (128.101.101.157), as I 
(thankfully!) can't get it to answer queries from addresses outside our 
network. (I believe it is still unpatched, however - we've been complaining 
loudly about this, trust me.) The other IP address listed was found in our 
scans, and the admin has been notified.

Thanks,
Brian

Niels Provos wrote:
> ----------- nsp-security Confidential --------
> 
> Hi,
> 
> as you know, the DNS flaw was leaked yesterday.   At the moment, ~70%
> of all resolvers on the Internet use static or trivially predictable
> source ports.   These resolvers/NAT devices need to be patched as soon
> as possible.   The CERT reference for this flaw can be found at:
> 
>  http://www.kb.cert.org/vuls/id/800113
> 
> The flaw allows adversaries to inject almost arbitrary A or NS records
> on vulnerable resolvers, e.g. redirect traffic/proxy traffic of
> legitimate domains.
> 
> You can find a list of vulnerable resolvers and corresponding AS numbers at:
> 
>  https://asn.cymru.com/nsp-sec/upload/1216767459.whois.txt
> 
> These IP addresses are from recursive resolvers that showed very low
> standard-deviation (<200) in their source ports according to
> measurements conducted by David Dagon and myself over the last 7 days.
>  I released a small Python tool that you can use to test your own
> resolver.   You can download it from:
> 
>   http://www.monkey.org/~provos/dnspredict.py
> 
> Instructions on how to use the tool can be found here:
> 
>  http://www.provos.org/index.php?/archives/42-DNS-and-Randomness.html
> 
> Please, let me know if you have any questions.
> 
> Thank you,
>  Niels.
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________


-- 
Brian Eckman, Security Analyst
University of Minnesota
Office of Information Technology
Security & Assurance

More information about the nsp-security mailing list