[nsp-sec] Solutions for the DNS vul? - Suggestion

jonathan.curtis at bell.ca
Thu Jul 24 09:09:16 EDT 2008



Here are a few thoughts on protecting against this threat; some are mine, some I've stolen from Barry Greene and David Dagon.  This is in addition to patching ...

1. Two-tier server architecture for all DNS cache systems.
        -  Larger ISPs have 20+ DNS cache servers; this concept is to create a pool of 4-5 Cache Authority servers and point the 20+ caching servers to them for upstream resolution. Then place more protection and security measures on those 4-5 servers, where performance isn't going to be as much of a concern.  This also provides a good place to do DNS domain/name-server reputation and injection for phishing / botnet domains.
        - Implement NIDS/NIPS/other products in front of the Auth-Cache servers.
        - Perhaps DNSSEC if it fits...

2. Implement TLDs within your AS - a shorter path to the right answer might beat out a wrong answer ... < John K.  This might be the key to justifying it. >

Thanks,

Jonathan

AS 577

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> White, Gerard
> Sent: Thursday, July 24, 2008 8:58 AM
> To: Yonglin ZHOU; nsp-security NSP
> Subject: Re: [nsp-sec] Solutions for the DNS vul? - Suggestion
>
> ----------- nsp-security Confidential --------
>
>
> While not a _countermeasure_ one thing you can do is watch
> for increased flows of ICMP Port unreachable traffic towards
> your DNS Infrastructure.
>
> One thing I have noticed about the metasploit modules is that
> the box SHOULD generate ICMP Port Unreachable messages as the
> exploit code is executed (in response to the "replies" that
> come back from the target during the <random_12_char>.domain run)...
>
> Unless of course the miscreant is smart enough to filter that
> stuff away... which doesn't happen, sometimes...
>
> GW
>
>
> > -----Original Message-----
> > From: nsp-security-bounces at puck.nether.net
> > [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Yonglin
> > ZHOU
> > Sent: Thursday, July 24, 2008 5:55 AM
> > To: nsp-security NSP
> > Subject: [nsp-sec] Solutions for the DNS vul?
> >
> > ----------- nsp-security Confidential --------
> >
> > Besides patching the DNS servers, any other supplementary countermeasures?
> >
> > Thanks.
> >
> > --
> > -------[CNCERT/CC]-----------------------------------------------
> > Zhou, Yonglin 【周勇林】
> > CNCERT/CC, P.R.China 【National Computer Network Emergency Response Technical Team / Coordination Center of China】
> > Tel: +86 10 82990355 Fax: +86 10 82990399 Web: www.cert.org.cn
> > Fingerprint: 9AF3 E830 A350 218D BD2C 2B65 6F60 BEFB 3962 1C64
> > -----------------------------------------------[CNCERT/CC]-------
> >
> >
> > _______________________________________________
> > nsp-security mailing list
> > nsp-security at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/nsp-security
> >
> > Please do not Forward, CC, or BCC this E-mail outside of the
> > nsp-security community. Confidentiality is essential for
> > effective Internet security counter-measures.
> > _______________________________________________
>
>
>
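The ICMP Port Unreachable signal Gerard describes above can be turned into a simple detection. The following is an added example written for this archive page, not code posted by anyone in the thread; the key=value flow-record format, the resolver addresses (203.0.113.x), the 60-second window and the threshold of 20 are all assumptions, and the sample records are constructed. It counts ICMP type 3 / code 3 messages arriving at each resolver per source host and raises one alert per (source, resolver) pair the first time a burst crosses the threshold, ignoring other ICMP codes and ordinary UDP/53 traffic.

```python
"""Flag bursts of ICMP Port Unreachable (type 3, code 3) arriving at recursive
DNS servers, as a rough detector for the traffic pattern described in the thread.
Added example: the flow-record format, resolver addresses and thresholds are
assumptions, not anything stated on the list."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed addresses of the recursive resolvers being watched (constructed).
RESOLVERS = {"203.0.113.53", "203.0.113.54"}


def parse_flow(line):
    """Parse one 'k=v k=v ...' flow record into a dict; None for junk lines."""
    fields = {}
    for token in line.split():
        if "=" not in token:
            return None
        key, _, value = token.partition("=")
        fields[key] = value
    try:
        fields["ts"] = datetime.fromisoformat(fields["ts"])
    except (KeyError, ValueError):
        return None
    return fields


def is_port_unreachable_to_resolver(flow, resolvers):
    """ICMP type 3 code 3 (port unreachable) whose destination is a resolver."""
    return (flow.get("proto") == "icmp"
            and flow.get("type") == "3"
            and flow.get("code") == "3"
            and flow.get("dst") in resolvers)


def detect_bursts(lines, resolvers=RESOLVERS, window=60, threshold=20):
    """Sliding-window count of ICMP 3/3 per (src, resolver); records are assumed
    to be in time order. Returns one alert per pair the first time its count
    within `window` seconds reaches `threshold`."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if not flow or not is_port_unreachable_to_resolver(flow, resolvers):
            continue
        key = (flow["src"], flow["dst"])
        q = recent[key]
        q.append(flow["ts"])
        while (flow["ts"] - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": key[0], "resolver": key[1],
                           "count": len(q), "at": flow["ts"].isoformat()})
    return alerts


def build_sample_log():
    """Constructed records: ordinary queries, a trickle of ICMP 3/3, one ICMP 3/1
    that must not count, and one host sending 25 ICMP 3/3 to a resolver in 25 s."""
    base = datetime(2008, 7, 24, 9, 0, 0)
    lines = []
    for i in range(10):  # background UDP/53 queries
        t = base + timedelta(seconds=i * 6)
        lines.append(f"ts={t.isoformat()} src=192.0.2.{i + 1} dst=203.0.113.53 "
                     f"proto=udp sport=5{i}000 dport=53")
    for i in range(3):  # a benign trickle of port unreachables
        t = base + timedelta(seconds=i * 20)
        lines.append(f"ts={t.isoformat()} src=192.0.2.200 dst=203.0.113.54 "
                     f"proto=icmp type=3 code=3")
    t = base + timedelta(seconds=5)  # host unreachable: different code, ignored
    lines.append(f"ts={t.isoformat()} src=192.0.2.201 dst=203.0.113.53 "
                 f"proto=icmp type=3 code=1")
    for i in range(25):  # the burst from one host
        t = base + timedelta(seconds=30 + i)
        lines.append(f"ts={t.isoformat()} src=198.51.100.7 dst=203.0.113.53 "
                     f"proto=icmp type=3 code=3")
    lines.append("garbage line that is not a flow record")
    return sorted(lines, key=lambda l: l.split()[0])


if __name__ == "__main__":
    for alert in detect_bursts(build_sample_log()):
        print(alert)
```

The threshold is deliberately a per-(source, resolver) count rather than a global one: a resolver that forwards to many broken authorities sees a steady background of port unreachables from many hosts, whereas the pattern worth looking at is one host producing a lot of them in a short window. Tune the window and threshold against a baseline from your own flow data before alerting on it.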

