[nsp-sec] Solutions for the DNS vul? - Suggestion
Patrick W. Gilmore
patrick at akamai.com
Thu Jul 24 10:10:33 EDT 2008
On Jul 24, 2008, at 8:58 AM, White, Gerard wrote:
> While not a _countermeasure_ one thing you can do is watch for
> increased flows of ICMP Port unreachable traffic towards your DNS
> Infrastructure.
>
> One thing I have noticed about the metasploit modules is that the
> box SHOULD
> generate ICMP Port Unreachable messages as the exploit code is
> executed (in response
> to the "replies" that come back from the target during the
> <random_12_char>.domain
> run...
>
> Unless of course the miscreant is smart enough to filter that stuff
> away... which
> doesn't happen, sometimes...
How can a miscreant filter that? Bot sends recursive NS a query,
recursive NS rejects & sends ICMP to the real authority. The bot is
not in the recursor -> authority path, so cannot filter the ICMP.
Anyway, I think this is a very good idea. People with high-value
targets (banks, paypal/ebay, credit card sites, etc.) should start
monitoring their authorities. If they have firewalls in front of the
authorities (highly likely, given most are financial institutions),
the firewalls are probably already logging the ICMP Port Unreachable
packets. If there is a large spike, you know your bank's reputation
is under attack, and you know which recursive NS is the point of the
attack. Contact them and tell them the danger they are in.
--
TTFN,
patrick
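One way to do the monitoring this message describes, as an added example that is not from the thread: bucket inbound ICMP Port Unreachable (type 3, code 3) per source recursor per minute at the firewall in front of the authorities and flag any source whose count spikes well above a quiet baseline. The log line format, the authority addresses and the sample lines are all constructed for the example.

```python
"""Spike detection for ICMP Port Unreachable arriving at authoritative DNS.

Constructed firewall log format: "<epoch> <src_ip> -> <dst_ip> icmp type=N code=N".
"""
from collections import Counter

AUTHORITIES = {"192.0.2.53", "192.0.2.54"}  # constructed: our authoritative NS addresses


def parse_icmp_unreachable(line):
    """Return (epoch, src, dst) for an ICMP type 3 / code 3 line, else None."""
    parts = line.split()
    if len(parts) < 7 or parts[4] != "icmp":
        return None
    fields = dict(p.split("=", 1) for p in parts[5:] if "=" in p)
    if fields.get("type") != "3" or fields.get("code") != "3":
        return None
    return int(parts[0]), parts[1], parts[3]


def port_unreachable_spikes(lines, window=60, baseline=2, factor=10):
    """Count port-unreachables per (source, window) aimed at our authorities.
    Returns {src: peak_count} for sources exceeding factor * baseline in any
    window; each such source is a recursor likely under a poisoning attempt."""
    counts = Counter()
    for line in lines:
        rec = parse_icmp_unreachable(line)
        if rec and rec[2] in AUTHORITIES:
            counts[(rec[1], rec[0] // window)] += 1
    flagged = {}
    for (src, _), n in counts.items():
        if n > factor * baseline:
            flagged[src] = max(n, flagged.get(src, 0))
    return flagged


def sample_log():
    """Constructed lines: one recursor with a few stray unreachables spread over
    minutes, one recursor emitting a 25-packet burst inside a single minute."""
    t0 = 1216900020  # constructed epoch, aligned to a minute boundary
    lines = [f"{t0 + i * 300} 198.51.100.7 -> 192.0.2.53 icmp type=3 code=3" for i in range(3)]
    lines += [f"{t0 + i} 203.0.113.9 -> 192.0.2.53 icmp type=3 code=3" for i in range(25)]
    lines.append(f"{t0} 203.0.113.9 -> 192.0.2.53 icmp type=3 code=1")  # host unreachable: ignored
    lines.append(f"{t0} 203.0.113.9 -> 192.0.2.53 udp dport=53")        # ordinary query: ignored
    lines.append(f"{t0} 203.0.113.9 -> 192.0.2.99 icmp type=3 code=3")  # not an authority: ignored
    return lines


if __name__ == "__main__":
    print(port_unreachable_spikes(sample_log()))  # the burst source and its peak count
```

The flagged source address is the recursor to contact, as the message suggests; the thresholds are placeholders to be tuned against the normal trickle a given authority sees.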