[nsp-sec] Solutions for the DNS vul? - Suggestion

Barry Raveendran Greene bgreene at senki.org
Thu Jul 24 12:29:24 EDT 2008


Since it came up, I've pushed up slides here:

http://www.getit.org/Mediawiki/images/4/46/SP-Security-101-Primer-1-8-3-2-Poison-Module.ppt

It also has some 'illustrations' of how this attack vector can be
industrialized. So if you still have people who "don't get it," you can cut
and paste slides. 


> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net 
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> jonathan.curtis at bell.ca
> Sent: Thursday, July 24, 2008 6:09 AM
> To: gerard.white at aliant.ca; yonglin.zhou at gmail.com; 
> nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] Solutions for the DNS vul? - Suggestion
> 
> ----------- nsp-security Confidential --------
> 
> 
> 
> Here are a few thoughts on protecting against this threat, 
> some are mine, some I've stolen from Barry Greene and David 
> Dagon.  This is in addition to patching ...
> 
> 1. Two tier server architecture for all DNS cache systems.
>         -  Larger ISPs have 20+ DNS cache servers; this 
> concept is to create a pool of 4-5 cache-authority servers 
> and point the 20+ caching servers to them for upstream 
> resolution. Then place more protection and security measures 
> on those 4-5 servers, where performance isn't going to be as 
> much of a concern.  This also provides a good place to do 
> DNS domain/name-server reputation and injection for phishing 
> / botnet domains.
>         - Implement NIDS/NIPS/other products in front of the 
> Auth-Cache servers.
>         - Perhaps DNS-SEC if it fits...
> 
> 2. Implement TLDs within your AS -    a shorter path to the 
> right answer might beat out a wrong answer ... < John K.  
> This might be the key to justifying it. >
> 
> Thanks,
> 
> Jonathan
> 
> AS 577
> 
> > -----Original Message-----
> > From: nsp-security-bounces at puck.nether.net
> > [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of White, 
> > Gerard
> > Sent: Thursday, July 24, 2008 8:58 AM
> > To: Yonglin ZHOU; nsp-security NSP
> > Subject: Re: [nsp-sec] Solutions for the DNS vul? - Suggestion
> >
> > ----------- nsp-security Confidential --------
> >
> >
> > While not a _countermeasure_ one thing you can do is watch for 
> > increased flows of ICMP Port unreachable traffic towards your DNS 
> > Infrastructure.
> >
> > One thing I have noticed about the Metasploit modules is that the box 
> > SHOULD generate ICMP Port Unreachable messages as the exploit code is 
> > executed (in response to the "replies" that come back from the target 
> > during the <random_12_char>.domain run...
> >
> > Unless of course the miscreant is smart enough to filter that stuff 
> > away... which doesn't happen, sometimes...
> >
> > GW
> >
> >
> > > -----Original Message-----
> > > From: nsp-security-bounces at puck.nether.net
> > > [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Yonglin 
> > > ZHOU
> > > Sent: Thursday, July 24, 2008 5:55 AM
> > > To: nsp-security NSP
> > > Subject: [nsp-sec] Solutions for the DNS vul?
> > >
> > > ----------- nsp-security Confidential --------
> > >
> > > Besides patching the DNS servers, any other supplementary 
> > > countermeasures?
> > >
> > > Thanks.
> > >
> > > --
> > > -------[CNCERT/CC]-----------------------------------------------
> > > Zhou, Yonglin 【周勇林】
> > > CNCERT/CC, P.R.China 【国家计算机网络应急技术处理协调中心】
> > > Tel: +86 10 82990355 Fax: +86 10 82990399 Web: www.cert.org.cn
> > > Finger Print: 9AF3 E830 A350 218D BD2C 2B65 6F60 BEFB 3962 1C64
> > > -----------------------------------------------[CNCERT/CC]-------
> > >
> > >
> > > _______________________________________________
> > > nsp-security mailing list
> > > nsp-security at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/nsp-security
> > >
> > > Please do not Forward, CC, or BCC this E-mail outside of the 
> > > nsp-security community. Confidentiality is essential for
> > effective Internet security counter-measures.
> > > _______________________________________________
> >
> >
> >
> 
> 

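Gerard's suggestion in the thread, watching for increased ICMP Port Unreachable flows toward the DNS infrastructure, can be turned into a concrete detection check. The following is an added example written for this archive page; it is not code from any of the posters or from their organizations. It assumes flow export (NetFlow/IPFIX style) has already been reduced to one whitespace-separated line per record (epoch seconds, source, destination, protocol, ICMP type, ICMP code, packet count); the resolver addresses in 192.0.2.0/24, the sample flow lines, and the spike thresholds are all constructed placeholders to be replaced with real values.

```python
"""Spike detection for ICMP Port Unreachable traffic toward DNS servers.

Added example, not code from the thread's authors. Record layout, resolver
addresses, sample data and thresholds are assumptions (see comments).
"""
from collections import defaultdict
import ipaddress

# Assumed addresses of the resolver / cache-authority tier (constructed).
DNS_INFRA = {ipaddress.ip_address(a) for a in ("192.0.2.53", "192.0.2.54")}

# ICMP type 3, code 3 = Destination Unreachable / Port Unreachable (RFC 792).
ICMP_PORT_UNREACH = (3, 3)

# Constructed flow records: ts src dst proto icmp_type icmp_code packets.
# Three quiet 60 s windows, then one window with a single host sending
# hundreds of Port Unreachable packets at a resolver; last line is junk.
SAMPLE_FLOWS = """\
1216900020 203.0.113.10 192.0.2.53 icmp 3 3 2
1216900050 203.0.113.11 192.0.2.53 icmp 3 3 1
1216900080 203.0.113.12 192.0.2.54 icmp 3 3 3
1216900100 203.0.113.10 192.0.2.53 icmp 3 3 2
1216900140 203.0.113.13 192.0.2.53 icmp 3 3 1
1216900150 203.0.113.14 192.0.2.53 udp 0 0 40
1216900200 198.51.100.7 192.0.2.53 icmp 3 3 850
1216900205 198.51.100.7 192.0.2.53 icmp 3 3 910
1216900210 198.51.100.7 192.0.2.53 icmp 3 1 5
1216900215 203.0.113.10 192.0.2.53 icmp 3 3 2
garbage line
""".splitlines()


def parse_flow(line):
    """Parse one flow line into a dict; return None for malformed input."""
    parts = line.split()
    if len(parts) != 7:
        return None
    try:
        return {
            "ts": int(parts[0]),
            "src": ipaddress.ip_address(parts[1]),
            "dst": ipaddress.ip_address(parts[2]),
            "proto": parts[3].lower(),
            "icmp": (int(parts[4]), int(parts[5])),
            "packets": int(parts[6]),
        }
    except ValueError:
        return None


def _port_unreach_to_dns(rec):
    """True for ICMP Port Unreachable records aimed at our DNS servers."""
    return (rec is not None and rec["proto"] == "icmp"
            and rec["icmp"] == ICMP_PORT_UNREACH and rec["dst"] in DNS_INFRA)


def bucket_port_unreachable(lines, window=60):
    """Sum Port Unreachable packets per DNS server per time window.
    Returns {window_start: {dst_ip: packets}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_flow(line)
        if not _port_unreach_to_dns(rec):
            continue
        start = rec["ts"] - rec["ts"] % window
        counts[start][str(rec["dst"])] += rec["packets"]
    return {k: dict(v) for k, v in counts.items()}


def find_spikes(buckets, min_packets=100, factor=5.0):
    """Flag windows where the count toward one server exceeds both an
    absolute floor and `factor` x the mean of earlier, unflagged windows.
    Flagged windows are kept out of the baseline so a sustained event keeps
    alerting. Both thresholds are assumptions to tune per network."""
    spikes, history = [], defaultdict(list)
    for start in sorted(buckets):
        for dst, pkts in sorted(buckets[start].items()):
            prior = history[dst]
            baseline = sum(prior) / len(prior) if prior else 0.0
            if pkts >= max(min_packets, factor * baseline):
                spikes.append({"window": start, "dst": dst,
                               "packets": pkts, "baseline": baseline})
            else:
                prior.append(pkts)
    return spikes


def top_sources(lines, window_start, window=60, n=3):
    """Rank source addresses behind one flagged window, for triage."""
    per_src = defaultdict(int)
    for line in lines:
        rec = parse_flow(line)
        if not _port_unreach_to_dns(rec):
            continue
        if rec["ts"] - rec["ts"] % window == window_start:
            per_src[str(rec["src"])] += rec["packets"]
    return sorted(per_src.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    for s in find_spikes(bucket_port_unreachable(SAMPLE_FLOWS)):
        print("spike", s, "sources:", top_sources(SAMPLE_FLOWS, s["window"]))
```

Only ICMP type 3 / code 3 is counted; other unreachable codes and the UDP record are ignored, and a malformed line is dropped rather than aborting the run. The baseline-versus-window comparison is what makes this usable as a monitor rather than a static rate limit, since normal Port Unreachable volume toward a busy resolver is rarely zero.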