Peter Rathlev wrote:
> On Mon, 2009-10-12 at 09:19 -0700, Joel M Snyder wrote:
>> You may remember last year's "the Internet is falling and only Dan
>> Kaminsky can explain it" flap around DNS. Well, a lot of the
>> discussion around this bug/problem/issue ignored the truth that a good
>> firewall prevented the attack directly, by knowing enough 'deep packet
>> smarts' around the DNS protocol that the attack scenario was
>> effectively blocked (hey, that's why we have a session table in the
>> first place!).
>
> The "Kaminsky attack" only makes sense towards recursive resolvers, and
> I think most posters here are thinking about authoritative Internet
> facing nameservers. Who runs a recursive nameserver open towards the
> Internet nowadays?

Well, if "nowadays" is "the day before the Kaminsky press..." then I'd say "all kinds of people." Including prominent NANOG contributors. I suspect most of those folks have cleaned up their acts since then, but I have learned never to be surprised at the level of security as actually deployed.

And I don't even have a seat-of-the-pants number to throw out, but I'd bet that you'd be surprised if you did a little survey at how many recursive resolvers are reachable from the general purpose Internet.


> Even so: The nameservers make outbound requests and for those it sort of
> does make sense to have stateful inspection. Except AFAIK the Kaminsky
> attack works with spoofed answers, i.e. spoofing both source IP and
> ports and query ID. How would a firewall (including DPI) catch this? By
> randomizing source ports or query IDs like TCP sequence number
> randomization? I'm not sure I agree that's a good idea. By denying all
> but one answers? Perfect way to DoS yourself.

I don't see that as a DoS issue. Let's say that the firewall has an idea that a DNS query should have only one answer (which would be correct). If you start to get multiple answers for each query, then wouldn't that be something you'd want to know about? We're not talking about port scanning here; we're talking about clearly broken behavior--either a broken DNS server which is multi-replying to queries or some third party trying to inject bad juju.

Yes, it turns out that almost anything the security people put in place can be used by a malicious attacker to create a DoS. For example, if I know you have a <deleted> brand firewall, I can send medium-size ZIP files, better double-ZIPped (more is suspicious), through the firewall with email and watch those little files have an impact equal to 10x their normal bandwidth.

Even if you have NO security hardware in place, by knowing your routing infrastructure and desire to patch, I can cause DoS attacks with crafty choice of traffic designed to either cause disproportionate load or, even better, a nice reload every once in a while.

Yes, I'll acknowledge that the security hardware is MUCH more susceptible to this kind of attack. I was in the lab a few months ago with a massive IPS from <deleted> and accidentally chose the "wrong" port to send throughput test traffic on, and watched that box go from 40Gbps to about 2Gbps.

Now, maybe this is NANOG and ISPs operate in a 'we're just a utility company; you buy your own water softener or surge suppressor' mindset. But a lot of the thinking that goes into engineering large ISP networks is applicable to large enterprise networks, and vice versa. I see organizations in the carrier business who a few years ago would never dream of anything but the lightest of ACLs across their infrastructure now investing in big firewalls and other tools to provide security.

jms

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One       Phone: +1 520 324 0494
[email protected]                http://www.opus1.com/jms
_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
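The "one answer per query" session-table check that the thread argues about, as an added example that is not part of the original message or of any vendor's firewall code. It models a stateful DNS inspector: an outbound query is tracked by (resolver IP, source port, server IP, transaction ID, qname); the first matching reply is accepted; a reply with no matching entry (wrong port or guessed transaction ID) is dropped as unsolicited; and a second reply for an already-answered query is dropped and alerted on, since that is the "clearly broken" condition described above. All addresses, ports, transaction IDs and names are constructed for the demo, and the key deliberately ignores DNS details (question class/type, the 0x20 bit, TTLs) that a real implementation would also compare.

```python
"""Toy stateful DNS session table (added example, constructed traffic only).

Illustrates why a firewall that expects exactly one answer per outbound
query still observes a Kaminsky-style spoof even when the spoof wins the
race: the genuine reply then arrives as a second answer for the same key.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DnsMsg:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    txid: int
    qname: str
    is_response: bool
    answer: str = ""  # rdata carried by a response; unused for queries


@dataclass
class SessionTable:
    pending: dict = field(default_factory=dict)   # key -> outstanding query
    answered: dict = field(default_factory=dict)  # key -> accepted reply
    alerts: list = field(default_factory=list)    # (key, answer) anomalies

    @staticmethod
    def _key(m: DnsMsg):
        # Normalise both directions to (resolver_ip, resolver_port,
        # server_ip, txid, qname) so a reply is matched to its query.
        if m.is_response:
            return (m.dst_ip, m.dst_port, m.src_ip, m.txid, m.qname)
        return (m.src_ip, m.src_port, m.dst_ip, m.txid, m.qname)

    def handle(self, m: DnsMsg) -> str:
        key = self._key(m)
        if not m.is_response:
            self.pending[key] = m
            return "query-tracked"
        if key in self.pending:
            # First reply for an outstanding query: the firewall cannot
            # tell a lucky spoof from the real thing at this point.
            self.answered[key] = self.pending.pop(key)
            return "response-accepted"
        if key in self.answered:
            # Second reply for the same query: either a broken server
            # or someone injecting. Drop it and raise an alert.
            self.alerts.append((key, m.answer))
            return "duplicate-answer-dropped"
        # No matching query at all: wrong source port or transaction ID.
        self.alerts.append((key, m.answer))
        return "unsolicited-dropped"


def run_demo():
    """Constructed scenario: fixed source port, attacker guesses txids."""
    table = SessionTable()
    resolver, server, name = "192.0.2.10", "198.51.100.53", "www.example.test"
    outcomes = [table.handle(DnsMsg(resolver, 33001, server, 53, 0x1234, name, False))]

    # Attacker knows the port, sprays guessed transaction IDs (two misses).
    for guess in (0x1000, 0x1001):
        outcomes.append(table.handle(
            DnsMsg(server, 53, resolver, 33001, guess, name, True, "203.0.113.66")))

    # One guess hits before the genuine reply arrives and is accepted.
    outcomes.append(table.handle(
        DnsMsg(server, 53, resolver, 33001, 0x1234, name, True, "203.0.113.66")))

    # The genuine reply now shows up as a duplicate answer and is flagged.
    outcomes.append(table.handle(
        DnsMsg(server, 53, resolver, 33001, 0x1234, name, True, "198.51.100.80")))

    return outcomes, table.alerts


if __name__ == "__main__":
    for line in run_demo()[0]:
        print(line)
```

The point the demo makes is that the duplicate-answer rule is a detection, not a prevention: in the scenario above the spoofed record was accepted, and the alert fires only because the real server's reply arrived afterwards. Source-port and transaction-ID randomisation shrink the attacker's hit rate; the session-table check tells you the spray happened.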