At 06:54 AM 7/9/2008, Oliver Fromme wrote:
> Andrew Storms wrote:
>  > http://www.isc.org/index.pl?/sw/bind/bind-security.php
> 
> I'm just wondering ...
> 
> ISC's patches cause source ports to be randomized, thus
> making it more difficult to spoof response packets.
> 
> But doesn't FreeBSD already randomize source ports by
> default?  So, do FreeBSD systems need to be patched
> at all?

It doesn't seem to do a very good job of it with BIND for some reason... Perhaps because it picks a port and reuses it?

  Doing the following

% cat s
host 1iatest.yahoo.com
host 1iatest2.yahoo.co.uk
host 1iatest3.yahoo.com
host 1iatest4.yahoo.com
host 1iatest4.yahoo.com

shows the same source port being used

08:05:44.269507 IP 64.7.134.1.51761 > 203.84.197.239.53: 814% [1au] A? 1iatest.yahoo.com. (46)
08:05:44.595674 IP 203.84.197.239.53 > 64.7.134.1.51761: 814 NXDomain*- 0/1/1 (107)
08:05:44.596251 IP 64.7.134.1.51761 > 199.212.134.1.53: 38272% [1au] A? 1iatest.yahoo.com.sentex.ca. (56)
08:05:44.649672 IP 199.212.134.1.53 > 64.7.134.1.51761: 38272 NXDomain* 0/1/1 (116)
08:05:44.654444 IP 64.7.134.1.51761 > 68.142.196.63.53: 20277% [1au] A? 1iatest2.yahoo.co.uk. (49)
08:05:44.743687 IP 68.142.196.63.53 > 64.7.134.1.51761: 20277*- 1/13/1 CNAME[|domain]
08:05:44.749325 IP 64.7.134.1.51761 > 68.142.255.16.53: 32407% [1au] A? 1iatest3.yahoo.com. (47)
08:05:44.825666 IP 68.142.255.16.53 > 64.7.134.1.51761: 32407 NXDomain*- 0/1/1 (108)
08:05:44.826291 IP 64.7.134.1.51761 > 199.212.134.2.53: 59918% [1au] A? 1iatest3.yahoo.com.sentex.ca. (57)
08:05:44.881667 IP 199.212.134.2.53 > 64.7.134.1.51761: 59918 NXDomain* 0/1/1 (117)
08:05:44.886352 IP 64.7.134.1.51761 > 217.12.4.104.53: 56112% [1au] A? 1iatest4.yahoo.com. (47)
08:05:45.021655 IP 217.12.4.104.53 > 64.7.134.1.51761: 56112 NXDomain*- 0/1/1 (108)
08:05:45.022213 IP 64.7.134.1.51761 > 64.7.153.49.53: 14304% [1au] A? 1iatest4.yahoo.com.sentex.ca. (57)
08:05:45.075656 IP 64.7.153.49.53 > 64.7.134.1.51761: 14304 NXDomain* 0/1/1 (117)

and a few minutes later, with new requests,

# tcpdump -ni tun0 port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type NULL (BSD loopback), capture size 96 bytes
08:08:00.273502 IP 64.7.134.1.51761 > 68.142.255.16.53: 37470% [1au] A? 21iatest.yahoo.com. (47)
08:08:00.350026 IP 68.142.255.16.53 > 64.7.134.1.51761: 37470 NXDomain*- 0/1/1 (108)
08:08:00.350565 IP 64.7.134.1.51761 > 199.212.134.1.53: 31976% [1au] A? 21iatest.yahoo.com.sentex.ca. (57)
08:08:00.406013 IP 199.212.134.1.53 > 64.7.134.1.51761: 31976 NXDomain* 0/1/1 (117)
08:08:00.410993 IP 64.7.134.1.51761 > 68.142.196.63.53: 2704% [1au] A? 21iatest2.yahoo.co.uk. (50)
08:08:00.500032 IP 68.142.196.63.53 > 64.7.134.1.51761: 2704*- 1/13/1 CNAME[|domain]
08:08:00.505356 IP 64.7.134.1.51761 > 68.142.255.16.53: 33992% [1au] A? 21iatest3.yahoo.com. (48)
08:08:00.582006 IP 68.142.255.16.53 > 64.7.134.1.51761: 33992 NXDomain*- 0/1/1 (109)
08:08:00.582565 IP 64.7.134.1.51761 > 199.212.134.2.53: 18776% [1au] A? 21iatest3.yahoo.com.sentex.ca. (58)
08:08:00.638004 IP 199.212.134.2.53 > 64.7.134.1.51761: 18776 NXDomain* 0/1/1 (118)
08:08:00.642684 IP 64.7.134.1.51761 > 68.142.255.16.53: 54964% [1au] A? 21iatest4.yahoo.com. (48)
08:08:00.720000 IP 68.142.255.16.53 > 64.7.134.1.51761: 54964 NXDomain*- 0/1/1 (109)
08:08:00.720529 IP 64.7.134.1.51761 > 64.7.153.49.53: 11657% [1au] A? 21iatest4.yahoo.com.sentex.ca. (58)
08:08:00.773998 IP 64.7.153.49.53 > 64.7.134.1.51761: 11657 NXDomain* 0/1/1 (118)


# sysctl -a net.inet.ip.portrange
net.inet.ip.portrange.randomtime: 45
net.inet.ip.portrange.randomcps: 10
net.inet.ip.portrange.randomized: 1
net.inet.ip.portrange.reservedlow: 0
net.inet.ip.portrange.reservedhigh: 1023
net.inet.ip.portrange.hilast: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.first: 49152
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.lowfirst: 1023


        ---Mike


> Best regards
>    Oliver
> 
> PS:
> $ sysctl net.inet.ip.portrange.randomized
> net.inet.ip.portrange.randomized: 1
> $ sysctl -d net.inet.ip.portrange.randomized
> net.inet.ip.portrange.randomized: Enable random port allocation
> 
> --
> Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
> Commercial register: Registry court Munich, HRA 74606, Management:
> secnetix Verwaltungsgesellsch. mbH, commercial register: Registry court Munich,
> HRB 125758, managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart
> 
> FreeBSD services, products and more:  http://www.secnetix.de/bsd
> 
> It's trivial to make fun of Microsoft products,
> but it takes a real man to make them work,
> and a God to make them do anything useful.
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
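The check Mike did by eye above (same source port 51761 on every outbound query, a fresh transaction ID each time) can be automated. The script below is an added example, not code from this thread or from BIND or FreeBSD: it parses tcpdump one-line DNS summaries and reports, per querying address, how many outbound queries to port 53 used how many distinct source ports and transaction IDs. The first sample is four query/response pairs copied verbatim from the trace in the post; the second is a constructed trace (documentation-range addresses, made-up ports and IDs) of a resolver that does vary its source port, for contrast. The regexes, function names and verdict strings are assumptions of this example.

```python
import re
from collections import defaultdict

# tcpdump one-line summary prefix for a UDP/IP packet:
#   <time> IP <src>.<sport> > <dst>.<dport>: <txid>...
# (regex is this example's own, not a tcpdump-provided format)
PKT_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"(?P<txid>\d+)"
)
QNAME_RE = re.compile(r"\bA\? (?P<qname>\S+)")


def parse_queries(lines):
    """Yield (src_ip, src_port, txid, qname) for each outbound query to port 53."""
    for line in lines:
        m = PKT_RE.match(line.strip())
        if not m or m.group("dport") != "53":
            continue  # replies, non-DNS traffic and tcpdump banner lines are skipped
        q = QNAME_RE.search(line)
        yield (m.group("src"), int(m.group("sport")), int(m.group("txid")),
               q.group("qname") if q else None)


def port_report(lines):
    """Per querying source IP: query count, distinct source ports, distinct txids."""
    ports = defaultdict(set)
    txids = defaultdict(set)
    count = defaultdict(int)
    for src, sport, txid, _ in parse_queries(lines):
        count[src] += 1
        ports[src].add(sport)
        txids[src].add(txid)
    return {src: {"queries": count[src],
                  "distinct_ports": len(ports[src]),
                  "distinct_txids": len(txids[src])} for src in count}


def verdict(stats):
    """Classify a resolver's outbound behaviour from its port_report entry."""
    if stats["queries"] < 2:
        return "too few queries"
    if stats["distinct_ports"] == 1:
        # Only the 16-bit transaction ID is left to protect each lookup.
        return "source port reused"
    return "source port varies"


# Sample 1: the first four query/response pairs of the trace from the post (verbatim).
TRACE_FROM_POST = """\
08:05:44.269507 IP 64.7.134.1.51761 > 203.84.197.239.53: 814% [1au] A? 1iatest.yahoo.com. (46)
08:05:44.595674 IP 203.84.197.239.53 > 64.7.134.1.51761: 814 NXDomain*- 0/1/1 (107)
08:05:44.596251 IP 64.7.134.1.51761 > 199.212.134.1.53: 38272% [1au] A? 1iatest.yahoo.com.sentex.ca. (56)
08:05:44.649672 IP 199.212.134.1.53 > 64.7.134.1.51761: 38272 NXDomain* 0/1/1 (116)
08:05:44.654444 IP 64.7.134.1.51761 > 68.142.196.63.53: 20277% [1au] A? 1iatest2.yahoo.co.uk. (49)
08:05:44.743687 IP 68.142.196.63.53 > 64.7.134.1.51761: 20277*- 1/13/1 CNAME[|domain]
08:05:44.749325 IP 64.7.134.1.51761 > 68.142.255.16.53: 32407% [1au] A? 1iatest3.yahoo.com. (47)
08:05:44.825666 IP 68.142.255.16.53 > 64.7.134.1.51761: 32407 NXDomain*- 0/1/1 (108)
""".splitlines()

# Sample 2: constructed lines (not from the post) for a resolver that picks a fresh
# source port per query; addresses are documentation ranges, ports/txids are made up.
TRACE_CONSTRUCTED = """\
08:10:00.100000 IP 192.0.2.10.50211 > 198.51.100.1.53: 4431% [1au] A? example1.test. (31)
08:10:00.150000 IP 198.51.100.1.53 > 192.0.2.10.50211: 4431 NXDomain*- 0/1/1 (92)
08:10:00.200000 IP 192.0.2.10.61877 > 198.51.100.1.53: 60912% [1au] A? example2.test. (31)
08:10:00.250000 IP 198.51.100.1.53 > 192.0.2.10.61877: 60912 NXDomain*- 0/1/1 (92)
08:10:00.300000 IP 192.0.2.10.55034 > 198.51.100.2.53: 17755% [1au] A? example3.test. (31)
08:10:00.350000 IP 198.51.100.2.53 > 192.0.2.10.55034: 17755 NXDomain*- 0/1/1 (92)
""".splitlines()

if __name__ == "__main__":
    for name, trace in (("trace from post", TRACE_FROM_POST),
                        ("constructed trace", TRACE_CONSTRUCTED)):
        for src, stats in port_report(trace).items():
            print(f"{name}: {src} {stats} -> {verdict(stats)}")
```

Running it against a live capture (`tcpdump -ni tun0 -l port 53 | python3 thisfile.py` would need a small stdin loop, which is left out here) gives the same signal as the manual reading: the kernel's `net.inet.ip.portrange.randomized` only influences which ephemeral port a socket gets when it is bound, so a resolver that keeps one UDP socket open and sends every query through it shows a single source port for as long as that socket lives, regardless of the sysctl. That is consistent with the port 51761 persisting across the two captures three minutes apart.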