Re: new DNS forwarder vulnerability
On Fri, Mar 14, 2014 at 5:06 PM, Wayne E Bouchard w...@typo.org wrote:
> Have we ascertained if there is a typical configuration adjustment that can be made to reduce or eliminate the likelihood of impact?

I think your best tactic is: provide specified DNS resolver cache servers. Don't use CPEs for DNS forwarders.

The trouble is a CPE's management/locally-bound IP address is in many cases... often the same IP address that is a NAT address shared with user traffic; instead of a dedicated separate IP address that traffic can be managed and security controlled.

Providing you ensure that the CPE's IP bound address is not overloaded or shared with user traffic, you might try firewalling destination port 53 to the CPE, except from the proper upstream DNS resolvers, since nothing else should be replying to a DNS request made by the CPE.

Look into whether the CPE can use a different, lesser-used UDP port than 53 to forward DNS requests to; use device firewall rules or upstream ACLs to limit which source IP addresses can talk to the service on the CPE's IP.

To ascertain effectiveness for a specific CPE, you would need to run a sample exploit with a before and after test. (From the description it sounds as though this is not possible but it doesn't hurt to ask.)

--
-JH
Re: Verizon FIOS issues in the Washington DC issue with HTTPS traffic?
On Fri, Mar 14, 2014 at 4:28 PM, Ulf Zimmermann u...@alameda.net wrote:
> We have a number of customers in the DC area on Verizon Fios who can talk to us using http, but not https. Linkedin also tweeted there are issues via Verizon Fios. Verizon support so far denies everything. Anyone else seeing issues?

I had major issues with FIOS in the DC area yesterday which cleared after power-cycling the ONT. It wasn't protocol-specific though; all suffered major packet loss. No idea if it's related to your issue but it was proximate in time and location.

Regards,
Bill Herrin

--
William D. Herrin            her...@dirtside.com  b...@herrin.us
3005 Crane Dr. ..            Web: http://bill.herrin.us/
Falls Church, VA 22042-3004
Re: new DNS forwarder vulnerability
Why would a CPE have an open DNS resolver from the WAN side?

Gary Baribault

On 03/14/2014 12:45 PM, Livingood, Jason wrote:
> Well, at least all this CPE checks in for security updates every night so this should be fixable. Oh wait, no, nevermind, they don't. :-(
>
> This is getting to be the vulnerability of the week club for home gateway devices - quite concerning.
>
> JL
>
> On 3/14/14, 12:05 PM, Merike Kaeo mer...@doubleshotsecurity.com wrote:
>> On Mar 14, 2014, at 7:06 AM, Stephane Bortzmeyer bortzme...@nic.fr wrote:
>>> On Fri, Mar 14, 2014 at 01:59:27PM +, Nick Hilliard n...@foobar.org wrote a message of 10 lines which said:
>>>> did you characterise what dns servers / embedded kit were vulnerable?
>>>
>>> He said "We have not been able to nail this vulnerability down to a single box or manufacturer" so it seems the answer is No.
>>
>> It is my understanding that many CPEs work off of the same reference implementation(s). I haven't had any cycles for this but with all the CPE issues out there it would be interesting to have a matrix of which CPEs utilize which reference implementation. That may start giving some clues.
>>
>> Has someone / is someone doing this?
>>
>> - merike
Re: new DNS forwarder vulnerability
> Why would a CPE have an open DNS resolver from the WAN side?

Honest to god, are you new to computers or something?

People have been writing "just good enough" code since the beginning. A resolver package binds to *:53 by default. Some poor firmware guys with no security experience, deadlines, and too few bytes for code storage don't notice or don't know or don't care and install the resolver feature on the firmware that they're designing, then promptly never think about it again because that feature works and is therefore done.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
Re: US to relinquish control of Internet
* John R. Levine:

> Let's hope you're right, but I note that the ITU isn't an inter-governmental organization,

It was able to obtain a delegation for ITU.INT, so it's inter-governmental enough in DNS terms.
Re: new DNS forwarder vulnerability
Good question, but the reality is that a lot of them are this way. They just forward everything from any source. Maybe it was designed that way to support DDoS as a use case.

Imagine a simple iptables rule like:

    -p udp --dport 53 -j DNAT --to 4.2.2.4

I think some forwarders work this way - the LAN addresses can be reconfigured and so it's probably easier if the rule doesn't check the source address.. or maybe it was designed to work this way on purpose, because it's easy to explain as a 'bug' or oversight, rather than deliberate action. Of course, it's crazy to think that some person or organization deliberately did this so they would have a practically unlimited amount of DoS sources.

-Laszlo

On Mar 15, 2014, at 4:26 PM, Gary Baribault g...@baribault.net wrote:
> Why would a CPE have an open DNS resolver from the WAN side?
>
> Gary Baribault
>
> On 03/14/2014 12:45 PM, Livingood, Jason wrote:
>> Well, at least all this CPE checks in for security updates every night so this should be fixable. Oh wait, no, nevermind, they don't. :-(
>>
>> This is getting to be the vulnerability of the week club for home gateway devices - quite concerning.
>>
>> JL
>>
>> On 3/14/14, 12:05 PM, Merike Kaeo mer...@doubleshotsecurity.com wrote:
>>> On Mar 14, 2014, at 7:06 AM, Stephane Bortzmeyer bortzme...@nic.fr wrote:
>>>> On Fri, Mar 14, 2014 at 01:59:27PM +, Nick Hilliard n...@foobar.org wrote a message of 10 lines which said:
>>>>> did you characterise what dns servers / embedded kit were vulnerable?
>>>>
>>>> He said "We have not been able to nail this vulnerability down to a single box or manufacturer" so it seems the answer is No.
>>>
>>> It is my understanding that many CPEs work off of the same reference implementation(s). I haven't had any cycles for this but with all the CPE issues out there it would be interesting to have a matrix of which CPEs utilize which reference implementation. That may start giving some clues.
>>>
>>> Has someone / is someone doing this?
>>>
>>> - merike
Re: new DNS forwarder vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

That's a good question, but I know that during the ongoing survey within the Open Resolver Project [http://openresolverproject.org/], Jared found thousands of CPE devices which responded as resolvers.

Further work needs to go into fingerprinting these devices to determine the vendor, version, etc., but it is disturbing to see such brokenness. :-/

- - ferg

On 3/15/2014 9:26 AM, Gary Baribault wrote:
> Why would a CPE have an open DNS resolver from the WAN side?
>
> Gary Baribault
>
> On 03/14/2014 12:45 PM, Livingood, Jason wrote:
>> Well, at least all this CPE checks in for security updates every night so this should be fixable. Oh wait, no, nevermind, they don't. :-(
>>
>> This is getting to be the vulnerability of the week club for home gateway devices - quite concerning.
>>
>> JL
>>
>> On 3/14/14, 12:05 PM, Merike Kaeo mer...@doubleshotsecurity.com wrote:
>>> On Mar 14, 2014, at 7:06 AM, Stephane Bortzmeyer bortzme...@nic.fr wrote:
>>>> On Fri, Mar 14, 2014 at 01:59:27PM +, Nick Hilliard n...@foobar.org wrote a message of 10 lines which said:
>>>>> did you characterise what dns servers / embedded kit were vulnerable?
>>>>
>>>> He said "We have not been able to nail this vulnerability down to a single box or manufacturer" so it seems the answer is No.
>>>
>>> It is my understanding that many CPEs work off of the same reference implementation(s). I haven't had any cycles for this but with all the CPE issues out there it would be interesting to have a matrix of which CPEs utilize which reference implementation. That may start giving some clues.
>>>
>>> Has someone / is someone doing this?
>>>
>>> - merike

- -- 
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iF4EAREIAAYFAlMkgYQACgkQKJasdVTchbLR1AD9Ey+ISQtaVoJKReLZ6ZzHI7/4
91h+HIQgvazMAne+NMsA/3CCQVw9KG1U6oZdouKexi8ycVw1Y4d4poH+7Yfh4zEh
=bFpE
-----END PGP SIGNATURE-----
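The "before and after test" suggested earlier in this thread, and the kind of single-query probe the Open Resolver Project survey Paul mentions runs at scale, come down to one thing: ask the CPE's WAN address a recursive question and see whether it answers with recursion available. The script below is an added example, not code from any post in this thread or from the Open Resolver Project. It builds one RD=1 A query on the wire, sends it, and parses the reply header into a verdict; pointed at your own gateway's WAN address from outside the LAN, "open-forwarder" before the port-53 firewall/ACL change and "no-answer" or "refused" after it is the result you want. The function names, the verdict strings, the choice of example.com as the probe name, and the two constructed sample replies used for the offline demo are all assumptions of this example.

```python
"""Self-check for an open DNS forwarder on a CPE's WAN address.

Added example, not from the thread. Builds a single recursive (RD=1) A
query, sends it to one address, and reports whether the reply came back
with the RA (recursion available) bit set and NOERROR, which is what an
open forwarder looks like from the outside.
"""
import secrets
import socket
import struct
import sys

# DNS header flag bits (RFC 1035 section 4.1.1)
QR = 0x8000           # message is a response
RD = 0x0100           # recursion desired
RA = 0x0080           # recursion available
RCODE_MASK = 0x000F
RCODE_REFUSED = 5


def encode_name(qname):
    """Encode a name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length in %r" % qname)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, txid, rd=True):
    """One question, type A, class IN; RD set unless asked otherwise."""
    flags = RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def parse_response(data, expected_txid):
    """Return the header fields a forwarder check cares about."""
    if len(data) < 12:
        raise ValueError("DNS message shorter than a header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        # Unsolicited or mismatched reply: not evidence either way.
        raise ValueError("transaction id mismatch")
    return {
        "is_response": bool(flags & QR),
        "recursion_available": bool(flags & RA),
        "rcode": flags & RCODE_MASK,
        "answer_count": an,
    }


def classify(parsed):
    """Map parsed header fields to a one-word verdict (names assumed)."""
    if not parsed["is_response"]:
        return "not-a-response"
    if parsed["rcode"] == RCODE_REFUSED:
        return "refused"
    if parsed["recursion_available"] and parsed["rcode"] == 0:
        return "open-forwarder"
    return "answered-without-recursion"


def probe(address, qname="example.com", port=53, timeout=2.0):
    """Send one query and classify the reply; 'no-answer' on timeout."""
    txid = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname, txid), (address, port))
        try:
            data, _peer = sock.recvfrom(512)
        except socket.timeout:
            return "no-answer"
    return classify(parse_response(data, txid))


# Constructed sample replies for the offline demo (txid 0x1234 in both).
_QUESTION = encode_name("example.com") + struct.pack("!HH", 1, 1)
# QR|RD|RA, NOERROR, one answer: A 192.0.2.1 (TEST-NET-1), TTL 300.
SAMPLE_OPEN_REPLY = (
    struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0)
    + _QUESTION
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)
# QR|RD, RCODE=REFUSED, no answers: what a locked-down forwarder returns.
SAMPLE_REFUSED_REPLY = (
    struct.pack("!HHHHHH", 0x1234, QR | RD | RCODE_REFUSED, 1, 0, 0, 0)
    + _QUESTION
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python3 forwarder_check.py 203.0.113.7  (your own WAN address)
        print(sys.argv[1], probe(sys.argv[1]))
    else:
        for name, reply in (("open", SAMPLE_OPEN_REPLY),
                            ("refused", SAMPLE_REFUSED_REPLY)):
            print(name, classify(parse_response(reply, 0x1234)))
```

The check keys on the RA bit rather than on whether an answer section is present, because a forwarder that relays to an upstream cache typically copies the upstream's RA flag, and that is exactly the behaviour the LAN-only restriction is meant to hide from the WAN side; a reply with RA clear, or REFUSED, means the device answered but is not offering recursion to that source.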
Re: US to relinquish control of Internet
>> Let's hope you're right, but I note that the ITU isn't an inter-governmental organization,
>
> It was able to obtain a delegation for ITU.INT, so it's inter-governmental enough in DNS terms.

Yes, it was delegated a month before TPC.INT was. Could you clarify the point you're making?

R's,
John
Re: US to relinquish control of Internet
(As if the US has control anyway)

>> It's all over the popular press, strange I haven't seen it here.
>>
>> http://thehill.com/blogs/hillicon-valley/technology/200889-us-to-relinquish-internet-control
>> http://www.ntia.doc.gov/press-release/2014/ntia-announces-intent-transition-key-internet-domain-name-functions
>> http://www.icann.org/en/news/announcements/announcement-2-14mar14-en.htm
>> http://www.icann.org/en/news/announcements/announcement-14mar14-en.htm
>>
>> Etc., etc.
>
> It's nice of the DoC to relinquish control, but I really don't see it changing much other than quieting down some hype from countries that were saying they were pissed at the US for controlling the Internet. And I couldn't really see those countries doing anything about it unless the US did something actually bad, which they wouldn't do IMHO.
>
> Was I being a pollyanna? Yep, way too optimistic. The world always wants the success of capitalism as long as they don't have to create the climate for it, they just want it handed to them. Once they have it they turn it back toward socialism and proceed to F%^$ it up. Gee, sounds like the direction our system's been trying to go in for the last 6 years.
>
> Bob Evans

--
TTFN,
patrick
Re: US to relinquish control of Internet
On 3/15/2014 7:39 AM, Bob Evans wrote:
> It's nice of the DoC to relinquish control, but I really don't see it changing much other than quieting down some hype from countries that were saying they were pissed at the US for controlling the Internet. And I couldn't really see those countries doing anything about it unless the US did something actually bad, which they wouldn't do IMHO.
>
> Was I being a pollyanna? Yep, way too optimistic. The world always wants the success of capitalism as long as they don't have to create the climate for it, they just want it handed to them. Once they have it they turn it back toward socialism and proceed to F%^$ it up. Gee, sounds like the direction our system's been trying to go in for the last 6 years.

Or 101 years.

--
Requiescas in pace o email           Two identifying characteristics
                                        of System Administrators:
Ex turpi causa non oritur actio         Infallibility, and the ability to
                                        learn from their mistakes.
                                          (Adapted from Stephen Pinker)
Re: US to relinquish control of Internet
Bob Evans wrote:
>> (As if the US has control anyway)
>>
>> It's all over the popular press, strange I haven't seen it here.
>>
>> http://thehill.com/blogs/hillicon-valley/technology/200889-us-to-relinquish-internet-control
>> http://www.ntia.doc.gov/press-release/2014/ntia-announces-intent-transition-key-internet-domain-name-functions
>> http://www.icann.org/en/news/announcements/announcement-2-14mar14-en.htm
>> http://www.icann.org/en/news/announcements/announcement-14mar14-en.htm
>>
>> Etc., etc.
>
> It's nice of the DoC to relinquish control, but I really don't see it changing much other than quieting down some hype from countries that were saying they were pissed at the US for controlling the Internet. And I couldn't really see those countries doing anything about it unless the US did something actually bad, which they wouldn't do IMHO.
>
> Was I being a pollyanna? Yep, way too optimistic. The world always wants the success of capitalism as long as they don't have to create the climate for it, they just want it handed to them. Once they have it they turn it back toward socialism and proceed to F%^$ it up. Gee, sounds like the direction our system's been trying to go in for the last 6 years.

Not for nothing, but what does capitalism have to do with this? The Internet was a creation of a combination of Government investment (not just US mind you, the ARPANET was not the only early network that ended up merging into the early Internet, there were European networks as well). Today's Internet is a cooperative endeavor that is not owned by anyone (the pieces, of course, are); and the governance is mostly a cooperative endeavor (yes ICANN is under contract to the US Government, but primarily operates on its own).

Capitalism, if anything, is a negative factor in the mix - as evidenced by the practices of some of the backbone owners and particularly the large cable and telephone companies who own a lot of the network edge (at least in the US, where access costs are higher, and bandwidths are lower, than some far more socialist countries).

Now one can argue about under- and over-regulation; and who is to do the regulating (treating US carriers under common carriage regimes would, IMHO, have positive results. Handing ICANN over to the ITU would create a bureaucratic nightmare, for example). But that's a separate issue entirely - and coincidentally, the issue on the table.

As to being a pollyanna: I agree, way too optimistic. But not for reasons having to do with communism vs. socialism - but for reasons of a proven system that works vs. handing control over to bureaucrats who might F^k it up. Personally, I think the caveats that NTIA has attached to relinquishing control sound like somebody has got it right - handing ICANN over to, say, ISOC might work very well (nobody complains about ISOC control of the IETF). The question is whether political pressures will lead to a horribly bad decision.

Miles Fidelman

--
In theory, there is no difference between theory and practice.
In practice, there is.   Yogi Berra
Re: US to relinquish control of Internet
On Sat, Mar 15, 2014 at 12:17 PM, John Levine jo...@iecc.com wrote:
>>> Let's hope you're right, but I note that the ITU isn't an inter-governmental organization,
>>
>> It was able to obtain a delegation for ITU.INT, so it's inter-governmental enough in DNS terms.
>
> Yes, it was delegated a month before TPC.INT was. Could you clarify the point you're making?

The ITU is an agency of the United Nations, which is an organization created by treaty, of which various nations' governments are members. How is the ITU _not_ an Inter-governmental organization? If it is not, then what kind of organizations does the NTIA memo say will be excluded?

> R's,
> John

--
-JH
Re: US to relinquish control of Internet
> The ITU is an agency of the United Nations, which is an organization created by treaty, of which various nations' governments are members.

Actually, the ITU is more than twice as old as the UN, and merged with the UN in 1947. As noted in a previous message, the ITU has both government and non-government members, more of the latter than the former, which arguably makes it a multi-stakeholder entity.

I entirely believe that NTIA doesn't want the ITU involved with ICANN, but the ITU has made it abundantly clear over the years that it wants a seat at the table, preferably its own table. I listened to the ICANN press conference this morning, the gist of which was don't worry, nothing will change, but once the NTIA opens up the ICANN management contract (or whatever it's called these days) to other parties, keeping the ITU out will be a challenge.

R's,
John
Re: US to relinquish control of Internet
On Sat, Mar 15, 2014 at 08:08:47PM -0400, John R. Levine wrote:
>> The ITU is an agency of the United Nations, which is an organization created by treaty, of which various nations' governments are members.
>
> Actually, the ITU is more than twice as old as the UN, and merged with the UN in 1947. As noted in a previous message, the ITU has both government and non-government members, more of the latter than the former, which arguably makes it a multi-stakeholder entity.
>
> I entirely believe that NTIA doesn't want the ITU involved with ICANN, but the ITU has made it abundantly clear over the years that it wants a seat at the table, preferably its own table. I listened to the ICANN press conference this morning, the gist of which was don't worry, nothing will change, but once the NTIA opens up the ICANN management contract (or whatever it's called these days) to other parties, keeping the ITU out will be a challenge.
>
> R's,
> John

Yes, the ITU is a very old agreement. It's also been more or less painless to us on the low end of the ladder even though of late they are doing their best to screw it up.

Personally, I'm not too terribly worried about ICANN. Granted, the politicians have gotten markedly more efficient at converting gold into sh** in recent years but I think it will take them quite a while to royally fk up the internet, especially if they are relying on going through ICANN to do it.

What's the worst they can do at this point? Make .bobtodd and .bubbagump TLDs? This is different from some of the crap we've got now in what way??

-Wayne

---
Wayne Bouchard
w...@typo.org
Network Dude
http://www.typo.org/~web/
Re: US to relinquish control of Internet
> What's the worst they can do at this point? Make .bobtodd and .bubbagump TLDs? This is different from some of the crap we've got now in what way??

Well, ICANN has come pretty close to delegating .HOME and .CORP to domain speculators, despite the vast amount of informal use which would get badly screwed up.

Like I said, I look forward to the ITU equitably delegating domain names and IP addresses. Sorry, the US has enough names already, the next ten million go to underserved areas. And since we know that phone numbers work great with per-country prefixes, we're going to improve the DNS so domain names always start with the country code.

R's,
John
Re: US to relinquish control of Internet
> What's the worst they can do at this point? Make .bobtodd and .bubbagump TLDs? This is different from some of the crap we've got now in what way??

I’m not too worried about what they could do to TLDs… It would be hard to make a bigger mess than ICANN already has.

On the other hand, I am very concerned about what they would do to the numbers side of things..

Owen
Re: US to relinquish control of Internet
Owen DeLong wrote:
>> What's the worst they can do at this point? Make .bobtodd and .bubbagump TLDs? This is different from some of the crap we've got now in what way??
>
> I’m not too worried about what they could do to TLDs… It would be hard to make a bigger mess than ICANN already has.
>
> On the other hand, I am very concerned about what they would do to the numbers side of things..
>
> Owen

And try to horn their way into the standards side of things. Can you say X.25?

Miles Fidelman

--
In theory, there is no difference between theory and practice.
In practice, there is.   Yogi Berra
Re: US to relinquish control of Internet
On Sat, Mar 15, 2014 at 9:36 PM, Owen DeLong o...@delong.com wrote:
> On the other hand, I am very concerned about what they would do to the numbers side of things..

Just keep their grubby paws off the IETF and the internet standards process. I doubt there's much reason for concern. IPv4 is pretty much already spoken for, and probably even they could not screw up IPv6 allocation. It's not as if they would be free to invent crazy new numbering schemes.

> I'm not too worried about what they could do to TLDs... It would be hard to make a bigger mess than ICANN already has.

What comes to mind is scrapping WHOIS due to privacy concerns, and replacing it with a filing with a private national authority for the TLD, accessible primarily to law enforcement (and not incident responders/operators/infosec/anti-spam people).

How TLDs COULD be screwed up worse than ICANN.. introducing regional TLDs, for coded regions (similar to DVD region locking), and region-locking existing TLDs --- Or certain agreements and fees will be required for an ISP to subscribe to a certain TLD, including agreement to pay kickbacks for data transfer and termination fees related to DNS queries and site access, according to rate schedules that the receiving country will be free to set, however exorbitantly they like, to the benefit of certain countries desiring to limit access or charge access fees for subscription to out-of-region DNS content; and splitting the root zone, so that domains registered in a certain region cannot be resolved in other regions,

> Owen

--
-Mysid