[catching up]
That's a good question, but I know that during the ongoing survey
within the Open Resolver Project [http://openresolverproject.org/],
Jared found thousands of CPE devices which responded as resolvers.
Not thousands, *tens of millions*.
Our estimate from mid-2013 was 32M such
On Apr 2, 2014, at 8:38 AM, Mark Allman mall...@icir.org wrote:
[catching up]
That's a good question, but I know that during the ongoing survey
within the Open Resolver Project [http://openresolverproject.org/],
Jared found thousands of CPE devices which responded as resolvers.
Not
In message c7e435c6-344f-49cd-9152-7a9ef2fa6...@puck.nether.net, Jared Mauch
writes:
On Apr 2, 2014, at 8:38 AM, Mark Allman mall...@icir.org wrote:
[catching up]
That's a good question, but I know that during the ongoing survey
within the Open Resolver Project
On Fri, Mar 14, 2014 at 5:06 PM, Wayne E Bouchard w...@typo.org wrote:
Have we ascertained if there is a typical configuration adjustment
that can be made to reduce or eliminate the likelihood of impact?
I think your best tactic is: Provide specified DNS resolver cache servers.
Don't use
Why would a CPE have an open DNS resolver from the WAN side?
Gary Baribault
On 03/14/2014 12:45 PM, Livingood, Jason wrote:
Well, at least all this CPE checks in for security updates every night so
this should be fixable. Oh wait, no, nevermind, they don't. :-(
This is getting to be the
Why would a CPE have an open DNS resolver from the WAN side?
Honest to god, are you new to computers or something?
People have been writing just good enough code since the beginning.
A resolver package binds to *:53 by default. Some poor firmware guys
with no security experience, deadlines,
Good question, but the reality is that a lot of them are this way. They just
forward everything from any source. Maybe it was designed that way to support
DDoS as a use case.
Imagine a simple iptables rule like -p udp --dport 53 -j DNAT --to 4.2.2.4
I think some forwarders work this way - the
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
That's a good question, but I know that during the ongoing survey
within the Open Resolver Project [http://openresolverproject.org/],
Jared found thousands of CPE devices which responded as resolvers.
Further work needs to go into fingerprinting
Just a quick note to let folks know about a new vulnerability we have
found in some low-rent DNS forwarders---which we have been calling the
'preplay attack'.
The finding is that when the vulnerable open resolvers receive a DNS
response they just look at the query string in the response to see
On 14/03/2014 13:45, Mark Allman wrote:
- We have found 7--9% of the open resolver population---or 2-3 million
boxes---to be vulnerable to this cache poisoning attack. (The
variance is from different runs of our experiments.)
did you characterise what dns servers / embedded kit were
On Mar 14, 2014, at 7:06 AM, Stephane Bortzmeyer bortzme...@nic.fr wrote:
On Fri, Mar 14, 2014 at 01:59:27PM +,
Nick Hilliard n...@foobar.org wrote
a message of 10 lines which said:
did you characterise what dns servers / embedded kit were
vulnerable?
He said We have not been able
On 14/03/2014 16:05, Merike Kaeo wrote:
Has someone / is someone doing this?
someone has, and many CPEs use dnsmasq. current uplink too slow to find
references.
Nick
Well, at least all this CPE checks in for security updates every night so
this should be fixable. Oh wait, no, nevermind, they don't. :-(
This is getting to be the vulnerability of the week club for home gateway
devices - quite concerning.
JL
On 3/14/14, 12:05 PM, Merike Kaeo
Have we ascertained if there is a typical configuration adjustment
that can be made to reduce or eliminate the likelihood of impact?
(From the description it sounds as though this is not possible but it
doesn't hurt to ask.)
On Fri, Mar 14, 2014 at 09:05:00AM -0700, Merike Kaeo wrote:
On Mar
14 matches
Mail list logo