
Re: [LUG] IP Source Address Spoofing and why Open DNS resolvers will get you hacked was Re: Open DNS Resolvers

On 18/05/13 00:41, Simon Waters wrote:
> If the DNS recursive resolver you use answers queries for remote machines
> it makes it (and thus you) more vulnerable to DNS poisoning type attacks.

If you admin a DNS server, and it's vulnerable to this, please kill
yourself now (not you Simon, I mean in general).

> I don't expect DNS poisoning attacks due to DNS server vulnerabilities,
> or weaknesses in DNS resolution process to make a big comeback, but it
> would be a foolish man who said "never again".

DNS attacks have never gone away sadly, mostly because DNSSEC isn't
being implemented at all. Well, technically the root servers have it
now, so it's available - it's just that hardly anybody else bothers.
Even the techies I know seem to have a blind spot about this: SSH, mail
and web servers are all locked down and well looked after whilst DNS
just swings in the wind. There is even a three-step wizard in bloody
Server 2012 (Microsoft) that correctly implements DNSSEC on your zones,
for the love of god. So, if you admin any DNS servers and aren't running
DNSSEC on them, please also kill yourself now.

Fun fact: since 12.04, all Ubuntu versions (including downstream
derivatives like Mint, etc) run Dnsmasq via the Network Manager by
default so all users are running (limited) resolvers. This is a
potential nightmare - I happen to have been fiddling with abusing this
recently with a mischievous colleague, with a surprising amount of
success (i.e., we're late to the party because proper blackhats will
have figured this out much quicker than us, and are probably using it
IRL right now).

>
> Also if an attack against a recursive resolver requires malformed
> packets to be sent, then this attack would likely not be possible for a
> remote attacker if the resolver is not open.
>
> This paper is pretty comprehensive on source address spoofing for its time.
>
> http://rbeverly.net/research/papers/spoofer-imc09.ps
>
> Beverly has also been involved in work on mitigation of source address
> spoofing, that can be done if a small percentage of core routers deploy
> algorithms that allow them to establish if a packet has likely been
> spoofed. This approach works in simulation.
>
> The issue is, as ever, that the costs (of mitigation or fixing)
> typically fall on someone other than the victim (or ideally on the
> attacker!), indeed the costs of mitigation likely fall on networks some
> of whom may even profit indirectly from the attacks (if they charge per
> bit carried, rather than for connectivity alone). I don't think any of
> them intend to profit, and most charging algorithms at this level
> exclude extreme events, but they certainly are unlikely to benefit much
> directly from preventing source address spoofing.
>
> There are some notable exceptions, Akamai have been active in DDoS
> mitigation research of various sorts. Presumably because as a CDN both
> the cost of, and responsibility for defeating, DDoS are shifted to
> themselves. Presumably other content delivery networks are in a similar
> position.
>
> Arguably a case for government intervention to prevent market failure.
> IPv6 will hopefully address the issue, although I believe it introduces
> its own issues because suddenly there are a lot more IP addresses to
> deal with. Not something I know enough about.
>
> A cheaper but criminal approach would be to hire DDoS services and use
> them to attack large network providers' websites and other services, to
> motivate them to deploy such mitigation in their own networks. Thus
> aligning the interests of the victim and the organizations which can fix
> the issue.
>

All interesting stuff, as usual. Also, I've just noticed that I didn't
get the original email I think this was a reply to. I know Tom said he
was seeing some missing/out of order emails as well - this is getting a
bit too common for my liking. I'd guess that the live.com spam filters
are rather aggressively nuking some of my LUG emails...

Regards

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
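The thread above raises two defender-side questions for anyone running a resolver such as the dnsmasq instance that NetworkManager starts: does it answer queries from hosts it should not, and does it validate upstream answers with DNSSEC? The script below is an added example written for this thread, not part of the original message and not dnsmasq's own tooling. It parses a dnsmasq configuration file and reports findings based on the documented directives `listen-address`, `interface`, `except-interface`, `local-service`, `bind-interfaces`, `bind-dynamic`, `dnssec` and `trust-anchor` (the `dnssec` and `trust-anchor` options only exist in dnsmasq releases later than the one discussed in the thread; the severity labels, the `audit_dnsmasq` function name and the two sample configurations are assumptions constructed for this example).

```python
"""Audit a dnsmasq configuration for open-resolver exposure and DNSSEC settings.

Added example for the list thread; the checks and severity labels are this
example's own, not dnsmasq's. Run it on a config file path or use the two
constructed samples at the bottom.
"""
import ipaddress
import sys


def parse_dnsmasq_conf(text):
    """Return (option, value) pairs; value is None for bare flags such as
    'bind-interfaces'. Comments (#) and blank lines are skipped."""
    options = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        options.append((key.strip(), value.strip() if sep else None))
    return options


def _is_local_address(addr):
    """True for loopback or link-local addresses, i.e. not reachable remotely."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_link_local


def audit_dnsmasq(text):
    """Return a list of (severity, message) findings; an empty list is clean."""
    opts = parse_dnsmasq_conf(text)
    flags = {k for k, v in opts if v is None}
    listen = [a.strip() for k, v in opts if k == "listen-address" and v
              for a in v.split(",")]
    interfaces = [v for k, v in opts if k == "interface"]
    excepted = [v for k, v in opts if k == "except-interface"]
    findings = []

    # 1. Query scope: with none of these, dnsmasq answers on every interface.
    scoped = bool(listen or interfaces or "local-service" in flags)
    if not scoped and excepted:
        findings.append(("MEDIUM", "listens on all interfaces except %s; "
                         "exclusion lists drift as interfaces change"
                         % ", ".join(excepted)))
    elif not scoped:
        findings.append(("HIGH", "answers on every interface: no listen-address, "
                         "interface or local-service directive"))
    else:
        wide = [a for a in listen if not _is_local_address(a)]
        if wide or interfaces:
            findings.append(("MEDIUM", "listens beyond loopback (%s); confirm "
                             "those networks are trusted"
                             % ", ".join(wide + interfaces)))

    # 2. Socket binding: without bind-interfaces/bind-dynamic dnsmasq binds the
    #    wildcard address and drops unwanted queries after receiving them, so
    #    port 53 still shows as open to a scanner on every address.
    if (listen or interfaces) and not ({"bind-interfaces", "bind-dynamic"} & flags):
        findings.append(("LOW", "binds the wildcard address and filters by source; "
                         "bind-interfaces restricts the socket itself"))

    # 3. DNSSEC: validation needs both the dnssec flag and a trust anchor
    #    (given inline or via a conf-file include).
    if "dnssec" not in flags:
        findings.append(("MEDIUM", "no dnssec directive: upstream answers are "
                         "forwarded without validation"))
    elif not any(k in ("trust-anchor", "conf-file") for k, _ in opts):
        findings.append(("HIGH", "dnssec enabled but no trust-anchor or "
                         "conf-file include configured"))
    return findings


# Constructed sample: forwards to an upstream, no scope restriction, no DNSSEC.
WEAK_CONF = """
server=192.0.2.53
cache-size=1000
"""

# Constructed sample: loopback only, socket bound explicitly, DNSSEC on.
# The trust-anchor line uses placeholders, not a real root key digest.
HARDENED_CONF = """
listen-address=127.0.0.1
bind-interfaces
no-resolv
server=192.0.2.53
dnssec
trust-anchor=.,PLACEHOLDER_KEYTAG,8,2,PLACEHOLDER_DIGEST
dnssec-check-unsigned
"""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            samples = [(sys.argv[1], fh.read())]
    else:
        samples = [("weak", WEAK_CONF), ("hardened", HARDENED_CONF)]
    for name, conf in samples:
        print("== %s ==" % name)
        for severity, message in audit_dnsmasq(conf) or [("OK", "no findings")]:
            print("  [%s] %s" % (severity, message))
```

Run it with a path (`python audit_dnsmasq.py /etc/dnsmasq.conf`) or with no arguments to see the two constructed samples side by side: the weak one is flagged HIGH for answering on every interface and MEDIUM for forwarding unvalidated answers, while the hardened one produces no findings. The scope check treats `local-service` as sufficient on its own because dnsmasq ignores it once `interface` or `listen-address` is present; if you restrict by interface name rather than address, the script cannot tell whether that interface faces the Internet, so it reports MEDIUM and asks you to confirm.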