List Archives

This forum is an archive of all posts to our mailing list over the past few years. The forum is set read only therefore to contribute you will need to join our list community. See more info about this here.

When subscribed to the list you should use your standard email client to send your posts to ActiveDir@mail.activedir.org.

List Archives

Unanswered Active Topics

Forums Search

Forums >ActiveDir Mail List Archive >List Archives

Subject: Re: [ActiveDir] [Fwd: [ISC] DNS cache poisoning vulnerability details confirmed]

Prev Next

You are not authorized to post a reply.

Author

Messages

beads

Posts:32

07/25/2008 2:05 AM
Now, I have to agree with Susan (don't faint on me here). Its bad and getting worse particularly on the BIND side of things. On the other hand its an excellent opportunity to rid ourselves of some of the more notorious 'lame servers' out there still running BIND 8 and sometimes lower. Brent Eads Employee Technology Solutions, Inc. "Susan Bradley, CPA " <sbradcpa@pacbell.net> Sent by: ActiveDir-owner@mail.activedir.org 07/24/2008 05:20 PM Please respond to ActiveDir@mail.activedir.org To activeDir@mail.activedir.org cc Subject [ActiveDir] [Fwd: [ISC] DNS cache poisoning vulnerability details confirmed] A couple of the handlers tuned into the Blackhat "webinar" today. The topic was Kaminsky's DNS vulnerability. Here are some quick notes... Dan Kaminsky confirmed the details about the vulnerability. I think he was wanting to save the details until Blackhat, but since it got leaked and exploits have shown up in the last 24 hours, there doesn't seem to be much use in delaying any longer. Dan seemed to confirm that the leaked blog entry and the latest Metasploit module have identified the vulnerability correctly. In Kaminsky's tests, he was able to poison a nameserver cache in about 5-10 seconds. This bug allows the attacker to overwrite entries that are already in the cache. Nameservers that are authoritative only are not vulnerable. But setting a high TTL for your hosts which you are authoritative won't help vulnerable resolvers from being poisoned. This attack bypasses the TTL protections on vulnerable resolvers. DNS client libraries (workstations and servers that resolve to upstream nameservers) need to be patched also. The attacks still work against single unpatched hosts - but the priority should be your resolving nameservers. Home firewall NAT devices are also proving to be vulnerable as many don't seem to randomize the source port. If I heard correctly, Joao Damas from ISC (Internet Systems Consortium, maintainers of BIND) reports that he has seen attacks already in the wild for this vulnerability. -------- Original Message -------- Subject: [ISC] DNS cache poisoning vulnerability details confirmed Date: Thu, 24 Jul 2008 22:16:00 GMT From: mrroboto@sans.org To: sbradcpa@pacbell.net DNS cache poisoning vulnerability details confirmed http://isc.sans.org/diary.html?n&storyid=4777 Unsubscribe: http://isc.sans.org/notify.html List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx Message scanned by TrendMicro Message scanned by TrendMicro

You are not authorized to post a reply.

Forums >ActiveDir Mail List Archive >List Archives > Re: [ActiveDir] [Fwd: [ISC] DNS cache poisoning vulnerability details confirmed]

ActiveForums 3.7

Syndicate

Friends

List Archives

List Archives

Friends

Members

Articles

Related Links

Ads