SANS: DNS Bug Now Public?

Jasper Bryant-Greene jasper at unleash.co.nz
Wed Jul 23 15:53:27 CDT 2008


FWIW, anyone using iptables for NAT can use --random, e.g.:

iptables -t nat -A POSTROUTING -o ethX -j SNAT --to x.x.x.x --random

Useful for Linux NAT/load-balancer boxes, or for Linux-powered embedded
devices where the vendor has not been forthcoming with a firmware patch
to alter the rules they generate.

I believe this requires kernel >= 2.6.21.

-Jasper

On Wed, 2008-07-23 at 12:16 -0700, Darren Bolding wrote:
> After a bit of looking around, I have not been able to find a list of
> firewalls/versions which are known to provide appropriate randomness in
> their PAT algorithms (or more importantly, those that do not).
> 
> I would be very interested in such a list if anyone knows of one.
> 
> As a side note, most people here realize this but, while people mention
> firewalls, keep in mind that if a load-balancer or other device is your
> egress PAT device, you might be interested in checking those systems
> port-translation randomness as well.
> 
> --D
> 
> On Wed, Jul 23, 2008 at 10:11 AM, Joe Abley <jabley at ca.afilias.info> wrote:
> 
> >
> > On 23 Jul 2008, at 12:16, Jorge Amodio wrote:
> >
> > Let me add that folks need to understand that the "patch" is not a fix to a
> >> problem that has been there for long time and
> >> it is just a workaround to reduce the chances for a potential
> >> attack, and it must be combined with best practices and
> >> recommendations to implent a more robust DNS setup.
> >>
> >
> > Having just seen some enterprise types spend time patching their
> > nameservers, it's also perhaps worth spelling out that "patch" in this case
> > might require more than upgrading resolver code -- it could also involve
> > reconfigurations, upgrades or replacements of NAT boxes too. If your NAT
> > reassigns source ports in a predictable fashion, then no amount of BIND9
> > patching is going to help.
> >
> > (Reconfiguring your internal resolvers to forward queries to an external,
> > patched resolver which can see the world other than through NAT-coloured
> > glasses may also be a way out.)
> >
> >
> > Joe
> >
> >
> >
> 
> 





More information about the NANOG mailing list