Responding to the DNS vulnerability and attacks

Summary: The DNS vulnerability, which has completely dominated the news in the security world the last two weeks, has been a concern for so many.  On the front of good news and getting things protected, the IBM ISS team has published some great information.

The DNS vulnerability, which has completely dominated the news in the security world the last two weeks, has been a concern for so many.  On the front of good news and getting things protected, the IBM ISS team has published some great information. The Frequency X Blog, run by IBM ISS, had an interesting article that I think is likely useful to many of us out there.  I've personally heard a few questions from my clients, and some from other associates at Ernst & Young, asking about other options for mitigation, whether this is being attacked in the wild, etc.  Apparently IBM ISS has heard similar things.  From their Frequency X Blog:
We've been hearing four primary questions from customers about the recently disclosed DNS cache poisoning vulnerability: how do I tell if I'm vulnerable, what do I do to mitigate it, how do I tell if I've been attacked, and what do I do if I've been attacked. We put this blog post together in an attempt to address those questions directly.
I've found that the blog entry by ISS has some very good takeaway points, such as the concern that DNS servers which have been patched but sit behind NAT devices may still be vulnerable.

Furthermore, if you have a server behind a NAT device, some NAT devices will undo the UDP port randomness introduced by the patch.  Fortunately, Linux iptables and OpenBSD's pf are not vulnerable, but many popular NAT devices are. If you have such a device you can either move your DNS server to a DMZ segment where it need not be NATed, or you can forward requests from that DNS server to a patched server that is not behind the NAT. If you forward make sure that you disable recursion.
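The point above is easy to verify from the outside of the NAT, because the patch's protection rests on the source port of each outgoing query being unpredictable on top of the 16-bit transaction ID. The following script is an added example (mine, not IBM ISS's or ZDNet's code) that takes the source ports of a burst of outbound DNS queries as seen on the NAT's upstream side and reports whether they still look randomised or whether the NAT has collapsed them into a sequential or fixed pattern. The three port samples and the tcpdump-style capture lines are constructed for illustration, the ephemeral range and the verdict thresholds are my own assumptions, and a real check should use a few hundred queries rather than two dozen.

```python
"""Assess whether UDP source ports of outbound DNS queries, observed on the
outside of a NAT, still carry the randomness the resolver patch introduced."""
import math

# Assumed usable source-port range for the spread calculation.
EPHEMERAL_LOW, EPHEMERAL_HIGH = 1024, 65535

# Constructed samples (not captured from any real resolver): the source ports
# of 24 consecutive outbound queries as the upstream side would see them.
RANDOMISED_SAMPLE = [53211, 4099, 61750, 17283, 33902, 8475, 49120, 22847,
                     58361, 1991, 40210, 27533, 63044, 12678, 36905, 55487,
                     9316, 45872, 30149, 64001, 20466, 51725, 14390, 42058]
NAT_SEQUENTIAL_SAMPLE = list(range(1024, 1048))   # NAT hands out ports in order
NAT_FIXED_SAMPLE = [2048] * 24                     # NAT maps everything to one port

# Constructed `tcpdump -n` style lines for the randomised sample, e.g.
# 'IP 192.0.2.10.53211 > 198.51.100.1.53: 4099+ A? example.com. (29)'
CAPTURE = [f"IP 192.0.2.10.{p} > 198.51.100.1.53: {i}+ A? example.com. (29)"
           for i, p in enumerate(RANDOMISED_SAMPLE, 4099)]


def ports_from_tcpdump(lines):
    """Pull the UDP source port out of tcpdump -n lines for queries to port 53.
    tcpdump prints the source as 'a.b.c.d.port', so the port is the last
    dot-separated field of the token before ' > '."""
    ports = []
    for line in lines:
        if " > " not in line or ".53:" not in line:
            continue
        src = line.split(" > ", 1)[0].split()[-1]
        ports.append(int(src.rsplit(".", 1)[1]))
    return ports


def step_fraction(ports, max_step=2):
    """Fraction of consecutive queries whose port advanced by a small positive
    step. Close to 1.0 means ports are being allocated sequentially."""
    if len(ports) < 2:
        return 0.0
    steps = [b - a for a, b in zip(ports, ports[1:])]
    return sum(1 for s in steps if 0 < s <= max_step) / len(steps)


def assess_source_ports(ports):
    """Classify a port sample as fixed, sequential, randomised or weak.
    The thresholds are illustrative heuristics, not a standard."""
    distinct = len(set(ports))
    distinct_ratio = distinct / len(ports)
    spread = (max(ports) - min(ports)) / (EPHEMERAL_HIGH - EPHEMERAL_LOW)
    seq = step_fraction(ports)
    if distinct == 1:
        verdict = "fixed"
    elif seq >= 0.8:
        verdict = "sequential"
    elif distinct_ratio >= 0.9 and spread >= 0.5:
        verdict = "randomised"
    else:
        verdict = "weak"
    return {
        "verdict": verdict,
        "distinct_ports": distinct,
        # Lower bound on the port entropy actually observed in this sample.
        "observed_port_bits": round(math.log2(distinct), 2),
        "spread": round(spread, 3),
        "sequential_fraction": round(seq, 2),
    }


if __name__ == "__main__":
    for name, sample in [("from capture", ports_from_tcpdump(CAPTURE)),
                         ("sequential NAT", NAT_SEQUENTIAL_SAMPLE),
                         ("fixed-port NAT", NAT_FIXED_SAMPLE)]:
        print(f"{name:15s} -> {assess_source_ports(sample)}")
```

Run it against a real capture by replacing `CAPTURE` with the output of `tcpdump -n` taken on the interface upstream of the NAT while the resolver is busy; a "sequential" or "fixed" verdict means the NAT is re-mapping ports and the server should be moved to a non-NATed DMZ segment or forward (with recursion disabled) to a patched resolver outside the NAT, as the ISS post recommends.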

If you believe you have been attacked, and despite reading this article aren't quite sure what to do, ISS has a service to help with this:
IBM ISS has an emergency response team standing by 24 hours a day, 7 days a week, 365 days a year. If you have been the target of an attack, you can call us at the number listed on this web page any time of day, and we can provide immediate assistance to stop attacks and help you get your network back in running order. It is our opinion that if you have been the victim of a breach you should seek the assistance of a professional response team, whether ours or someone else's.
I'd also like to reiterate a post by Dancho Danchev, which notes that OpenDNS, PowerDNS, and MaraDNS remain unaffected by the flaw, so moving to one of these is another option. -Nate

Talkback

6 comments
  • This is good to know ...

    [i]Furthermore, if you have a server behind a NAT device, some NAT devices will undo the UDP port randomness introduced by the patch. Fortunately, Linux iptables and OpenBSD's pf are not vulnerable, but many popular NAT devices are.[/i]

    I've been told by quite a few people that if you're running behind a NAT device you didn't have to enable iptables in Linux. Myself being overly cautious enabled iptables on all of my machines regardless of location.

    Guess my paranoia for once paid off. ;)
    MisterMiester
  • Economic Terrorists

    These companies / groups that sell these exploit kits should be prosecuted just like gunmakers get sued.

    How is selling an exploit kit to someone who is going to cause a company thousands of dollars in IT support fees any different than an arms manufacturer who sells a grenade to someone who then lobs it at his neighbor's house?

    Sure the computer guys always fall back to "there was poor security.... they had it coming... etc".

    But if we make an analogy to the grenade thrower we would never accept a comment like "well, they should have put blast-resistant windows in the living room!"

    Just like we don't accept blaming a rape victim for a rape.

    Time to get tough, and if that means prosecution of companies that have poor security, it should also mean taking a hard line against countries that turn a blind eye to hosting malware.

    There was a stat on ZDNET that something like 200,000 websites in China are spreading malware. I bet banning all traffic to/from the CN domain for 30 days would get China's attention.

    Stop pandering and accepting the status quo.
    croberts
    • Interesting thoughts

      You might be interested to know that Metasploit is actually free.

      -Nate
      nmcfeters
    • watch those assumptions

      You appear to assume that the exploit wasn't already out there and in the hands of skilled criminals.

      Maybe if they had patched DNS when they first learned of this many months ago, we'd not be having this discussion today.
      shawn_dude
    • Tough call

      --because those kind of tools are excellent to run vs. new environments as a "Whoops"-catcher; to make sure you didn't miss something.

      Powerful tools can always be abused though. Blaming the toolmaker goes way beyond simple tech stuff though (2nd Amendment fight, anyone? See you at 20 paces...).
      beoz
  • RE: Responding to the DNS vulnerability and attacks

    It might be a better comparison to a bartender selling 4-5 drinks to a guy he knows is going to drive afterwards.

    Sure, you can say the people the drunk hit should have been more aware of the traffic around them, but you can also say the bartender shouldn't have sold the guy so many drinks that he was not safe on the road.

    It is a twisted logic that says by making an exploit available (even for free) we are really helping the situation by forcing those lazy software writers to fix the problems.
    dysart