Responding to the DNS vulnerability and attacks
Summary: The DNS vulnerability, which has completely dominated security news for the last two weeks, has been a concern for so many. On the good-news front, the IBM ISS team has published some great information on getting things protected.
We've been hearing four primary questions from customers about the recently disclosed DNS cache poisoning vulnerability: How do I tell if I'm vulnerable? What do I do to mitigate it? How do I tell if I've been attacked? And what do I do if I've been attacked? We put this blog post together in an attempt to address those questions directly.
I've found that the blog entry by ISS has some very good take-away points, such as concerns over how DNS servers that have been patched but sit behind NAT devices may still be vulnerable.
Furthermore, if you have a server behind a NAT device, some NAT devices will undo the UDP port randomness introduced by the patch. Fortunately, Linux iptables and OpenBSD's pf are not vulnerable, but many popular NAT devices are. If you have such a device, you can either move your DNS server to a DMZ segment where it need not be NATed, or you can forward requests from that DNS server to a patched server that is not behind the NAT. If you forward, make sure that you disable recursion.
If you believe you have been attacked, and despite reading this article aren't quite sure what to do, ISS has a service to help with this:
IBM ISS has an emergency response team standing by 24 hours a day, 7 days a week, 365 days a year. If you have been the target of an attack, you can call us at the number listed on this web page any time of day, and we can provide immediate assistance to stop attacks and help you get your network back in running order. It is our opinion that if you have been the victim of a breach you should seek the assistance of a professional response team, whether ours or someone else's.
Another thing: I'd like to reiterate a post by Dancho Danchev, which discusses the fact that OpenDNS, PowerDNS, and MaraDNS remain unaffected by the flaw, so moving to one of these also becomes an option. -Nate
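The NAT point in the quoted ISS guidance is the one that catches patched sites by surprise, and it is easy to verify offline: capture your resolver's outbound queries on the outside of the NAT and look at the source ports it actually presents to the Internet. The script below is an added example (not from the ZDNet post or from IBM ISS) that does that analysis over constructed capture records of the form (source port, transaction ID). It flags a fixed source port, a NAT that rewrites the patched resolver's random ports into a sequential range, and low entropy in either field. Note that a plain distinct-port or entropy check does not catch the NAT case, because sequential ports are all distinct; the step-pattern test is what exposes it.

```python
"""Offline check of resolver source-port behaviour as seen outside a NAT.

Added example, not code from the post or from IBM ISS. Input is a list of
(src_port, txid) pairs read from a packet capture on the WAN side of the
NAT device; the samples below are constructed with a fixed seed.
"""
import math
import random
from collections import Counter


def _build_sample(kind, n=64, seed=7):
    """Constructed capture records for three scenarios (hypothetical data)."""
    rng = random.Random(seed)
    txids = rng.sample(range(65536), n)          # well-randomized transaction IDs
    if kind == "randomized":                      # patched resolver, no NAT in the way
        ports = rng.sample(range(1024, 65536), n)
    elif kind == "nat_sequenced":                 # patched resolver, NAT re-sequences ports
        ports = list(range(40000, 40000 + n))
    elif kind == "fixed_port":                    # unpatched resolver, one port for everything
        ports = [32768] * n
    else:
        raise ValueError(kind)
    return list(zip(ports, txids))


SAMPLE_PATCHED_NO_NAT = _build_sample("randomized")
SAMPLE_PATCHED_BEHIND_BAD_NAT = _build_sample("nat_sequenced")
SAMPLE_UNPATCHED = _build_sample("fixed_port")


def shannon_entropy_bits(values):
    """Empirical Shannon entropy of the observed values, in bits."""
    counts = Counter(values)
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def sequential_fraction(ports):
    """Fraction of consecutive queries whose source port moves by exactly one.

    Random ports almost never do this; a NAT that hands out ports from a
    counter does it nearly every time, even though every port is distinct.
    """
    if len(ports) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ports, ports[1:]) if abs(b - a) == 1)
    return steps / (len(ports) - 1)


def assess_port_randomization(queries, max_sequential=0.5):
    """Classify a capture; thresholds are this example's choices, not a standard."""
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    n = len(queries)
    # With n samples the best achievable entropy is log2(n); demand 80% of it.
    min_entropy = 0.8 * math.log2(n) if n > 1 else 0.0
    port_entropy = shannon_entropy_bits(ports)
    txid_entropy = shannon_entropy_bits(txids)
    seq = sequential_fraction(ports)

    if len(set(ports)) == 1:
        status = "fixed_port"          # unpatched, or NAT collapses everything onto one port
    elif seq > max_sequential:
        status = "sequential_ports"    # NAT is undoing the patch's randomization
    elif port_entropy < min_entropy:
        status = "low_port_entropy"
    elif txid_entropy < min_entropy:
        status = "low_txid_entropy"
    else:
        status = "ok"
    return {
        "status": status,
        "queries": n,
        "distinct_ports": len(set(ports)),
        "port_entropy_bits": round(port_entropy, 2),
        "txid_entropy_bits": round(txid_entropy, 2),
        "sequential_fraction": round(seq, 2),
    }


if __name__ == "__main__":
    for name, sample in (("patched, no NAT", SAMPLE_PATCHED_NO_NAT),
                         ("patched, behind re-sequencing NAT", SAMPLE_PATCHED_BEHIND_BAD_NAT),
                         ("unpatched", SAMPLE_UNPATCHED)):
        print(f"{name}: {assess_port_randomization(sample)}")
```

A capture of a few dozen queries is enough to tell the three cases apart; take it on the Internet-facing side of the NAT, because a capture on the resolver itself shows the randomized ports before the NAT rewrites them and will look healthy even when the outside world sees a counter.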
Talkback
This is good to know ...
I've been told by quite a few people that if you're running behind a NAT device you didn't have to enable iptables in Linux. Myself being overly cautious enabled iptables on all of my machines regardless of location.
Guess my paranoia for once paid off. ;)
Economic Terrorists
How is selling an exploit kit to someone who is going to cause a company thousands of dollars in IT support fees any different than an arms manufacturer who sells a grenade to someone who then lobs it at his neighbor's house?
Sure the computer guys always fall back to "there was poor security.... they had it coming... etc".
But if we make an analogy to the grenade thrower we would never accept a comment like "well, they should have put blast-resistant windows in the living room!"
Just like we don't accept blaming a rape victim for a rape.
Time to get tough, and if that means prosecution of companies that have poor security, it should also mean taking a hard line against countries that turn a blind eye to hosting malware.
There was a stat on ZDNET that something like 200,000 websites in China are spreading malware. I bet banning all traffic to/from the CN domain for 30 days would get China's attention.
Stop pandering and accepting the status quo.
Interesting thoughts
-Nate
watch those assumptions
Maybe if they had patched DNS when they first learned of this many months ago, we'd not be having this discussion today.
Tough call
Powerful tools can always be abused though. Blaming the toolmaker goes way beyond simple tech stuff though (2nd Amendment fight, anyone? See you at 20 paces...).
RE: Responding to the DNS vulnerability and attacks
Sure, you can say the people the drunk hit should have been more aware of the traffic around them, but you can also say the bartender shouldn't have sold the guy so many drinks that he was not safe on the road.
It is a twisted logic that says by making an exploit available (even for free) we are really helping the situation by forcing those lazy software writers to fix the problems.