[conspire] DNS vulnerability details
ruben at mrbrklyn.com
Wed Jul 23 21:41:04 PDT 2008
> Good, right? Except, then, the firewall appliance's network address
> translation / port address translation (NAT/PAT) algorithm kicks in, and
> rewrites the outbound traffic. The originating port was random, so the
> firewall's rewritten version of that same packet should likewise have a
> random source port, right? Because all $40 cheap plastic appliances
> have excellent random number generators, right? Oops. Sorry, your
> originating port assignment probably doesn't end up being quite so
> random, any more. See:
> http://www.circleid.com/posts/87143_dns_not_a_guessing_game/ Basically,
> a typical firewall box makes a rather efficient de-randomiser.
If the name server is using random ports how does the resolver know
where to find it. I'm not likely to rewrite firefox.
> Testing your nameserver's randomness of source port selection:
> $ dig [namserver IP or hostname] porttest.dns-oarc.net in txt
> The result string will include a editorial comment like "GOOD", "FAIR",
> or "POOR" about randomness quality.
> Or use this Web facility:
> You really do want to attend to this now. It's not Somebody Else's
> conspire mailing list
> conspire at linuxmafia.com
http://www.mrbrklyn.com - Interesting Stuff
http://www.nylxs.com - Leadership Development in Free Software
So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world - RI Safir 1998
http://fairuse.nylxs.com DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
"Yeah - I write Free Software...so SUE ME"
"The tremendous problem we face is that we are becoming sharecroppers to our own cultural heritage -- we need the ability to participate in our own society."
"> I'm an engineer. I choose the best tool for the job, politics be damned.<
You must be a stupid engineer then, because politcs and technology have been attached at the hip since the 1st dynasty in Ancient Egypt. I guess you missed that one."
© Copyright for the Digital Millennium
More information about the conspire