[conspire] DNS vulnerability details

Ruben Safir ruben at mrbrklyn.com
Wed Jul 23 21:41:04 PDT 2008 

> 
> Good, right?  Except, then, the firewall appliance's network address
> translation / port address translation (NAT/PAT) algorithm kicks in, and
> rewrites the outbound traffic.  The originating port was random, so the
> firewall's rewritten version of that same packet should likewise have a
> random source port, right?  Because all $40 cheap plastic appliances
> have excellent random number generators, right?  Oops.  Sorry, your
> originating port assignment probably doesn't end up being quite so
> random, any more.  See:
> http://www.circleid.com/posts/87143_dns_not_a_guessing_game/  Basically,
> a typical firewall box makes a rather efficient de-randomiser.
> 
> 


If the name server is using random ports how does the resolver know
where to find it.  I'm not likely to rewrite firefox.

Ruben

> 
> Testing your nameserver's randomness of source port selection:
> 
> Do:
> $  dig [namserver IP or hostname] porttest.dns-oarc.net in txt
> 
> The result string will include a editorial comment like "GOOD", "FAIR",
> or "POOR" about randomness quality.
> 
> Or use this Web facility:
> https://www.dns-oarc.net/oarc/services/dnsentropy
> 
> 
> You really do want to attend to this now.  It's not Somebody Else's
> Problem.
> 
> 
> _______________________________________________
> conspire mailing list
> conspire at linuxmafia.com
> http://linuxmafia.com/mailman/listinfo/conspire

-- 
http://www.mrbrklyn.com - Interesting Stuff
http://www.nylxs.com - Leadership Development in Free Software

So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world  - RI Safir 1998

http://fairuse.nylxs.com  DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002

"Yeah - I write Free Software...so SUE ME"

"The tremendous problem we face is that we are becoming sharecroppers to our own cultural heritage -- we need the ability to participate in our own society."

"> I'm an engineer. I choose the best tool for the job, politics be damned.<
You must be a stupid engineer then, because politcs and technology have been attached at the hip since the 1st dynasty in Ancient Egypt.  I guess you missed that one."

© Copyright for the Digital Millennium

More information about the conspire mailing list