Re: Exploit for DNS Cache Poisoning - RELEASED
Sean Donelan <sean@donelan.com> wrote:
Let's hope some very large service providers get their act together real soon now.
There is always a tension between discovery, changing, testing and finally deployment.
Sure, I can empathize, to a certain extent. But this issue has been known for 2+ weeks now. Not sure I can be very empathic now, given the seriousness, and the proper warning ISPs have been given. $.02, - ferg -- "Fergie", a.k.a. Paul Ferguson, Engineering Architecture for the Internet, fergdawg(at)netzero.net, ferg's tech blog: http://fergdawg.blogspot.com/
Sure, I can empathize, to a certain extent. But this issue has been known for 2+ weeks now.
Well, we knew about the DNS issues a long time ago (20+ yrs perhaps?), so the issue is not new; it's just that the exploit is easier to put together and the chances for it to succeed are much higher. As I mentioned in another message, perhaps it's time to get serious about DNSSEC. Where are we on this front? Cheers, Jorge
On Thu, 24 Jul 2008 09:10:13 -0500 "Jorge Amodio" <jmamodio@gmail.com> wrote:
Sure, I can empathize, to a certain extent. But this issue has been known for 2+ weeks now.
Well, we knew about the DNS issues a long time ago (20+ yrs perhaps?), so the issue is not new; it's just that the exploit is easier to put together and the chances for it to succeed are much higher.
This is important. Kaminsky took a known concept and did the hard engineering work to make it feasible. To slightly misuse a quote that's more often applied to crypto, "amateurs worry about algorithms; pros worry about economics". The economics of the attack have now changed. (And we need to get DNSSEC deployed before they change even further.) --Steve Bellovin, http://www.cs.columbia.edu/~smb
jmamodio@gmail.com ("Jorge Amodio") writes:
As I mentioned in another message, perhaps it's time to get serious about DNSSEC. Where are we on this front?
still waiting for US-DoC to give ICANN permission to sign the root zone. -- Paul Vixie
jmamodio@gmail.com ("Jorge Amodio") writes:
As I mentioned in another message, perhaps it's time to get serious about DNSSEC. Where are we on this front?
Still waiting for US-DoC to give ICANN/IANA permission to sign the root zone. -- Paul Vixie
Neil Suryakant Patel is the nominee for AS for Communications and Information at DoC. If he's in the loop, even "advisory pending ...", and as a Cheney staffer (initially staff secretary, now as a domestic and economic policy adviser), that's possible, then adjust expectations accordingly. Paul Vixie wrote:
jmamodio@gmail.com ("Jorge Amodio") writes:
As I mentioned in another message, perhaps it's time to get serious about DNSSEC. Where are we on this front?
Still waiting for US-DoC to give ICANN/IANA permission to sign the root zone.
The problem is, once the ICANNt root is self-signed, the hope of ever revoking that dysfunctional mess as authority is gone. Perhaps the IETF or DoC should sign the root, that way we have a prayer of wresting control from ICANN, as opposed to paying a tax, in perpetuity, for registration services to an unaccountable, unelected, and imperious body? Some of us don't think the UN/EU/ITU are good models for governance. IE: Separation of powers. ICANN/IANA is granted (interim) authority to operate, but some other governing body signs.
-----Original Message----- From: Paul Vixie [mailto:vixie@isc.org] Sent: Thursday, July 24, 2008 9:13 AM To: nanog@merit.edu Subject: Re: Exploit for DNS Cache Poisoning - RELEASED
jmamodio@gmail.com ("Jorge Amodio") writes:
As I mentioned in another message, perhaps it's time to get serious about DNSSEC. Where are we on this front?
Still waiting for US-DoC to give ICANN/IANA permission to sign the root zone. -- Paul Vixie
On Jul 24, 2008, at 4:24 PM, Tomas L. Byrnes wrote:
The problem is, once the ICANNt root is self-signed, the hope of ever revoking that dysfunctional mess as authority is gone.
Sorry, I don't follow -- sounds like FUD to me. Care to explain this? As far as I'm aware, as long as the KSK isn't compromised, changing the organization who holds the KSK simply means waiting until the next KSK rollover and have somebody else do the signing.
Perhaps the IETF
You mean oh say IANA?
or DoC
That'll be popular in the international community.
should sign the root, that way we have a prayer of wresting control from ICANN, as opposed to paying a tax, in
perpetuity, for registration services to an unaccountable, unelected, and imperious body?
Registration fees are unrelated to signing the root, but thanks for the gratuitous ICANN bashing. It was missing in this thread -- I was wondering when it would show up.
Some of us don't think the UN/EU/ITU are good models for governance.
Indeed.
IE: Separation of powers. ICANN/IANA is granted (interim) authority to operate, but some other governing body signs.
So you want to increase the role ICANN/IANA has in root zone management. Interesting. Regards, -drc
On Thu, 24 Jul 2008 17:43:10 PDT, David Conrad said:
On Jul 24, 2008, at 4:24 PM, Tomas L. Byrnes wrote:
The problem is, once the ICANNt root is self-signed, the hope of ever revoking that dysfunctional mess as authority is gone.
As far as I'm aware, as long as the KSK isn't compromised, changing the organization who holds the KSK simply means waiting until the next KSK rollover and have somebody else do the signing.
That's true if the ICANN KSK is signed *by some other entity* - that entity can then force a change by signing some *other* KSK for the next rollover. If the ICANN key is self-signed as Tomas hypothesizes, then that leverage evaporates. If
Valdis, On Jul 24, 2008, at 6:05 PM, Valdis.Kletnieks@vt.edu wrote:
On Thu, 24 Jul 2008 17:43:10 PDT, David Conrad said:
On Jul 24, 2008, at 4:24 PM, Tomas L. Byrnes wrote:
The problem is, once the ICANNt root is self-signed, the hope of ever revoking that dysfunctional mess as authority is gone.
As far as I'm aware, as long as the KSK isn't compromised, changing the organization who holds the KSK simply means waiting until the next KSK rollover and have somebody else do the signing.
That's true if the ICANN KSK is signed *by some other entity* - that entity can then force a change by signing some *other* KSK for the next rollover.
If the ICANN key is self-signed as Tomas hypothesizes, then that leverage evaporates.
Except it doesn't work like that. As has been presented in numerous places (RIPE, ICANN, etc.), Richard Lamb has been working with the usual suspects (the Swedish DNSSEC mafia, NLNetLabs folks, Nominet folks, etc.) to come up with a secure, trustable, and accountable architecture for doing the signing. If a miracle happens and IANA were to be allowed to sign the root and then was told to give it to someone else, all that would need to be done would be for IANA staff to hand over the HSM, PIN codes and cards to someone else. Of course, part of the architecture is that there is more than one card and that someone other than IANA would hold the second card (i.e., the same sort of thing you see in US missile silos), but that's somewhat irrelevant to a discussion about how the "dysfunctional mess" would have its "authority" revoked. I suppose one could argue that ICANN could refuse to hand over the HSM, the PIN codes and cards, but given ICANN is a California-incorporated company providing the IANA functions under a contract with the US government, I somehow doubt ICANN would be in any position to refuse. Federal Marshals can be quite persuasive I'm told. Of course, all of this is academic since I figure it is highly unlikely IANA will be permitted to sign the root. If anyone, my money is on VeriSign (you remember them...) but it may be some other Beltway Bandit as Paul suggests. Regards, -drc
In what way is the EU's governance model the same as, or anything similar, to the UN's or ITU's? This argument gets increasingly silly. Hell, when did ITU last let someone randomly take over a chunk of the e164 name space? On Fri, Jul 25, 2008 at 4:06 PM, David Conrad <drc@virtualized.org> wrote:
Valdis,
On Jul 24, 2008, at 6:05 PM, Valdis.Kletnieks@vt.edu wrote:
On Thu, 24 Jul 2008 17:43:10 PDT, David Conrad said:
On Jul 24, 2008, at 4:24 PM, Tomas L. Byrnes wrote:
The problem is, once the ICANNt root is self-signed, the hope of ever revoking that dysfunctional mess as authority is gone.
in <http://permalink.gmane.org/gmane.linux.redhat.fedora.general/306278> we see this text: The DNS attacks are starting!!! Below is a snippet of a logwatch from last night. Be sure all DNS servers are updated if at all possible. The spooks are out in full on this security vulnerability in force. THIS IS YOUR LAST WARNING...!!! Patch or Upgrade NOW! ... this ought to be an interesting weekend. -- Paul Vixie
Paul Vixie wrote:
in <http://permalink.gmane.org/gmane.linux.redhat.fedora.general/306278> we see this text:
The DNS attacks are starting!!!
Below is a snippet of a logwatch from last night. Be sure all DNS servers are updated if at all possible. The spooks are out in full on this security vulnerability in force.
THIS IS YOUR LAST WARNING...!!! Patch or Upgrade NOW!
...
this ought to be an interesting weekend.
I saw much more than this *from the same address* starting two days ago, and from several other blocks belonging to the same university starting last week, to my home router and another server. So far my better connected servers haven't been hit hard. (and no non-auto answer from "security" at that university...) -- Pete
On Fri, 2008-07-25 at 18:14 -0400, Pete Carah wrote:
I saw much more than this *from the same address* starting two days ago, and from several other blocks belonging to the same university starting last week, to my home router and another server. So far my better connected servers haven't been hit hard. (and no non-auto answer from "security" at that university...)
I saw this earlier in the week, along with queries for a domain name which happens to have been registered by Dan Kaminsky, so I emailed him about it. The addresses in question at Georgia Tech appear to be in use as part of Doxpara's scan for unpatched systems, which he confirmed. For those who are bothered, look out for queries from the same netblock of the form: rB6CIo_XgRlScY5K0iGISAAAAAAvygwAAAAAACujBAA=.ports.dns-integrity-scan.com/A/IN It's probably obvious to one and all what they should be for. And the fact that the queries are denied by correctly configured (i.e. non-open) resolvers makes it even less of a panic. The sky isn't falling... yet. Graeme
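As an added illustration of the check Graeme describes (this is example code, not anything posted in the thread): a small Python parser over constructed BIND 9 log lines that tallies queries for names under the scanner's domain and separates the ones the resolver refused from the ones it actually answered, since an answered probe means the resolver recursed for an outside client. The log formats, the addresses and the second probe label are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

SCAN_SUFFIX = ".ports.dns-integrity-scan.com"   # domain quoted in the thread

# Constructed BIND 9 log lines, not taken from the thread. The "denied" lines use
# the name/A/IN shape Graeme quoted; 198.51.100.0/24 and 192.0.2.0/24 are
# documentation ranges standing in for the scanner's and a local client's addresses.
SAMPLE_LOG = """\
25-Jul-2008 03:12:07.114 client 198.51.100.17#41232: query (cache) 'rB6CIo_XgRlScY5K0iGISAAAAAAvygwAAAAAACujBAA=.ports.dns-integrity-scan.com/A/IN' denied
25-Jul-2008 03:12:07.201 client 198.51.100.17#41233: query (cache) 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=.ports.dns-integrity-scan.com/A/IN' denied
25-Jul-2008 03:12:09.550 client 192.0.2.8#53001: query: www.example.net IN A + (192.0.2.53)
25-Jul-2008 03:12:11.003 client 198.51.100.44#41240: query: ZmFrZQ==.ports.dns-integrity-scan.com IN A + (192.0.2.53)
"""

ANSWERED_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<rtype>\w+)")  # query log: recursion done
DENIED_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query \(cache\) '(?P<name>[^/']+)/(?P<rtype>\w+)/IN' denied")

def parse_line(line):
    """Return (client_ip, qname, outcome) or None for lines that are neither form."""
    m = DENIED_RE.search(line)
    if m:
        return m["ip"], m["name"].lower().rstrip("."), "denied"
    m = ANSWERED_RE.search(line)
    if m:
        return m["ip"], m["name"].lower().rstrip("."), "answered"
    return None

def summarize_scan_queries(log_text, scan_netblock=None):
    """Map client_ip -> Counter of outcomes for names under SCAN_SUFFIX;
    scan_netblock (CIDR) optionally restricts counting to the scanner's block."""
    net = ip_network(scan_netblock) if scan_netblock else None
    report = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, qname, outcome = parsed
        if not qname.endswith(SCAN_SUFFIX):
            continue
        if net is not None and ip_address(ip) not in net:
            continue
        report[ip][outcome] += 1
    return dict(report)

def open_resolver_hits(report):
    """Scanner addresses whose probes were answered: the resolver recursed for an outside client, so it is open."""
    return sorted(ip for ip, c in report.items() if c["answered"])
```

Run it over the real query and security log channels rather than the logwatch summary; the summary collapses the per-name detail this relies on.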
On Fri, 2008-07-25 at 23:25 +0100, Graeme Fowler wrote:
I saw this earlier in the week, along with queries for a domain name which happens to have been registered by Dan Kaminsky, so I emailed him about it. The addresses in question at Georgia Tech appear to be in use as part of Doxpara's scan for unpatched systems, which he confirmed.
And for extra points, can anyone with access to the raw un-logwatched log entries tell us what's rather odd about the queries, given the current furore over... well, that'd give the answer ;-) Graeme
* Paul Vixie:
in <http://permalink.gmane.org/gmane.linux.redhat.fedora.general/306278> we see this text:
The DNS attacks are starting!!!
Below is a snippet of a logwatch from last night. Be sure all DNS servers are updated if at all possible. The spooks are out in full on this security vulnerability in force.
THIS IS YOUR LAST WARNING...!!! Patch or Upgrade NOW!
...
this ought to be an interesting weekend.
It's from a Georgia Tech address, so it's likely some sort of monitoring effort by David Dagon. I see it in my logs, too.
Lack of accountability, heavily bureaucratic, and dirigiste. Oh, and generally irrelevant/impotent in the real world of the streets/net and crime/insurgency/dictatorship.
-----Original Message----- From: Alexander Harrowell [mailto:a.harrowell@gmail.com] Sent: Friday, July 25, 2008 10:54 AM To: David Conrad Cc: nanog@merit.edu Subject: Re: Exploit for DNS Cache Poisoning - RELEASED
In what way is the EU's governance model the same as, or anything similar, to the UN's or ITU's? This argument gets increasingly silly. Hell, when did ITU last let someone randomly take over a chunk of the e164 name space?
On Fri, Jul 25, 2008 at 4:06 PM, David Conrad <drc@virtualized.org> wrote:
Valdis,
On Jul 24, 2008, at 6:05 PM, Valdis.Kletnieks@vt.edu wrote:
On Thu, 24 Jul 2008 17:43:10 PDT, David Conrad said:
On Jul 24, 2008, at 4:24 PM, Tomas L. Byrnes wrote:
The problem is, once the ICANNt root is self-signed, the hope of ever revoking that dysfunctional mess as authority is gone.
"Tomas L. Byrnes" <tomb@byrneit.net> wrote:
The problem is, once the ICANNt root is self-signed, the hope of ever revoking that dysfunctional mess as authority is gone.
that sounds like the kind of foot-dragging that could be holding this up.
Perhaps the IETF or DoC should sign the root, that way we have a prayer of wresting control from ICANN, as opposed to paying a tax, in perpetuity, for registration services to an unaccountable, unelected, and imperious body?
apparently when the internet was invented nobody gave any thought to all kinds of stuff including classful addressing (how were we going to route 16 million class C's anyway?), settlements (aren't AS701 and LVLT also somewhat imperious?), unwanted traffic (spam, DoS), address space longevity and/or conservation, routing table bloat and churn, traffic source authenticity (UDP, SMTP, syslog, ICMP, you name it)... and now you're trying to say that we don't know how to govern it long-term either?
Some of us don't think the UN/EU/ITU are good models for governance.
probably most of us. however, there are certain things that can only get done that way (country code assignments in postal and telephony space for example) and i try to keep this in mind and continually forgive those who mistakenly believe that IP addresses or domain names are like that at all.
IE: Separation of powers. ICANN/IANA is granted (interim) authority to operate, but some other governing body signs.
the other party would have to sign every change. probably that's what will happen, IANA will edit, USG will hire some beltway bandit to hold the keys and do the signing, and then the rootops will publish. and i'm ok with that except that it's taking too long to get it going, and i can't seem to find the person whose desk it's sitting on so that i can offer them my help. (noting that they may not need or want my help, but i'd rather offer my help than just sit back and complain.)
On Thu, 24 Jul 2008, Paul Ferguson wrote:
Let's hope some very large service providers get their act together real soon now.
There is always a tension between discovery, changing, testing and finally deployment.
Sure, I can empathize, to a certain extent. But this issue has been known for 2+ weeks now.
Not sure I can be very empathic now, given the seriousness, and the proper warning ISPs have been given.
Also recognize that some of the simple testing tools get a bit confused by some of the more complex DNS configurations used by the mega-ISP DNS clusters, and generate false positive (and maybe even false negative) results. You can see this happen when the testing tool reports widely different numbers of queries checked. Several of the ISPs with complex DNS clusters are patching and upgrading them; however, the current state of some of the patches wouldn't support the query load those providers normally experience. So they've been working on alternative mitigation strategies. However, it's difficult to know if the alternative strategies actually mitigate the actual threat without knowing the actual threat. And finally, there probably are some providers who haven't made plans to change their DNS. Unfortunately, the testing tools can't read minds (yet), so it's difficult to know which ISPs are in this category.
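Added example, not from the thread or from any of the testing tools it mentions: a Python sketch of how a source-port randomization check can grade a multi-address DNS cluster without the false positives Sean describes, by refusing to grade an egress address that contributed too few samples and grading the cluster on its pooled observations instead. The thresholds and the constructed sample data are assumptions.

```python
from collections import defaultdict

# Thresholds are assumptions for this example, not values from any real tester.
MIN_SAMPLES = 10      # fewer observations than this and we refuse to grade
MIN_SPREAD = 4096     # a narrower port range than this looks sequential/pooled

def grade_egress(ports):
    """Grade the source-port behaviour seen from one egress address."""
    if len(ports) < MIN_SAMPLES:
        return "INSUFFICIENT"
    distinct = len(set(ports))
    if distinct == 1:
        return "FIXED"                      # classic unpatched behaviour
    if distinct < 0.9 * len(ports) or max(ports) - min(ports) < MIN_SPREAD:
        return "POOR"                       # reuse, or a narrow/sequential range
    return "GOOD"

def assess_resolver(samples):
    """samples: (egress_ip, source_port) pairs one resolver service sent to the
    test authority. Grades each egress address, then the pooled set, so a cluster
    that spreads its queries across many addresses is not marked poor only
    because each address contributed a handful of samples."""
    by_ip = defaultdict(list)
    for ip, port in samples:
        by_ip[ip].append(port)
    per_egress = {ip: grade_egress(p) for ip, p in by_ip.items()}
    pooled = [p for ports in by_ip.values() for p in ports]
    bad = [g for g in per_egress.values() if g not in ("GOOD", "INSUFFICIENT")]
    overall = bad[0] if bad else grade_egress(pooled)   # any bad node taints the service
    return {"per_egress": per_egress, "queries_checked": len(pooled), "overall": overall}

# Constructed observations (not real data), using documentation address ranges.
RANDOM_PORTS = [41233, 5072, 61398, 17754, 33201, 58827, 2049, 49900, 11377, 63012,
                27431, 38590, 9144, 54318, 20765, 44976, 31202, 57643, 14088, 36519]
PATCHED = [("192.0.2.53", p) for p in RANDOM_PORTS]                                   # one randomising box
CLUSTER = [("198.51.100.%d" % (1 + i % 4), p) for i, p in enumerate(RANDOM_PORTS)]   # 4 egress IPs, 5 queries each
SEQUENTIAL = [("192.0.2.7", 40000 + i) for i in range(15)]                            # incrementing ports
UNPATCHED = [("203.0.113.9", 53)] * 12                                                # fixed source port

if __name__ == "__main__":
    for name, s in [("patched", PATCHED), ("cluster", CLUSTER),
                    ("sequential", SEQUENTIAL), ("unpatched", UNPATCHED)]:
        print(name, assess_resolver(s))
```

A tool that grades each egress address on its own would report the cluster case as four weak resolvers; the pooled grade shows the service as a whole is randomizing.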