[169786] in North American Network Operators' Group


Re: new DNS forwarder vulnerability

daemon@ATHENA.MIT.EDU (Laszlo Hanyecz)
Sat Mar 15 12:39:20 2014

From: Laszlo Hanyecz <laszlo@heliacal.net>
In-Reply-To: <53247F1A.8020404@baribault.net>
Date: Sat, 15 Mar 2014 16:36:09 +0000
To: Gary Baribault <gary@baribault.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Good question, but the reality is that a lot of them are this way.  They just forward everything from any source.  Maybe it was designed that way to support DDoS as a use case.

Imagine a simple iptables rule like -p udp --dport 53 -j DNAT --to 4.2.2.4
I think some forwarders work this way - the LAN addresses can be reconfigured and so it's probably easier if the rule doesn't check the source address... or maybe it was designed to work this way on purpose, because it's easy to explain as a 'bug' or oversight, rather than deliberate action.  Of course, it's crazy to think that some person or organization deliberately did this so they would have a practically unlimited amount of DoS sources.

-Laszlo


On Mar 15, 2014, at 4:26 PM, Gary Baribault <gary@baribault.net> wrote:

> Why would a CPE have an open DNS resolver from the WAN side?
>
> Gary Baribault
>
> On 03/14/2014 12:45 PM, Livingood, Jason wrote:
>> Well, at least all this CPE checks in for security updates every night so
>> this should be fixable. Oh wait, no, nevermind, they don't. :-(
>>
>>
>> This is getting to be the vulnerability of the week club for home gateway
>> devices - quite concerning.
>>
>> JL
>>
>> On 3/14/14, 12:05 PM, "Merike Kaeo" <merike@doubleshotsecurity.com> wrote:
>>
>>> On Mar 14, 2014, at 7:06 AM, Stephane Bortzmeyer <bortzmeyer@nic.fr>
>>> wrote:
>>>
>>>> On Fri, Mar 14, 2014 at 01:59:27PM +0000,
>>>> Nick Hilliard <nick@foobar.org> wrote
>>>> a message of 10 lines which said:
>>>>
>>>>> did you characterise what dns servers / embedded kit were
>>>>> vulnerable?
>>>> He said "We have not been able to nail this vulnerability down to a
>>>> single box or manufacturer" so it seems the answer is No.
>>>
>>>
>>> It is my understanding that many CPEs work off of same reference
>>> implementation(s).  I haven't
>>> had any cycles for this but with all the CPE issues out there it would be
>>> interesting to have
>>> a matrix of which CPEs utilize which reference implementation.  That may
>>> start giving some clues.
>>>
>>> Has someone / is someone doing this?
>>>
>>> - merike
>>>
>>
>>
>
>
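As an added example (not code from the thread or from any vendor), a small audit of iptables-save output for the rule pattern Laszlo describes: a PREROUTING DNAT to port 53 with no source-address or ingress-interface match, which is exactly what lets a CPE forwarder answer queries arriving from the WAN. The rule lines and the interface name br-lan are constructed for the example.

```python
"""Audit iptables NAT rules for DNS forwards that accept queries from any
source.  Added example; the rule text below is a constructed sample."""
import shlex

# Constructed iptables-save fragment for a hypothetical CPE.  Line 1 is the
# open forwarder from the thread; line 2 negates the LAN interface, which
# still admits WAN traffic; lines 3 and 4 are properly restricted to the LAN.
SAMPLE_RULES = """\
*nat
-A PREROUTING -p udp --dport 53 -j DNAT --to-destination 4.2.2.4
-A PREROUTING ! -i br-lan -p udp --dport 53 -j DNAT --to-destination 4.2.2.4
-A PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to-destination 4.2.2.4
-A PREROUTING -s 192.168.1.0/24 -p tcp --dport 53 -j DNAT --to-destination 4.2.2.4
-A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.5
COMMIT
"""


def parse_rule(line):
    """Pull out the matches that matter: dport, target, and any source or
    ingress-interface restriction.  A negated match ('! -i', '! -s') does
    not restrict the rule to the LAN, so it is not recorded as a restriction."""
    tokens = shlex.split(line)
    opts = {"dport": None, "target": None, "src": None, "in_if": None}
    neg = False
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "!":
            neg = True
            continue
        if tok in ("--dport", "--destination-port"):
            opts["dport"] = nxt
        elif tok == "-j":
            opts["target"] = nxt
        elif tok in ("-s", "--source") and not neg:
            opts["src"] = nxt
        elif tok in ("-i", "--in-interface") and not neg:
            opts["in_if"] = nxt
        neg = False
    return opts


def find_open_dns_forwards(rules_text):
    """Return PREROUTING lines that DNAT port 53 without a positive source or
    ingress-interface match, i.e. forwarders reachable from the WAN side."""
    hits = []
    for line in rules_text.splitlines():
        if not line.startswith("-A PREROUTING"):
            continue
        o = parse_rule(line)
        if o["dport"] == "53" and o["target"] == "DNAT" and not (o["src"] or o["in_if"]):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for rule in find_open_dns_forwards(SAMPLE_RULES):
        print("open DNS forward:", rule)
```

Run it against real output from `iptables-save -t nat` on a gateway; the fix for each hit is to add an `-i <lan-interface>` or `-s <lan-prefix>` match so only LAN clients reach the forwarder.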