WRT54G and CVE-2008-1447 (DNS cache poisoning vulnerability)

Is the WRT54G affected by the DNS cache poisoning vulnerability described in CVE-2008-1447 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447)?
If so, can we expect a patch, and when? Are there any steps we can do to protect ourselves from attack in the meanwhile?
Many thanks,
RogerB

No, I have an acceptable external DNS provider.
Both my XP and Debian PCs required software updates for CVE-2008-1447 according to the Microsoft and Debian websites. This suggests that the router may need similar attention, particularly as it resolves hostnames to IP addresses for me on my home network. For all I know, it may even be based on Debian (I know that routers include GPL software which requires Linksys to publish several megabytes of GPL code).
To rephrase my question, does the firmware on the WRT54G include programs such as BIND9, which are affected by CVE-2008-1447? If so, when can we expect an update for the firmware which includes fixes for any such programs?
As a follow on question, if the firmware does require updating, are there any settings that I can change, or actions that I can avoid, to ensure my home network remains safe from a DNS cache poisoning attack in the meantime?
Many thanks,
RogerB

Similar Messages

  • DNS Cache Poisoning Signature

    Is there a signature available for the new Bind 9 DNS Cache Poisoning vulnerability/exploit.
    See reference
    http://www.securityfocus.com/bid/25037/info

    From our research on the subject, we do not believe a high-fidelity signature can be created to detect this attack. The nature of the traffic used in the attack is legitimate and as a successful attack requires some guess-work and timing, there are too many variables to detect any sort of pattern in the traffic used. The initial part of the attack occurs when a user accesses a malicious link. Standard user training should mitigate this vector if users avoid accessing unsolicited links. Updates are also available to patch systems. For more information, please see Intellishield alert number 13831:
    https://intellishield.cisco.com/security/alertmanager/basicSearch.do?dispatch=1&UID=13831
    We will continue to monitor the situation regarding this vulnerability and take appropriate action when necessary.

  • DNS cache poisoning, 4004

    Can we get some details on what this signature is looking at? Does it do anything more intelligent than look at query throughput? I'm thinking something more along the lines of these Snort rules:
    #by many very smart people
    # This may be a high load sig. Take time and seriously consider
    # that your dns_servers var is set as narrowly as possible
    alert udp any 53 -> $DNS_SERVERS any (msg:"ET CURRENT_EVENTS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt"; byte_test:2,>,0,6; byte_test:2,>,0,10; threshold: type both, track by_src, count 100, seconds 10; classtype:bad-unknown; sid:2008446; rev:8;)
    #this will catch large numbers of nxdomain replies, a sign that someone may be trying to poison you
    alert udp any 53 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Excessive NXDOMAIN responses - Possible DNS Poisoning Attempt Backscatter"; byte_test:1,&,128,2; byte_test:1,&,3,1,relative; threshold: type both, track by_src, count 100, seconds 10; classtype:bad-unknown; sid:2008470; rev:1;)

    4004 just looks for a flood basically. In s347, we're making that pps rate visible. That number is currently set at 500.
    I will say that DNS responses with more than 1 RR are completely normal and happen all the time. I was watching some of my own DNS traffic and I was getting responses with multiple RRs from things like Yahoo, Google, CNN... completely normal and legitimate, nothing odd about it.
    Does homing in on that make a sig any more specific? Not really; it's still a flood. It's the rate that's the kicker, and what works for small shops doesn't work for large shops, so you do have to have some handle on what you "normally" see. I'm not saying that looking for more might not be something that's useful, but it'll largely depend on what you normally see.
    The traffic itself is legitimate, albeit crammed with bogus data.
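The rate-based logic described in this reply, as an added example that is not code from the thread or from Emerging Threats: a small Python detector that applies the header checks of the two rules quoted above (ANCOUNT/ARCOUNT for sid:2008446, QR and RCODE for sid:2008470) and the `count 100, seconds 10, track by_src` threshold to a constructed capture. The packet tuples, addresses and traffic mix are assumptions made up for the example.

```python
import struct
from collections import defaultdict, deque

QR_BIT = 0x8000        # flags word bit 15: 1 = this packet is a response
RCODE_MASK = 0x000F    # flags word low nibble: response code
RCODE_NXDOMAIN = 3


def parse_header(payload: bytes):
    """Unpack the 12-byte DNS header into
    (txid, flags, qdcount, ancount, nscount, arcount)."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!HHHHHH", payload[:12])


def matches_2008446(payload: bytes) -> bool:
    """The two byte_tests in sid:2008446: ANCOUNT > 0 (offset 6) and
    ARCOUNT > 0 (offset 10). Note the rule never checks the QR bit."""
    _, _, _, ancount, _, arcount = parse_header(payload)
    return ancount > 0 and arcount > 0


def matches_2008470(payload: bytes) -> bool:
    """Intent of sid:2008470: a response (QR=1) whose RCODE is NXDOMAIN."""
    _, flags, *_ = parse_header(payload)
    return bool(flags & QR_BIT) and (flags & RCODE_MASK) == RCODE_NXDOMAIN


class BySrcThreshold:
    """Emulates `threshold: type both, track by_src, count N, seconds S`:
    fire once when a source reaches N matches inside S seconds, then stay
    quiet for that source until S seconds after the alert."""

    def __init__(self, count: int = 100, seconds: float = 10.0):
        self.count, self.seconds = count, seconds
        self.window = defaultdict(deque)   # src -> match timestamps in window
        self.last_alert = {}               # src -> timestamp of last alert

    def observe(self, ts: float, src: str) -> bool:
        q = self.window[src]
        q.append(ts)
        while ts - q[0] > self.seconds:    # drop matches that left the window
            q.popleft()
        if len(q) < self.count:
            return False
        last = self.last_alert.get(src)
        if last is not None and ts - last < self.seconds:
            return False                   # already alerted in this window
        self.last_alert[src] = ts
        return True


def make_response(txid: int, rcode: int = 0, ancount: int = 0, arcount: int = 0) -> bytes:
    """Constructed test data: a bare response header (the byte_tests only
    look at the header, so no question or RR bodies are needed)."""
    flags = QR_BIT | (rcode & RCODE_MASK)
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, arcount)


def scan(packets, count: int = 100, seconds: float = 10.0):
    """Run both rules over (timestamp, src_ip, dns_payload) tuples and return
    the alerts as (sid, timestamp, src_ip)."""
    rr_flood, nx_flood = BySrcThreshold(count, seconds), BySrcThreshold(count, seconds)
    alerts = []
    for ts, src, payload in packets:
        try:
            rr, nx = matches_2008446(payload), matches_2008470(payload)
        except ValueError:
            continue                       # not a DNS header, skip
        if rr and rr_flood.observe(ts, src):
            alerts.append((2008446, ts, src))
        if nx and nx_flood.observe(ts, src):
            alerts.append((2008470, ts, src))
    return alerts


def demo():
    """Constructed capture: a normal resolver returning multi-RR answers at
    5/s (never near 100 in 10 s) plus a guessing host firing 150 NXDOMAIN
    responses in 3 s, the kind of burst the rate thresholds are tuned for."""
    packets = []
    for i in range(50):                    # 50 legitimate answers over 10 s
        packets.append((i * 0.2, "198.51.100.53",
                        make_response(0x1000 + i, ancount=2, arcount=1)))
    for i in range(150):                   # 150 NXDOMAINs between t=1 and t=4
        packets.append((1.0 + i * 0.02, "203.0.113.66",
                        make_response(i, rcode=RCODE_NXDOMAIN)))
    packets.sort(key=lambda p: p[0])
    return scan(packets)


if __name__ == "__main__":
    for sid, ts, src in demo():
        print(f"sid:{sid} at t={ts:.2f}s from {src}")
```

The constructed capture makes the point of the reply visible: the legitimate multi-RR answers satisfy the first rule's byte_tests on every packet but never reach the threshold, so only the NXDOMAIN flood alerts, and only once per window. Lower `count` or `seconds` to see how quickly ordinary resolver traffic starts to trip it.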

  • W2003 DNS cache snooping vulnerability for PCI-DSS compliance.

    Hi everyone.
    How can I solve this security vulnerability reported by Nessus (security software) with W2003's DNS?
    DNS Server Cache Snooping Remote Information Disclosure
    Synopsis:
    The remote DNS server is vulnerable to cache snooping attacks.
    Description:
    The remote DNS server responds to queries for third-party domains that do not have the recursion bit set. This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited. For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attack to build a statistical model regarding company usage of that financial institution.
    Of course, the attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more. Note: If this is an internal DNS server not accessible to outside networks, attacks would be limited to the internal network. This may include employees, consultants and potentially users on a guest network or WiFi connection if supported.
    Risk factor:
    Medium
    CVSS Base Score:5.0
    CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
    See also:
    http://www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf
    Solution:
    Contact the vendor of the DNS software for a fix.
    Plugin output:
    Nessus sent a non-recursive query for example.com and received 1 answer : 192.0.43.10
    I have been searching for a solution on the web...but I was unable to find one that would let me keep using "recursion" at our DNS server.
    We have an internal DNS server for Active Directory, with a forwarder to resolve external internet domains, as is required by our application...but now the only way to fix this is to disable "recursion", and we are working with external IP addresses instead of internet DNS names...but this is not a good solution for us.
    I found something about splitting DNS functions, but my point is that we have all the servers, internal and DMZ, inside the same AD domain...so we need to use the same AD-integrated DNS server, notwithstanding we must resolve external DNS records for our application...How can I do this without getting the same vulnerability again? I don't know how to do it disabling "recursion"...If I disable recursion I will be unable to resolve external DNS names.
    Any suggestion will be really appreciated!!
    thx!!

    That's basically for your internet facing DNS. I wouldn't worry about it too much for internal DNS, since that's only hosting your internal AD zone.
    Other than setting the "Secure cache against pollution" setting, you can also opt to disable caching of all records so each and every query is a fresh query. This actually fixes CNAME vs A record TTL mismatch issues too, whether or not you're seeing them; I just wanted to add that:
    Description of DNS registry entries in Windows 2000 Server, part 2 of 3 (applies to 2003, 2008 & 2008 R2)
    http://support.microsoft.com/kb/813964
    Cannot resolve names in certain top level domains like .co.uk.
    http://blogs.technet.com/b/sbs/archive/2009/01/29/cannot-resolve-names-in-certain-top-level-domains-like-co-uk.aspx
    ============
    To turn off or disable local cache: (Windows 2000 notes, but they apply to all current OS's)
    Set the MaxCacheTtl to 0 in the registry or use Dnscmd
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters
       Value:     MaxCacheTtl
       Type:     DWORD
       Default:  NoKey (Cache for up to one day)
       Function: Set maximum caching TTL.
    MaxCacheTtl
    Type: DWORD
    Default value: 0x15180 (86,400 seconds = 1 day)
    Function: Determines how long the DNS server can save a record of a
    recursive name query.
    You can use the MaxCacheTtl registry entry to specify how long the DNS
    server can save a record of a recursive name query.
    If the value of the MaxCacheTtl entry is 0x0, the DNS server does not save
    any records.
    The DNS server saves the records of recursive name queries in a memory cache
    so that it can respond quickly to new queries for the same name. Records are
    deleted from the cache periodically to keep the cache content current. The
    interval when the records remain in the cache typically is determined by the
    value of the Time to Live (TTL) field in the record. The MaxCacheTtl entry
    establishes the maximum time that records can remain in the cache. The DNS
    server deletes records from the cache when the value of this entry expires,
    even if the value of the TTL field in the record is greater.
    Change method
    To change the value of the MaxCacheTtl entry, use Dnscmd.exe, a tool that is
    included with the Windows 2000 Support Tools. The change is effective
    immediately so that you do not have to restart the DNS server.
    Start method
    DNS reads its registry entries only when it starts. If you change the value
    of the MaxCacheTtl entry by editing the registry, the changes are not
    effective until you restart the DNS server.
    Note the following items:
    • Windows 2000 does not add the MaxCacheTtl entry to the registry. You can add it by editing the registry or by using a program that edits the registry.
    • The MaxCacheTtl entry does not affect Windows Internet Name Service (WINS) data that is saved in the DNS memory cache. WINS data is saved until the Cache Timeout Value on the WINS record expires. To view or change the Cache Timeout Value on the WINS record, use the DNS snap-in. Right-click a zone name, click Properties, click the WINS tab, and then click Advanced.
    ===============================
    Ace
    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.
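The check Nessus is performing, reproduced as an added example (not from the thread, and not Nessus or Microsoft code): a Python script that builds an A query with the recursion-desired bit clear, the way the plugin output above describes, and classifies the reply header. The name, the address and the response bytes are constructed to mirror the plugin output; `snoop()` is the optional live version and assumes UDP/53 reachability to a server you are authorised to test.

```python
import socket
import struct

FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080
RCODE_REFUSED = 5


def encode_name(name: str) -> bytes:
    """example.com -> b'\\x07example\\x03com\\x00' (wire-format labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, txid: int = 0x1234, recursive: bool = False) -> bytes:
    """A-record query. For a snoop RD stays clear, so a resolver may only
    answer from what it already holds (its cache or its own zones)."""
    flags = FLAG_RD if recursive else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)   # QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def classify(response: bytes) -> str:
    """Interpret the header of the reply to a non-recursive query."""
    if len(response) < 12:
        return "malformed"
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if not (flags & FLAG_QR):
        return "not-a-response"
    if (flags & 0xF) == RCODE_REFUSED:
        return "refused"            # server declines non-recursive lookups
    if ancount and (flags & FLAG_AA):
        return "authoritative"      # server hosts the zone itself; not a snoop
    if ancount:
        return "cached"             # answered without AA and without recursing
    return "not-cached"             # empty answer or referral with RD=0


def fake_cached_answer(name: str, ip: str, txid: int = 0x1234) -> bytes:
    """Constructed reply mirroring the plugin output in the post: one A answer
    with QR=1, RA=1, AA=0 and RD=0."""
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RA, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = (b"\xc0\x0c"                            # pointer to the name at offset 12
              + struct.pack("!HHIH", 1, 1, 3600, 4)  # type A, class IN, TTL, RDLENGTH
              + socket.inet_aton(ip))
    return header + question + answer


def fake_refused(txid: int = 0x1234) -> bytes:
    """Constructed reply from a server that refuses the non-recursive query."""
    return struct.pack("!HHHHHH", txid, FLAG_QR | RCODE_REFUSED, 1, 0, 0, 0)


def snoop(server: str, name: str, timeout: float = 2.0) -> str:
    """Live check (not exercised offline): send the non-recursive query and
    classify whatever comes back."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(512)
    if data[:2] != query[:2]:
        return "txid-mismatch"
    return classify(data)


if __name__ == "__main__":
    print(classify(fake_cached_answer("example.com", "192.0.43.10")))  # cached
    print(classify(fake_refused()))                                      # refused
```

Against an AD-integrated server that forwards for internal clients, "cached" is the expected result for any name a client looked up recently; what turns it into a finding is who can reach port 53, which is the point made in the reply above.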

  • DNS cache poisoning flaw

    see: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9108378&intsrc=news_ts_head There are plenty of other articles out there, too... Is this (or are other) router(s) affected in any way by this? I mean, is there DNS software that needs patching? And if so, when might it be available? Apologies if this is a particularly ignorant question. I'm not too bad with a PC generally, but when it comes to networking, I'm just not too bright. TIA. Take care, and peace.

    I ran the DNS test (http://www.doxpara.com/?p=1176), on the website of the person who discovered this security hole, and the test indicates that while my ISP has fixed their DNS, my Linksys wireless router (WRT54G) is compromised. Specifically, the test reports:
    Your name server, at 68.238.128.37, may be safe, but the NAT/Firewall in front of it appears to be interfering with its port selection policy. The difference between largest port and smallest port was only 50.
    I have been unable to locate any information on the Linksys site that indicates a plan to release new firmware for Linksys routers. The only links I have found point to Cisco, where the plan is to fix their "heavy iron" routers.
    Can someone from Linksys comment on plans to fix the Linksys router firmware base?
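What the doxpara result above is measuring, as an added example (not the thread's code and not the doxpara test itself): a Python script that takes (source port, transaction ID) pairs from a resolver's outbound queries, as you would pull from a capture taken on the WAN side of the router, and reports the spread, repetition and sequencing of the ports. The two sample sets are constructed and the thresholds are assumptions for the example.

```python
import math
import random

FIELD_BITS = 16   # the UDP source port and the DNS transaction ID are both 16-bit


def assess(samples, min_spread=20000, min_distinct=0.9):
    """samples: sequence of (src_port, txid) pairs from outbound queries.
    min_spread and min_distinct are assumed thresholds for this example: a
    resolver that randomises should use most of the 16-bit range and almost
    never reuse a port within a short capture."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two queries to judge randomisation")
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    report = {
        "samples": n,
        "port_spread": max(ports) - min(ports),
        "distinct_port_ratio": len(set(ports)) / n,
        "sequential_ports": all(b - a == 1 for a, b in zip(ports, ports[1:])),
        "txid_spread": max(txids) - min(txids),
        "distinct_txid_ratio": len(set(txids)) / n,
    }
    reasons = []
    if report["sequential_ports"]:
        reasons.append("source port increments by one per query")
    if report["port_spread"] < min_spread:
        reasons.append("port spread %d is below %d" % (report["port_spread"], min_spread))
    if report["distinct_port_ratio"] < min_distinct:
        reasons.append("ports repeat, so the NAT draws from a small pool")
    if report["distinct_txid_ratio"] < min_distinct:
        reasons.append("transaction IDs repeat")
    # Crude estimate of what an off-path attacker must guess per query:
    # 16 bits of TXID plus however much the port actually varies.
    port_bits = 0.0 if report["sequential_ports"] else min(FIELD_BITS, math.log2(report["port_spread"] + 1))
    report["approx_guess_bits"] = round(FIELD_BITS + port_bits, 1)
    report["reasons"] = reasons
    report["verdict"] = "poor" if reasons else "good"
    return report


def sample_sequential_nat(n=100, base=40000, seed=1):
    """Constructed: a NAT that rewrites every outbound port to the next free
    one, the pattern behind a reported spread of a few dozen ports. The
    resolver's own TXIDs are random, which does not help."""
    rng = random.Random(seed)
    return [(base + i, rng.randrange(1 << FIELD_BITS)) for i in range(n)]


def sample_randomised(n=100, seed=1):
    """Constructed: a patched resolver choosing a fresh random ephemeral port
    and a random TXID for every query, with no NAT rewriting in between."""
    rng = random.Random(seed)
    return [(rng.randrange(1024, 1 << FIELD_BITS), rng.randrange(1 << FIELD_BITS))
            for _ in range(n)]


if __name__ == "__main__":
    for label, s in (("sequential NAT", sample_sequential_nat()),
                     ("randomised", sample_randomised())):
        r = assess(s)
        print(f"{label}: {r['verdict']} (port spread {r['port_spread']}, "
              f"~{r['approx_guess_bits']} bits to guess) {r['reasons']}")
```

A resolver behind a NAT that rewrites source ports sequentially shows up exactly like the quoted result: the transaction IDs look fine but the port spread is tiny, so the attacker is back to guessing a 16-bit value. Capture on the router's WAN interface, because a capture on the LAN side shows the pre-NAT ports and will look healthy even when the NAT is undoing the randomisation.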

  • ARP Cache Poison reported in Norton AntiVirus for Mac

    The MAC address from my new gen Apple TV is being tagged from Norton Antivirus as sending an ARP Cache Poison. Anything to care about, folks?

    DNS cache poisoning affects certain versions of named and is used by miscreants to redirect access requests to sites they control. It's likely that the warning you're receiving is a false alarm, but it could be valid if either your computer or your ATV has been compromised.
    Check Norton's web site or contact their technical support to be sure. It's not a warning I would simply ignore, as it would indicate a serious security breach if it's valid.

  • 2008 MBP DNS issues Wifi and DPC3825

    We are visiting a beach house and have about a dozen iDevices that all connect successfully via WiFi to Mediacom broadband via a Cisco DPC3825 cable modem. Only a 2008 MBP with 10.8.2 will not resolve DNS lookups.
    A 2011 MBA also with 10.8.2 works fine. The MBP is configured with the exact same DNS servers. The MBP gets an IP address and I can ping any IP address but Lookup fails using the network utility. I can get an IP address on the MBA and surf it directly by entering it into Safari on the malfunctioning MBP. I tried changing the DNS server to 8.8.8.8 but no joy. Also have flushed the DNS cache. This is the strangest Mac networking problem I have seen in some time. Anyone have any suggestions?
    Thanks

    Nothing is blocking his traffic.  The fact that ping works by IP and not by name indicates that DNS client service is not working properly on the Mac in question.  I bet that's your problem.  Unfortunately, I don't know how to tell you to fix that, but that's probably the best place to start looking.  If this was a Windows machine, I'd have you check the winsock stack and do a reset as well as check to make sure DNS Client was started as a service.  **** if I know where in OSX this functionality is.  That's what ***** about OSX... they don't give you a lot of control over stuff like this and when it breaks, it's not easy to fix or even check if things are working since everything is via plists and daemons, etc.
    I would check in Activity Monitor if mDNSResponder is listed as a process.  If it isn't, then that's your issue.

  • Where Is My DNS Cache And How Do I Clear It?

    I'm using Timbuktu to reach my desktop iMac remotely. I subscribe to DYNDNS to detect IP changes. Recently, after a blackout, I could not reach the iMac remotely via DYNDNS. I WAS able to use the new IP (which I had someone look up for me) and Timbuktu connected just fine.
    After contacting DYNDNS, they told me to clear my DNS cache, as that was probably the reason why their detecting system could not see the new IP.
    My head is spinning. Can some kindly tell me where the DNS cache is on my iMac 10.4.11 and how to clear it? (For idiots, please).
    Many thanks
    ---Gary

    Yes, it's clear. Thanks.
    I'm just too nervous to try this until my Mac Guru is sitting here. I can't unscramble anything I screw up...and that's a pretty good possibility based on past events.
    Again, thanks
    Gary

  • Generate DNS Cache

    Hi Experts,
    What is meant by generating DNS Cache for resolving the domain names faster in server 2008.
    How it is configured and what are its advantages.....???Any suggestions...
    Thank You.

    Hi,
    A DNS cache is a small database maintained by a computer's operating system. The DNS server can use its own cache of resource record information to answer a query without contacting other DNS servers on behalf of the requesting client to fully resolve the name.
    For more detailed information, please check the process of DNS query:
    How DNS query works
    You can view the DNS cache by running the PowerShell commands as below:
    Show-DnsServerCache –ComputerName "xxx.xxx.xxx(FQDN of the DNS server)"
    Or you can check that in DNS snap-in:
    From the View menu, select Advanced, then select the Cached Lookups tree node from the left-hand pane to display the top-level domains under. (root), and expand any of these domains to view the cached DNS information.
    Best regards,
    Susie
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • Java Vulnerabilities CVE-2008-5353

    There is an exploit in Java on Mac Systems and I'm wondering when Apple will be fixing it? I updated to 10.5.7 today and it's still not fixed.
    Read about it here: http://www.theregister.co.uk/2009/05/19/unpatchedapplevulnerability/
    You can see an example of it working here on the latest patched system:
    http://landonf.bikemonkey.org/2009/05/19#CVE-2008-5353.20090519

    No, no, you guys have it all wrong. Haven't you seen the latest TV ads? Security patches are annoying nuisances that only PCs have to put up with. If Apple were to patch this flaw, then they would be guilty of false advertising since the ads don't contain any "fine print" legal copy.
    But seriously, now that the bug has been posted on slashdot, Apple will probably start working on a patch. I think slashdot is Apple's primary source for information about security vulnerabilities in their own OS. For example, people knew about the ARDAgent / AppleScript privilege escalation vulnerability for years but it went unpatched until it was posted on slashdot. The Kaminsky DNS vulnerability was patched by everyone except Apple, then a slashdot post appeared pointing that out, and lo and behold, Apple released a patch.

  • DNS caching problem when configuring Windows clients for SCAN

    I have a Windows 2008 R2 server running apps that connect to a RAC cluster database using the SCAN address. The SCAN address however always returns the same IP when you ping it from that server. If I flush the DNS cache I get a different address, but again the same one all the time. I believe this is caused by the fact that DNS caching is enabled on Windows by default. This has caused problems when one of the RAC nodes goes south and the cached SCAN IP is not responding. The applications lose their connections, try to reconnect, but can't because they keep using the same dead SCAN IP.
    I suggested we disable the DNS Client service on those machines so that the SCAN name correctly cycles through the addresses but the Windows admin says not to do this. Is there a documented practice somewhere that this is OK to do for Windows RAC clients? Or is there a way to disable caching just on the SCAN name but leave it enabled from every other host name?
    TIA

    What happened was the SCAN VIP did not fail over. The node VIP did not fail over. The database instance was running but I could not connect to it even locally as sysdba. I got the message "protocol adapter error". This normally only occurs on Windows for local connections when either (a) the Oracle service is not running, or (b) you didn't set the ORACLE_SID variable correctly. Neither was true.
    I tried "crsctl stop crs" but it could not stop the listeners.
    I rebooted the server. During the reboot, neither the VIP nor the SCAN VIPs failed over. It's almost as if CRS either didn't recognize that the other node had been shut down, or it didn't care.
    I have never seen this happen before.
    For the record this is Oracle RAC 11.2.0.1.

  • WRT54GS and poor performance?

    I've owned a WRT54GS for about 3 months, and I simply can't get any faster than 1/2 of the 54mbps standard, let alone even see the speedboost capability.
    I have 3 laptops, two of which have the speedboost (afterburner) chips built in.  But even the 3rd laptop *never* goes past 50% of 54mbps.  I get to 24mbps, and there it sits.
    Any ideas?
    Message Edited by tfry on 02-18-2008 02:00 PM

    It seems that you need to update your router's software. Anyway, if you are online hardwired to your router, try going to www.linksys.com/connect. Download the software called Easylink Firmware Tool. Just run this software and hopefully this should assist you in upgrading your router's firmware.
    If this would not work, or would fail to upgrade your router, you might need to do it manually instead. Go to www.linksys.com/downloads. Input your product model number, which is WRT54GS, and select your router version. You can find the actual version underneath the router itself on one of the stickers. Just like the image below.
    Select the data labeled firmware and just save it to the main desktop page. Then open up a new web browser and type 192.168.1.1 in the address bar (the default password is usually admin; just leave the username blank). Then follow the instructions on the image below.
    Click on browse, select the file you just downloaded, click on open and then hit the upgrade button.
    NOTE: Make sure you do all of these on a hardwired PC.

  • Clear DNS cache

    How can I clear the DNS cache?
    When I configure my webserver and change the records, I have to wait the time configured in the TTL of the specific record. I know that I can change the TTL to a lower value, but the default value is 3 hours, so I have to wait until the time's up.
    I checked the DNS records with dig (from dnsutils). dig also shows the remaining seconds until the next refresh (dns server request). And here's my question: How can I refresh it manually? (tried a lot from the internet, but nothing helped)
    Thank you guys!
    Last edited by gummiflummi (2014-12-16 20:41:53)

    brebs wrote:Woah right there. Why do you need to *change* the records? Shouldn't happen often.
    Other than the answer stated (to test DNS settings), you might want to change records for a (self-hosted) DynDNS service. If you want a device to update its DNS entries while being connected to a shaky cellular network, those changes might occur frequently with changing IPs.
    To the original poster: You should always set the TTL to a reasonable setting. If you didn't change the record for the last two years, then maybe a TTL of several hours (or even a day) might be OK. If you want to be able to react more quickly to emergency situations, set it lower. For a DynDNS service, TTLs below a minute might be appropriate.
    If you want to test your DNS Server, you can always query it directly (bypassing your ISP's DNS servers) with a command like this (where 1.2.3.4 is the IP of your nameserver):
    dig @1.2.3.4 your.entry.example.com
    This will usually show you the new settings right after changing.

  • Possible DNS caching problem

    I just upgraded to Lion. I am a web developer and I just changed the DNS settings for a new website. While everyone else in my office is seeing the new website at the domain, I am stuck seeing the old. I have tried the DNS cache flushing techniques below (in addition to restarting, clearing cache, etc), but none have helped:
    sudo killall -HUP mDNSResponder
    dscacheutil -flushcache
    In the terminal 'host domain.com' still points to the old server too.
    Seems like OSX is holding on to the old DNS settings. Any ideas?

    Select  ▹ System Preferences ▹ Network ▹ Advanced ▹ Proxies. If any boxes are checked, uncheck them, apply your changes, and try again.  You must apply the changes before they take effect.

  • How to Flush DNS Cache in Mavericks 10.9.3

    So I have seen references to the following when searching for a cmd to flush DNS
    sudo killall -HUP mDNSResponder and sudo dscacheutil -flushcache
    Which one is proper for Mavericks 10.9.3?

    Mountain Lion, but should be applicable to Mavericks.
    DNS cache - Reset
