bind flaw properly fixed?! - BSD



  1. bind flaw properly fixed?!

    Hi,

    I ran the following test on both OpenBSD and FreeBSD:
    https://www.dns-oarc.net/oarc/services/porttest

    [root@ns1 ~]# dig @localhost +short porttest.dns-oarc.net TXT
    z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b. a.pt.dns-oarc.net.
    "192.168.0.1 is GOOD: 79 queries in 65.2 seconds from 79 ports with std dev
    18353.77"
    [root@ns1 ~]# uname -rs
    OpenBSD 4.3
    [root@ns1 ~]#

    [root@BSDHelmut ~]# dig @localhost +short porttest.dns-oarc.net TXT
    z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b. a.pt.dns-oarc.net.
    "79.229.250.94 is POOR: 30 queries in 4.9 seconds from 30 ports with std dev
    10.12"
    [root@BSDHelmut ~]# uname -rs
    FreeBSD 7.0-RELEASE-p3
    [root@BSDHelmut ~]#

    Anyone?

    Thanks, Helmut

    --
    No Swen today, my love has gone away
    My mailbox stands for lorn, a symbol of the dawn


  2. Re: bind flaw properly fixed?!

    Helmut Schneider wrote:
    > [root@BSDHelmut ~]# dig @localhost +short porttest.dns-oarc.net TXT
    > z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b. a.pt.dns-oarc.net.
    > "79.229.250.94 is POOR: 30 queries in 4.9 seconds from 30 ports with std
    > dev 10.12"
    > [root@BSDHelmut ~]# uname -rs
    > FreeBSD 7.0-RELEASE-p3
    > [root@BSDHelmut ~]#
    >
    > Anyone?

    FWIW:
    root@kg-omni1# dig +short porttest.dns-oarc.net TXT
    z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b. a.pt.dns-oarc.net.
    "80.202.4.134 is GOOD: 26 queries in 4.6 seconds from 26 ports with std
    dev 19600.53"
    root@kg-omni1# dig @localhost +short porttest.dns-oarc.net TXT
    z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b. a.pt.dns-oarc.net.
    "80.202.4.134 is GOOD: 26 queries in 4.6 seconds from 26 ports with std
    dev 19600.53"
    root@kg-omni1# uname -rs
    FreeBSD 6.3-STABLE
    --
    Torfinn Ingolfsen,
    Norway

  3. Re: bind flaw properly fixed?!

    Helmut Schneider wrote:
    +---------------
    | "192.168.0.1 is GOOD: 79 queries in 65.2 seconds from 79 ports with std dev
    | 18353.77"
    ....
    | "79.229.250.94 is POOR: 30 queries in 4.9 seconds from 30 ports with std dev
    | 10.12"
    +---------------

    It's not just the count of distinct source port numbers used; they
    also check whether or not the random number generator for the source
    port sequence looks "weak". In the latter example, the standard
    deviation of the port numbers is quite small, indicating that the
    source port sequence is likely to be more predictable than the
    former example. A "good" generator would have a std. dev. of at
    least several thousands, preferably tens of thousands.

    And IIUIC, they also check the source port sequence generator for
    being among a known set of "bad, very predictable" sequences,
    and score those badly no matter *how* large the std. deviation is.
    E.g., A source port sequence that goes 5, 20005, 10005, 30005,
    6, 20006, 10006, 30006, 7, 20007, 10007, 30007, 8, 20008, 10008,
    30008, 9, 20009, 10009, 30009... has a very large std. dev., but
    is a *totally* predictable sequence, and therefore *extremely*
    vulnerable to the published attack.


    -Rob

    -----
    Rob Warnock
    627 26th Avenue
    San Mateo, CA 94403 (650)572-2607
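
Added example (not part of the original thread, and not DNS-OARC's code): a small checker for the two properties described in the post above, the spread of the observed source ports and whether the sequence is a set of interleaved fixed-stride counters. The 3000 threshold, the function names and the two non-quoted sample lists are assumptions made for illustration; the first list is the sequence quoted in the post.

```python
import statistics

def fixed_stride_period(ports, max_period=8):
    """Return the smallest period k for which ports[i+k] - ports[i] is the
    same for every i (mod 65536), i.e. k interleaved counters; else None."""
    for k in range(1, max_period + 1):
        if len(ports) < 3 * k:      # too few samples to judge this period
            break
        strides = {(ports[i + k] - ports[i]) % 65536
                   for i in range(len(ports) - k)}
        if len(strides) == 1:
            return k
    return None

def assess(ports, min_stdev=3000.0):
    """Classify a list of observed UDP source ports.
    min_stdev is an assumed cut-off, not the test service's real one."""
    spread = statistics.stdev(ports)
    period = fixed_stride_period(ports)
    if period is not None:
        verdict = "PREDICTABLE"     # large spread does not help here
    elif spread < min_stdev:
        verdict = "LOW-SPREAD"
    else:
        verdict = "OK"
    return verdict, round(spread, 2), period

# The sequence quoted in the post: four interleaved counters.
ROB_SEQUENCE = [5, 20005, 10005, 30005, 6, 20006, 10006, 30006,
                7, 20007, 10007, 30007, 8, 20008, 10008, 30008,
                9, 20009, 10009, 30009]
# Constructed sample: ports drawn from a narrow window, as a NAT device
# that rewrites source ports into a small range would produce.
NARROW = [1030, 1024, 1041, 1027, 1050, 1033,
          1046, 1025, 1038, 1052, 1029, 1044]
# Constructed sample: ports scattered over the whole unprivileged range.
SCATTERED = [51234, 1893, 33021, 60412, 12877, 45990,
             7341, 27654, 58003, 19420, 39876, 3055]

if __name__ == "__main__":
    for name, sample in [("rob", ROB_SEQUENCE), ("narrow", NARROW),
                         ("scattered", SCATTERED)]:
        print(name, assess(sample))
```

The stride check only catches counter-like generators; a low-entropy generator with no fixed stride needs a stronger statistical test than either property here.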


  4. Re: bind flaw properly fixed?!

    Rob Warnock wrote:
    > Helmut Schneider wrote:
    > +---------------
    >> "192.168.0.1 is GOOD: 79 queries in 65.2 seconds from 79 ports with
    >> std dev 18353.77"

    > ...
    >> "79.229.250.94 is POOR: 30 queries in 4.9 seconds from 30 ports with
    >> std dev 10.12"

    > +---------------
    >
    > It's not just the count of distinct source port numbers used; they
    > also check whether or not the random number generator for the source
    > port sequence looks "weak". In the latter example, the standard
    > deviation of the port numbers is quite small, indicating that the
    > source port sequence is likely to be more predictable than the
    > former example. A "good" generator would have a std. dev. of at
    > least several thousands, preferably tens of thousands.
    >
    > And IIUIC, they also check the source port sequence generator for
    > being among a known set of "bad, very predictable" sequences,
    > and score those badly no matter *how* large the std. deviation is.
    > E.g., A source port sequence that goes 5, 20005, 10005, 30005,
    > 6, 20006, 10006, 30006, 7, 20007, 10007, 30007, 8, 20008, 10008,
    > 30008, 9, 20009, 10009, 30009... has a very large std. dev., but
    > is a *totally* predictable sequence, and therefore *extremely*
    > vulnerable to the published attack.


    I probably should blame my NAT device then rather than FreeBSD. Although
    from an attacker's point of view this does not make any difference...

    --
    No Swen today, my love has gone away
    My mailbox stands for lorn, a symbol of the dawn


  5. Re: bind flaw properly fixed?!

    Helmut Schneider wrote:
    > Rob Warnock wrote:
    >> Helmut Schneider wrote:
    >> +---------------
    >>> "192.168.0.1 is GOOD: 79 queries in 65.2 seconds from 79 ports with
    >>> std dev 18353.77"

    >> ...
    >>> "79.229.250.94 is POOR: 30 queries in 4.9 seconds from 30 ports with
    >>> std dev 10.12"

    >> +---------------
    >>
    >> It's not just the count of distinct source port numbers used; they
    >> also check whether or not the random number generator for the source
    >> port sequence looks "weak". In the latter example, the standard
    >> deviation of the port numbers is quite small, indicating that the
    >> source port sequence is likely to be more predictable than the
    >> former example. A "good" generator would have a std. dev. of at
    >> least several thousands, preferably tens of thousands.
    >>
    >> And IIUIC, they also check the source port sequence generator for
    >> being among a known set of "bad, very predictable" sequences,
    >> and score those badly no matter *how* large the std. deviation is.
    >> E.g., A source port sequence that goes 5, 20005, 10005, 30005,
    >> 6, 20006, 10006, 30006, 7, 20007, 10007, 30007, 8, 20008, 10008,
    >> 30008, 9, 20009, 10009, 30009... has a very large std. dev., but
    >> is a *totally* predictable sequence, and therefore *extremely*
    >> vulnerable to the published attack.

    >
    > I probably should blame my NAT device then rather than FreeBSD.
    > Although from an attacker's point of view this does not make any
    > difference...
    >


    [bsd@cto bsd]$ dig @localhost +short porttest.dns-oarc.net TXT
    z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b. a.pt.dns-oarc.net.
    "208.67.219.12 is GOOD: 26 queries in 0.4 seconds from 26 ports with std
    dev 17790.38"
    [bsd@cto bsd]$ dig @localhost +short porttest.dns-oarc.net TXT
    z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b. a.pt.dns-oarc.net.
    "208.67.219.12 is GOOD: 26 queries in 0.1 seconds from 26 ports with std
    dev 18466.09"
    [bsd@cto bsd]$ uname -rs
    FreeBSD 8.0-CURRENT
    [bsd@cto bsd]$

    The machine is running behind a NAT and firewall on a cheap/Belkin/BeeTel
    220BX (96338L-2M-8M) ADSL router, custom linux kernel 2.6.24.7, iptables
    v1.2.11.

    --
    Dr Balwinder S "bsd" Dheeman Registered Linux User: #229709
    Anu'z Linux@HOME (Unix Shoppe) Machines: #168573, 170593, 259192
    Chandigarh, UT, 160062, India Gentoo, Fedora, Debian/FreeBSD/XP
    Home: http://cto.homelinux.net/~bsd/ Visit: http://counter.li.org/
