North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: SANS: DNS Bug Now Public?
FWIW, anyone using iptables for NAT can use --random, e.g.: iptables -t nat -A POSTROUTING -o ethX -j SNAT --to x.x.x.x --random Useful for Linux NAT/load-balancer boxes, or for Linux-powered embedded devices where the vendor has not been forthcoming with a firmware patch to alter the rules they generate. I believe this requires kernel >= 2.6.21. -Jasper On Wed, 2008-07-23 at 12:16 -0700, Darren Bolding wrote: > After a bit of looking around, I have not been able to find a list of > firewalls/versions which are known to provide appropriate randomness in > their PAT algorithms (or more importantly, those that do not). > > I would be very interested in such a list if anyone knows of one. > > As a side note, most people here realize this but, while people mention > firewalls, keep in mind that if a load-balancer or other device is your > egress PAT device, you might be interested in checking those systems > port-translation randomness as well. > > --D > > On Wed, Jul 23, 2008 at 10:11 AM, Joe Abley <[email protected]> wrote: > > > > > On 23 Jul 2008, at 12:16, Jorge Amodio wrote: > > > > Let me add that folks need to understand that the "patch" is not a fix to a > >> problem that has been there for long time and > >> it is just a workaround to reduce the chances for a potential > >> attack, and it must be combined with best practices and > >> recommendations to implent a more robust DNS setup. > >> > > > > Having just seen some enterprise types spend time patching their > > nameservers, it's also perhaps worth spelling out that "patch" in this case > > might require more than upgrading resolver code -- it could also involve > > reconfigurations, upgrades or replacements of NAT boxes too. If your NAT > > reassigns source ports in a predictable fashion, then no amount of BIND9 > > patching is going to help. > > > > (Reconfiguring your internal resolvers to forward queries to an external, > > patched resolver which can see the world other than through NAT-coloured > > glasses may also be a way out.) > > > > > > Joe > > > > > > > >
|