Comments on: Yes! Now I Can Attend Nate Lawson’s Talk at BlackHat! http://www.veracode.com/blog/2008/07/yes-now-i-can-attend-nate-lawsons-talk-at-blackhat/ Application security testing, analysis, and metrics Tue, 06 Jan 2009 21:19:27 +0000 http://wordpress.org/?v=2.6.5 By: Brandon Creighton http://www.veracode.com/blog/2008/07/yes-now-i-can-attend-nate-lawsons-talk-at-blackhat/#comment-1967 Brandon Creighton Tue, 22 Jul 2008 15:54:57 +0000 http://www.veracode.com/blog/?p=123#comment-1967 The leaked attack is the kind of thing that anomaly-detection-engine device vendors have been salivating for since 2005. This is especially true for the attack variant that involves the attacker sending the RR questions himself, as well as the spoofed answers and the inevitable "probe questions" you'd have to send to find out when you finally guessed the ID correctly. (There are plenty of other ways to cause the questions to happen, but that's generally the one that requires the least amount of packets.) Who wants to bet that every entity on <a href="http://www.kb.cert.org/vuls/id/800113" rel="nofollow">the CERT vendor list</a> that is also an IDS vendor has pushed out rules looking for requests that fit one or more of these patterns? One problem with the embargo is that it's preventing discussion of attack detection and mitigation outside those put forward in the various announcements (ingress filtering, restricting recursion). Even those kind of got pushed to the background; the main message that got through to everyone was, "You need to patch." Why are detection and mitigation important? Because you can still perform this attack even against a server serving queries from random source ports. It takes longer, but if there's nobody watching, that doesn't matter. The leaked attack is the kind of thing that anomaly-detection-engine device vendors have been salivating for since 2005. This is especially true for the attack variant that involves the attacker sending the RR questions himself, as well as the spoofed answers and the inevitable “probe questions” you’d have to send to find out when you finally guessed the ID correctly. (There are plenty of other ways to cause the questions to happen, but that’s generally the one that requires the least amount of packets.)

Who wants to bet that every entity on the CERT vendor list that is also an IDS vendor has pushed out rules looking for requests that fit one or more of these patterns?

One problem with the embargo is that it’s preventing discussion of attack detection and mitigation outside those put forward in the various announcements (ingress filtering, restricting recursion). Even those kind of got pushed to the background; the main message that got through to everyone was, “You need to patch.”

Why are detection and mitigation important? Because you can still perform this attack even against a server serving queries from random source ports. It takes longer, but if there’s nobody watching, that doesn’t matter.

]]>