Date: Wed, 09 Jul 2008 08:09:14 -0400
From: Mike Tancsa <mike@sentex.net>
To: Oliver Fromme <olli@lurza.secnetix.de>, freebsd-security@freebsd.org
Subject: Re: BIND update?
Message-ID: <200807091209.m69C9Gsl030319@lava.sentex.ca>
In-Reply-To: <200807091054.m69As4eH065391@lurza.secnetix.de>
References: <C4990135.1A0907%astorms@ncircle.com> <200807091054.m69As4eH065391@lurza.secnetix.de>
At 06:54 AM 7/9/2008, Oliver Fromme wrote:
>Andrew Storms wrote:
> > http://www.isc.org/index.pl?/sw/bind/bind-security.php
>
>I'm just wondering ...
>
>ISC's patches cause source ports to be randomized, thus
>making it more difficult to spoof response packets.
>
>But doesn't FreeBSD already randomize source ports by
>default? So, do FreeBSD systems require to be patched
>at all?

It doesn't seem to do a very good job of it with bind for some reason... Perhaps because it picks a port and reuses it?

Doing the following

% cat s
host 1iatest.yahoo.com
host 1iatest2.yahoo.co.uk
host 1iatest3.yahoo.com
host 1iatest4.yahoo.com
host 1iatest4.yahoo.com

shows the same source port being used

08:05:44.269507 IP 64.7.134.1.51761 > 203.84.197.239.53: 814% [1au] A? 1iatest.yahoo.com. (46)
08:05:44.595674 IP 203.84.197.239.53 > 64.7.134.1.51761: 814 NXDomain*- 0/1/1 (107)
08:05:44.596251 IP 64.7.134.1.51761 > 199.212.134.1.53: 38272% [1au] A? 1iatest.yahoo.com.sentex.ca. (56)
08:05:44.649672 IP 199.212.134.1.53 > 64.7.134.1.51761: 38272 NXDomain* 0/1/1 (116)
08:05:44.654444 IP 64.7.134.1.51761 > 68.142.196.63.53: 20277% [1au] A? 1iatest2.yahoo.co.uk. (49)
08:05:44.743687 IP 68.142.196.63.53 > 64.7.134.1.51761: 20277*- 1/13/1 CNAME[|domain]
08:05:44.749325 IP 64.7.134.1.51761 > 68.142.255.16.53: 32407% [1au] A? 1iatest3.yahoo.com. (47)
08:05:44.825666 IP 68.142.255.16.53 > 64.7.134.1.51761: 32407 NXDomain*- 0/1/1 (108)
08:05:44.826291 IP 64.7.134.1.51761 > 199.212.134.2.53: 59918% [1au] A? 1iatest3.yahoo.com.sentex.ca. (57)
08:05:44.881667 IP 199.212.134.2.53 > 64.7.134.1.51761: 59918 NXDomain* 0/1/1 (117)
08:05:44.886352 IP 64.7.134.1.51761 > 217.12.4.104.53: 56112% [1au] A? 1iatest4.yahoo.com. (47)
08:05:45.021655 IP 217.12.4.104.53 > 64.7.134.1.51761: 56112 NXDomain*- 0/1/1 (108)
08:05:45.022213 IP 64.7.134.1.51761 > 64.7.153.49.53: 14304% [1au] A? 1iatest4.yahoo.com.sentex.ca. (57)
08:05:45.075656 IP 64.7.153.49.53 > 64.7.134.1.51761: 14304 NXDomain* 0/1/1 (117)

and a few min later with new requests,

# tcpdump -ni tun0 port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type NULL (BSD loopback), capture size 96 bytes
08:08:00.273502 IP 64.7.134.1.51761 > 68.142.255.16.53: 37470% [1au] A? 21iatest.yahoo.com. (47)
08:08:00.350026 IP 68.142.255.16.53 > 64.7.134.1.51761: 37470 NXDomain*- 0/1/1 (108)
08:08:00.350565 IP 64.7.134.1.51761 > 199.212.134.1.53: 31976% [1au] A? 21iatest.yahoo.com.sentex.ca. (57)
08:08:00.406013 IP 199.212.134.1.53 > 64.7.134.1.51761: 31976 NXDomain* 0/1/1 (117)
08:08:00.410993 IP 64.7.134.1.51761 > 68.142.196.63.53: 2704% [1au] A? 21iatest2.yahoo.co.uk. (50)
08:08:00.500032 IP 68.142.196.63.53 > 64.7.134.1.51761: 2704*- 1/13/1 CNAME[|domain]
08:08:00.505356 IP 64.7.134.1.51761 > 68.142.255.16.53: 33992% [1au] A? 21iatest3.yahoo.com. (48)
08:08:00.582006 IP 68.142.255.16.53 > 64.7.134.1.51761: 33992 NXDomain*- 0/1/1 (109)
08:08:00.582565 IP 64.7.134.1.51761 > 199.212.134.2.53: 18776% [1au] A? 21iatest3.yahoo.com.sentex.ca. (58)
08:08:00.638004 IP 199.212.134.2.53 > 64.7.134.1.51761: 18776 NXDomain* 0/1/1 (118)
08:08:00.642684 IP 64.7.134.1.51761 > 68.142.255.16.53: 54964% [1au] A? 21iatest4.yahoo.com. (48)
08:08:00.720000 IP 68.142.255.16.53 > 64.7.134.1.51761: 54964 NXDomain*- 0/1/1 (109)
08:08:00.720529 IP 64.7.134.1.51761 > 64.7.153.49.53: 11657% [1au] A? 21iatest4.yahoo.com.sentex.ca. (58)
08:08:00.773998 IP 64.7.153.49.53 > 64.7.134.1.51761: 11657 NXDomain* 0/1/1 (118)

# sysctl -a net.inet.ip.portrange
net.inet.ip.portrange.randomtime: 45
net.inet.ip.portrange.randomcps: 10
net.inet.ip.portrange.randomized: 1
net.inet.ip.portrange.reservedlow: 0
net.inet.ip.portrange.reservedhigh: 1023
net.inet.ip.portrange.hilast: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.first: 49152
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.lowfirst: 1023

---Mike

>Best regards
> Oliver
>
>PS:
>$ sysctl net.inet.ip.portrange.randomized
>net.inet.ip.portrange.randomized: 1
>$ sysctl -d net.inet.ip.portrange.randomized
>net.inet.ip.portrange.randomized: Enable random port allocation
>
>--
>Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
>Commercial register: Registergericht Muenchen, HRA 74606, Management:
>secnetix Verwaltungsgesellsch. mbH, commercial register: Registergericht München,
>HRB 125758, managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart
>
>FreeBSD services, products and more: http://www.secnetix.de/bsd
>
>It's trivial to make fun of Microsoft products,
>but it takes a real man to make them work,
>and a God to make them do anything useful.
>_______________________________________________
>freebsd-security@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-security
>To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
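As an added example (not part of the thread, and not BIND or FreeBSD code), the following Python script automates the check Mike did by eye: it parses tcpdump summary lines, keeps only the outbound queries to port 53, and reports per querying address how many distinct source ports and transaction IDs appeared. The first capture is a subset of the tcpdump lines from the message above; the second is constructed (192.0.2.10 and 198.51.100.5 are documentation-range placeholders) to show what a resolver that does randomize its source port looks like under the same check. The function and variable names are the example's own.

```python
import re
from collections import defaultdict

# Matches tcpdump's "IP src.sport > dst.dport: txid..." summary for UDP DNS.
_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"(?P<txid>\d+)"
)

# Subset of the capture posted in the thread: every outbound query leaves from
# source port 51761, even across the two runs a few minutes apart.
SAME_PORT_CAPTURE = """\
08:05:44.269507 IP 64.7.134.1.51761 > 203.84.197.239.53: 814% [1au] A? 1iatest.yahoo.com. (46)
08:05:44.595674 IP 203.84.197.239.53 > 64.7.134.1.51761: 814 NXDomain*- 0/1/1 (107)
08:05:44.596251 IP 64.7.134.1.51761 > 199.212.134.1.53: 38272% [1au] A? 1iatest.yahoo.com.sentex.ca. (56)
08:05:44.654444 IP 64.7.134.1.51761 > 68.142.196.63.53: 20277% [1au] A? 1iatest2.yahoo.co.uk. (49)
08:05:44.743687 IP 68.142.196.63.53 > 64.7.134.1.51761: 20277*- 1/13/1 CNAME[|domain]
08:05:44.749325 IP 64.7.134.1.51761 > 68.142.255.16.53: 32407% [1au] A? 1iatest3.yahoo.com. (47)
08:05:44.886352 IP 64.7.134.1.51761 > 217.12.4.104.53: 56112% [1au] A? 1iatest4.yahoo.com. (47)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
08:08:00.273502 IP 64.7.134.1.51761 > 68.142.255.16.53: 37470% [1au] A? 21iatest.yahoo.com. (47)
"""

# Constructed capture (not from the thread): a hypothetical resolver at
# 192.0.2.10 that picks a fresh source port for every query.
RANDOM_PORT_CAPTURE = """\
08:10:01.000001 IP 192.0.2.10.61023 > 198.51.100.5.53: 4411% [1au] A? example.test. (30)
08:10:01.050000 IP 198.51.100.5.53 > 192.0.2.10.61023: 4411 NXDomain*- 0/1/1 (90)
08:10:01.100001 IP 192.0.2.10.50992 > 198.51.100.5.53: 19872% [1au] A? example2.test. (31)
08:10:01.200001 IP 192.0.2.10.58311 > 198.51.100.5.53: 7002% [1au] A? example3.test. (31)
08:10:01.300001 IP 192.0.2.10.64120 > 198.51.100.5.53: 55100% [1au] A? example4.test. (31)
"""


def parse_queries(capture, resolver_port=53):
    """Return outbound DNS queries (dport == resolver_port) as dicts.

    Replies (dport is the resolver's ephemeral port) and non-packet lines
    such as tcpdump's banner are skipped.
    """
    queries = []
    for line in capture.splitlines():
        m = _LINE.match(line.strip())
        if not m or int(m.group("dport")) != resolver_port:
            continue
        queries.append({
            "ts": m.group("ts"),
            "src": m.group("src"),
            "sport": int(m.group("sport")),
            "dst": m.group("dst"),
            "txid": int(m.group("txid")),
        })
    return queries


def port_reuse_report(capture):
    """Per querying address: query count, distinct source ports, distinct TXIDs."""
    by_src = defaultdict(lambda: {"queries": 0, "ports": set(), "txids": set()})
    for q in parse_queries(capture):
        rec = by_src[q["src"]]
        rec["queries"] += 1
        rec["ports"].add(q["sport"])
        rec["txids"].add(q["txid"])
    return {
        src: {
            "queries": r["queries"],
            "distinct_ports": len(r["ports"]),
            "distinct_txids": len(r["txids"]),
        }
        for src, r in by_src.items()
    }


def fixed_port_resolvers(capture, min_queries=4):
    """Addresses that sent at least min_queries queries all from one source port.

    With the port fixed, only the 16-bit TXID separates a forged reply from a
    real one, which is the weakness the ISC advisory in the thread addresses.
    """
    return sorted(
        src
        for src, r in port_reuse_report(capture).items()
        if r["queries"] >= min_queries and r["distinct_ports"] == 1
    )


if __name__ == "__main__":
    for name, cap in (("thread", SAME_PORT_CAPTURE), ("constructed", RANDOM_PORT_CAPTURE)):
        print(name, port_reuse_report(cap), "fixed-port:", fixed_port_resolvers(cap))
```

Feed it the output of `tcpdump -ni <iface> port 53` from a resolver under test; a healthy resolver should show a distinct-port count close to its query count, as in the constructed capture, rather than the single port the thread's capture shows.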