[dns-operations] "Cybercrooks exploiting new Windows DNS flaw"

Stasiniewicz, Adam stasinia at msoe.edu
Fri Apr 13 20:23:51 UTC 2007

Let me clarify some points.  First, this is no Slammer.  MSDE was commonly infected by Slammer, since most people don't know they are running MSDE so they did not patch it (and you found MSDE on both servers and clients).  This allowed Slammer to spread between networks.  I have yet to meet someone running a DNS server on their laptop (unless they are doing some sort of VMware, test lab, etc. setup).  But either way, spreading via an infected client computer is a very small risk (as compared to other nasties a computer can get when not behind the corporate content filter).
As for firewall rules.  My experience has shown that the external DNS servers might/might not be in the DMZ (depends on time/budget).  But the firewall rule is always UDP 53 inbound allow, drop everything else.  It goes without saying that there are also stateful packet inspection rules.  
I am not a firewall expert, but I just don't see how you can trick a firewall into thinking a new TCP connection on ports 1024-5000 is related to a connection started on UDP 53 and should be allowed in.
Adam Stasiniewicz


From: Florian Weimer [mailto:fw at deneb.enyo.de]
Sent: Fri 4/13/2007 3:02 PM
To: Stasiniewicz, Adam
Cc: Paul Vixie; dns-operations at mail.oarc.isc.org
Subject: Re: [dns-operations] "Cybercrooks exploiting new Windows DNS flaw"

* Adam Stasiniewicz:

> This exploit looks a bit overhyped.  Relatively speaking, the exploit
> is nowhere near as bad as Code Red and equivalents.  Code Red for
> instance (which used an exploit in IIS) could infect a web server over
> TCP 80.

As long as it's not Slammer. 8-/ This time, it would be close to
impossible to filter in the backbone.

> Since that port is needed to be open to allow visitors to the
> website, there would be no firewall filtering preventing exploitation.
> But to be able to exploit this new vulnerability an attacker would
> need to access the Windows RPC ports (1024-5000) which firewalls
> located at network perimeters should be blocking.

It's not that simple.  The resolver component opens a UDP port in this
range, so you can't simply block all of them.

And if your firewall is stateful, but too permissive, you might be
able to play games with SIP and things like that.

> Simply having access via the standard DNS ports (TCP/UDP 53) is not
> enough.  Because of this, the scope of the attack is limited to
> within LANs only.

I'm not sure if this is true.  DNS servers are often located in DMZs
with more permissive filtering.  Therefore, I hesitate to make any
claims about wormability or lack thereof.
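
Added example, not part of the original thread: a minimal Python model of the perimeter policy discussed above (inbound UDP 53 allowed, everything else dropped, with stateful tracking). It shows why a stateless block of ports 1024-5000 would break the resolver's replies, while connection tracking admits those replies and still drops a new TCP connection to that range. Addresses, class names and function names are constructed for illustration, and protocol helpers (the SIP case mentioned above) are not modeled.

```python
from dataclasses import dataclass

RPC_RANGE = range(1024, 5001)  # port range named in the thread

@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool   # True if arriving from outside the perimeter

class StatefulFilter:
    """Policy from the thread: inbound UDP 53 allowed, rest dropped,
    plus replies that match a flow started from the inside."""
    def __init__(self):
        self.flows = set()

    def handle(self, p):
        if not p.inbound:
            # Outbound traffic is allowed and remembered so the reply can return.
            self.flows.add((p.proto, p.dst, p.dport, p.src, p.sport))
            return "allow"
        if (p.proto, p.src, p.sport, p.dst, p.dport) in self.flows:
            return "allow"   # reply to a tracked flow
        if p.proto == "udp" and p.dport == 53:
            return "allow"   # queries to the DNS service
        return "drop"

def stateless_block_rpc(p):
    """Naive alternative: drop anything inbound to 1024-5000, no state."""
    if p.inbound and p.dport in RPC_RANGE:
        return "drop"
    return "allow"

def demo():
    # Constructed sample addresses (documentation ranges) and ports.
    dns, peer, outside = "192.0.2.53", "198.51.100.7", "203.0.113.9"
    fw = StatefulFilter()
    query = Packet("udp", dns, 1030, peer, 53, inbound=False)
    reply = Packet("udp", peer, 53, dns, 1030, inbound=True)
    rpc = Packet("tcp", outside, 40000, dns, 1030, inbound=True)
    return {
        "outbound_query": fw.handle(query),
        "resolver_reply_stateful": fw.handle(reply),
        "new_tcp_rpc_stateful": fw.handle(rpc),
        "resolver_reply_stateless": stateless_block_rpc(reply),
    }
```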
