[dns-operations] All Too Quiet?

briand at ca.afilias.info
Mon Jul 28 20:24:23 UTC 2008

> Greetings All,
> Okay, this is NOT a complaint. It is an observation / question.
> Has anyone observed any real DNS scans other than those of known test
> programs or researchers? I am not aware of any scans of significance.
> So, this is why I ask: Why is it so quiet?
> On one hand, since so many major ISPs have yet to patch, I am SO VERY
> GLAD (!!!) that no one has tried to exploit this vulnerability -- yet.
> On the other hand, does this lack of attacks once again give management
> the excuse to categorize "I.T. Security" as "Chicken Little"?
> Let's look at the current state of affairs from a management perspective:
>   -- You (I.T. Security) said we had a major vulnerability to contend
> with.
>   -- You said that as soon as it became public, it was certain to be
> exploited, and the consequences would be serious.
>   -- You said that we had to drop everything and patch NOW.
>   -- Well, at great expense and inconvenience, I (management) listened
> to you and we dropped everything, and we are now patched.
>   -- It has been nearly a week since the vulnerability was disclosed,
> and you told me late last week there were multiple exploits now
> available to compromise insecure DNS servers.
>   -- You said that with exploits now available, "the bad guys" were
> sure to start using them "any day now" to compromise the DNS servers
> that are not yet patched.
>   -- You can't even show me one time where we have had a hostile scan of
> our name servers.
>   -- You say we are "just lucky" that "the bad guys" haven't started
> trying to exploit this. I don't believe in luck. If it was as easy to
> exploit name servers as you have claimed, and the exploits would be as
> devastating as you have claimed, I cannot believe that "the bad guys"
> would not be taking maximum advantage of it.
>   -- Your credibility is now just about zero. Why should I listen to you
> the next time that you come to me with a "pending crisis for which we
> must patch now"?
> I am already hearing this type of grousing from management of various
> clients. How do we explain to managers that we have indeed been lucky
> and this was indeed as serious as indicated two plus weeks ago?

I am reminded of what was scientifically selected as the funniest joke
in the world.

To spoil it a bit, the punch line goes something like this:

    911 Operator: "Let's make sure your friend's really dead".
    Caller: "Now what?"

Ask them if they want proof, and ask them to sign a waiver making them
responsible if you succeed in proving the vulnerability.

If they sign on the dotted line, well, then, prove it to them!

Just to be safe, be sure they have someone standing by to restart the
resolver in question, and have them (the client's management) using a
browser which is using the resolver. Redirect a domain of their choosing
to a site you have set up to answer any HTTP GET requests with a static
page suitably laid out.

Have one of their tech guys using a sniffer and show them the sniffer log.

Show them the code, and that it doesn't require, and you didn't use, any
knowledge about their systems.

Be sure you have a bottle of <local high-proof alcoholic beverage> so they
can soothe their shattered nerves. Glasses are optional.

> And, to repeat my original question: Why is it so quiet?

You have just violated the Law of the Unspoken Word.
*Thanks.* 1/2 :-)


> TIA!
> Jon Kibler
> P.S. I am looking for constructive comments. No need to respond with
> "All managers are idiots."

They aren't. But you probably want them to engage their own layer 8/9
folks on risk/cost assessment and liability models.
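Added example, not part of the original thread or of either poster's words: before staging a demonstration for management, a less dramatic check is to confirm whether the resolver in question actually got the fix. This assumes the vulnerability discussed above is the July 2008 cache-poisoning issue, whose patches randomized the UDP source port (and transaction ID) of a resolver's outgoing queries; the thread itself never names it. The tcpdump-style lines, the addresses 192.0.2.53 / 198.51.100.1, and all function names are constructed for illustration. Capture the resolver's own outbound queries toward the authoritative side (tcpdump -n udp dst port 53 on the resolver, while a client asks it for a few dozen uncached names) and feed the lines to report().

```python
"""Judge whether a resolver randomizes the source port and transaction ID of
its outgoing queries, from tcpdump-style lines of those queries.

Assumption (not stated in the thread): the patch under discussion is the 2008
source-port randomization fix. All sample data below is constructed.
"""
import math
import re
from collections import Counter

RESOLVER = "192.0.2.53"     # constructed: the recursive resolver being checked
AUTH = "198.51.100.1"       # constructed: some authoritative server it queries

# Matches lines such as: IP 192.0.2.53.34567 > 198.51.100.1.53: 4711+ A? example.com. (29)
# group 1 = UDP source port of the resolver, group 2 = DNS transaction ID.
LINE_RE = re.compile(r"IP \S+\.(\d+) > \S+\.53: (\d+)\+? ")


def make_lines(ports, txids):
    """Build constructed tcpdump-style query lines (for the demo, not a real capture)."""
    return [f"IP {RESOLVER}.{p} > {AUTH}.53: {t}+ A? example.com. (29)"
            for p, t in zip(ports, txids)]


def parse(lines):
    """Return (source_ports, txids) parsed from tcpdump -n output of outbound queries."""
    ports, txids = [], []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            ports.append(int(m.group(1)))
            txids.append(int(m.group(2)))
    return ports, txids


def observed_bits(values):
    """Empirical Shannon entropy of the sample in bits; cannot exceed log2(len(values))."""
    n = len(values)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def sequential_fraction(values):
    """Fraction of consecutive observations that differ by exactly one."""
    if len(values) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(values, values[1:]) if abs(b - a) == 1)
    return steps / (len(values) - 1)


def classify(values, field_bits):
    """Verdict for one field: NO_DATA, FIXED, SEQUENTIAL, POOR or RANDOMIZED."""
    if not values:
        return "NO_DATA"
    if len(set(values)) <= 1:
        return "FIXED"
    if sequential_fraction(values) > 0.5:
        return "SEQUENTIAL"
    # A small sample can only ever show about log2(n) bits, so compare
    # against that ceiling rather than against the full field width.
    ceiling = min(field_bits, math.log2(len(values)))
    if observed_bits(values) < 0.8 * ceiling:
        return "POOR"
    return "RANDOMIZED"


def report(lines):
    """Summarize port and TXID behaviour seen in the captured query lines."""
    ports, txids = parse(lines)
    return {
        "samples": len(ports),
        "port_verdict": classify(ports, 16),
        "txid_verdict": classify(txids, 16),
        "distinct_ports": len(set(ports)),
        "port_span": (max(ports) - min(ports)) if ports else 0,
    }


# Constructed samples: an unpatched resolver (one fixed port, random TXIDs),
# a resolver walking ports sequentially, and a patched one. The TXID and
# port sequences use odd multipliers so each sample has 64 distinct values.
RANDOM_TXIDS = [(1000 + i * 12347) % 65536 for i in range(64)]
FIXED_PORT_LINES = make_lines([32768] * 64, RANDOM_TXIDS)
SEQUENTIAL_PORT_LINES = make_lines(range(32768, 32768 + 64), RANDOM_TXIDS)
PATCHED_LINES = make_lines([1024 + (i * 40503) % 64000 for i in range(64)], RANDOM_TXIDS)

if __name__ == "__main__":
    for label, lines in (("fixed port", FIXED_PORT_LINES),
                         ("sequential port", SEQUENTIAL_PORT_LINES),
                         ("patched", PATCHED_LINES)):
        print(label, report(lines))
```

Two caveats when reading the verdicts. Sixty-four queries can only demonstrate about six bits, so RANDOMIZED here means "no fixed or sequential pattern in this sample", not a proof of a full 16-bit port range; the public test services of the time made the same trade-off. And capture as close to the resolver as possible: a NAT device between the resolver and the Internet can rewrite a randomized source port into a fixed or sequential one, so a resolver that passes this check on its own interface may still look unpatched to the outside world, and that is where a poisoner sees it.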
