Saturday, July 26, 2008

DNS in danger..or should I say, the Internet

As we all know, Dan Kaminsky found a very efficient way to poison DNS resolver caches. The vulnerability and the coordination work (very well done, Dan and all the folks involved!) have been discussed extensively by the IT blogosphere and press and by the CERTs (US-CERT / CERT/CC and CERT-FI, for example). The internet operations community and DNS server operators should be very well informed.

I am still worried. Why?

The patches are far from completely installed. Windows users should already be largely covered, thanks to the coordinated release of Microsoft patches on the July 2008 MS patch Tuesday. According to several reports, like the one generated by CERT.at (links here and here), the deployment situation on the real resolving nameservers is a bit on the weak side, mildly put. The patches available for BIND implementations are not final and have been shown to have major performance problems, especially on Solaris environments. So I fully understand the ISPs who are very concerned about their patch situation.

Why is this vulnerability so special? DNS is one of the fundamental services that makes the Internet tick. It is the white pages of the 'net, binding all domain names to the related IP addresses. The ability to disturb this database - totally unnoticed by the end users - is really, really nasty.

Just think of it:

Someone changes NS records of Google at a major ISP resolver stack. All Google-related traffic of the ISP customers (opening page of Firefox, Gmail etc) goes where the attacker wants. Hmm, a nice drive-by exploit code to Firefox opening page?

A major bank webbank A-record is redirected to Somewhere Else. How many webbank users type https:// at the browser URL line?

Need I say more?

I hope the ISPs do their best to get their infrastructure protected. And good luck to ISC in their efforts to find a complete solution to the BIND issues. The really challenging part is how to patch all the SOHO NAT firewalls and WLAN boxes... this is one of the very first times we need to patch the black box with blinking lights at the bottom of the cupboard. Globally.
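The fixes being rolled out for this bug make the resolver randomise the UDP source port of its outgoing queries alongside the 16-bit transaction ID, so a practical way to tell whether a given resolver is actually patched is to capture a batch of its outbound queries and measure how much those two values vary. The Python script below is an added example, not part of the original post: it runs that measurement offline over constructed (source port, TXID) samples and classifies the resolver; the sample data, the 0.9 entropy threshold and the verdict names are my assumptions, not captured traffic or a published tool.

```python
import math
import random
from collections import Counter


def entropy_bits(values):
    """Shannon entropy (in bits) of the observed values."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def assess_resolver(observations):
    """observations: list of (udp_source_port, dns_txid) for outbound queries.

    Verdicts (assumed names):
      'fixed-port'  - every query left from the same port (pre-patch behaviour)
      'sequential'  - ports increment by one, trivially predictable
      'weak'        - values vary, but far less than the sample size allows
      'randomised'  - port and TXID entropy close to the ceiling for n samples
    """
    n = len(observations)
    if n < 2:
        raise ValueError("need at least two queries to say anything")
    ports = [p for p, _ in observations]
    txids = [t for _, t in observations]
    max_bits = math.log2(n)          # the most entropy n samples can show
    port_bits = entropy_bits(ports)
    txid_bits = entropy_bits(txids)
    if len(set(ports)) == 1:
        verdict = "fixed-port"
    elif all(b - a == 1 for a, b in zip(ports, ports[1:])):
        verdict = "sequential"
    elif port_bits < 0.9 * max_bits or txid_bits < 0.9 * max_bits:
        verdict = "weak"
    else:
        verdict = "randomised"
    return {"queries": n, "distinct_ports": len(set(ports)),
            "port_entropy_bits": round(port_bits, 2),
            "txid_entropy_bits": round(txid_bits, 2), "verdict": verdict}


# Constructed samples (not real traffic): 64 outbound queries each.
_rng = random.Random(2008)
UNPATCHED = [(32768, _rng.randrange(65536)) for _ in range(64)]
SEQUENTIAL = [(40000 + i, _rng.randrange(65536)) for i in range(64)]
PATCHED = [(_rng.randrange(1024, 65536), _rng.randrange(65536)) for _ in range(64)]

if __name__ == "__main__":
    for name, sample in (("unpatched", UNPATCHED), ("sequential", SEQUENTIAL),
                         ("patched", PATCHED)):
        print(name, assess_resolver(sample))
```

On a live resolver the observation list would come from a capture of its outbound UDP port 53 traffic (e.g. with tcpdump), with a few dozen queries being enough to separate the three cases.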

It must be July. The mainstream press has been surprisingly quiet on this one.

Let's be careful out there..


Sunday, January 20, 2008

Does it really make sense for Finnish ISPs to peer in Stockholm?

While debugging a website problem (not my own) I discovered an interesting rift between Nebula and Eunet (Elisa) IP peering. They don't want to talk to each other on Finnish soil. See for yourself:

3 ge0-1-0-954.bbr2.hel1.fi.eunetip.net (213.192.190.185) 1.537 ms 1.571 ms 1.544 ms
4 as0-0.bbr1.sto1.se.eunetip.net (213.192.191.210) 9.199 ms 8.853 ms 10.071 ms
5 ge0-0-0-0.bbr1.sto2.se.eunetip.net (213.192.191.202) 10.810 ms 8.677 ms 8.748 ms
6 64.214.141.25 (64.214.141.25) 11.268 ms 8.686 ms 8.592 ms
7 64.209.110.194 (64.209.110.194) 8.999 ms 8.928 ms 8.889 ms
8 tt-router.nebula.fi (213.157.92.222) 8.845 ms 9.069 ms 9.058 ms

When discussing this on an IRC channel where network people hang out, I understood that Eunet has offered substantial increases in their transit pricing. OK, I understand transit is a commercial game, but domestic peering at FICIX is another matter. I don't see the business logic for Eunet to peer with Nebula in Stockholm. It costs them money on their own international capacity to Stockholm, too.

When the breakup happened, there were some spectacular round-the-world paths visible. Here is one example.
