Escalation imminent?
As indicated in earlier diary entries, an authoritative server whose zone is being targeted by the latest DNS attack sees a stream of queries from recursive servers for nonexistent names under that zone. Its operators can't do much about it: all they can do is report what they see.
Yesterday Ray contacted us with logs from his authoritative DNS server indicating that some ISPs' servers in former USSR countries were being used in a very suspicious manner. The logs were somewhat sanitized, so we don't know the first thing about the domains that were targeted, but they had enough detail to identify that the pattern of randomness in the queries was different from any of the publicly known exploits.
This can mean a lot of things, but none of them are good news for the defenders: further development of attack tools, obfuscation of existing tools, or simply somebody exploring how hard it is to write one from scratch.
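The authoritative-side symptom described above can be picked out of an ordinary query log. What follows is an added example, not code from the original diary and not Ray's logs: it parses constructed log lines loosely modelled on BIND's querylog format (the exact layout, the 10-second window and the threshold of 20 distinct names are all assumptions) and flags any resolver that asks for many distinct, never-repeated names under one zone in a short window, which is what a recursive server being raced by a poisoner produces.

```python
"""Flag recursive resolvers that hammer an authoritative zone with many
distinct, never-repeated names: the symptom an authoritative server sees
while one of its zones is the target of a cache-poisoning race."""
import hashlib
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Loosely modelled on a BIND 9 querylog line; the exact layout is assumed.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client "
    r"(?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN \S+"
)

def parse_line(line):
    """Return (timestamp, client ip, qname) or None for non-query lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group("ip"), m.group("qname").lower().rstrip(".")

def find_poisoning_candidates(lines, zone, window_s=10, distinct_threshold=20):
    """Map client ip -> peak number of distinct labels under `zone` seen from
    that client inside any `window_s`-second window, for clients that reached
    `distinct_threshold`. Both thresholds are assumptions; tune them per zone."""
    suffix = "." + zone.lower().rstrip(".")
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, qname = parsed
        if not qname.endswith(suffix):
            continue
        # first label below the zone apex: "a7f3k2qz" in a7f3k2qz.example.com
        label = qname[: -len(suffix)].split(".")[-1]
        events[ip].append((ts, label))

    window = timedelta(seconds=window_s)
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        recent = deque()               # (ts, label) pairs inside the window
        in_window = defaultdict(int)   # label -> occurrences inside the window
        for ts, label in evs:
            recent.append((ts, label))
            in_window[label] += 1
            while ts - recent[0][0] > window:   # expire events that fell out
                _, old = recent.popleft()
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
            if len(in_window) >= distinct_threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(in_window))
    return flagged

def _constructed_log():
    """Constructed sample: one resolver being raced, one behaving normally."""
    base = datetime(2008, 7, 15, 10, 12, 1)

    def fmt(t):
        return t.strftime("%d-%b-%Y %H:%M:%S.%f")[:-3]

    lines = []
    # 25 random-looking names under example.com within two seconds
    for i in range(25):
        label = hashlib.sha256(str(i).encode()).hexdigest()[:10]
        lines.append(f"{fmt(base + timedelta(milliseconds=80 * i))} client "
                     f"192.0.2.10#53211: query: {label}.example.com IN A -ED")
    # ordinary traffic: the same few names, repeated
    for i, name in enumerate(["www", "mail", "www", "www", "mail", "www"]):
        lines.append(f"{fmt(base + timedelta(seconds=i))} client "
                     f"198.51.100.7#{40000 + i}: query: {name}.example.com IN A +")
    lines.append(f"{fmt(base)} client 203.0.113.5#1053: query: www.example.net IN A +")
    lines.append("zone example.com/IN: loaded serial 2008071501")   # not a query
    return lines

if __name__ == "__main__":
    for ip, peak in find_poisoning_candidates(_constructed_log(), "example.com").items():
        print(f"{ip}: {peak} distinct names under example.com within 10s")
```

Two caveats before acting on a hit: a large shared resolver can legitimately ask for many distinct names under a zone that has many hosts, so baseline the threshold per zone; and the flagged resolver is the victim being raced, not the attacker, so the report goes to its operator, exactly as Ray did.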
Better get the patches in over the weekend if you haven't already.
Verify that any firewall, NAT device, etc. in the path does not undo what the patches provide: the patches randomize the UDP source port of outgoing queries, and a device that rewrites those ports to a fixed or sequential value hands that randomness straight back to the attacker.
If you use your ISP's DNS servers, validate that they have been patched; if not, use alternate servers such as those of OpenDNS.
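The NAT check in the list above is the one people skip, because the resolver itself looks fine when you inspect it locally. The following added example (not code from the original diary) scores what the outside world actually sees: it pulls source ports and transaction IDs out of constructed `tcpdump -n` style lines (the exact line layout and all scoring thresholds are assumptions) and gives a verdict for a patched resolver, for the same resolver behind a NAT that re-maps flows to consecutive ports, and for an unpatched server pinned to one port.

```python
"""Judge whether a resolver's outgoing queries use randomised UDP source
ports and transaction IDs, or whether an unpatched server or a NAT that
re-maps ports sequentially has made them predictable."""
import random
import re

# Source port and DNS transaction ID from a line of `tcpdump -n udp dst port 53`
# output; the exact layout is assumed for this example.
TCPDUMP_RE = re.compile(r"IP \S+\.(?P<sport>\d+) > \S+\.53: (?P<txid>\d+)\+?\s")

def ports_and_txids(lines):
    """Extract (source port, transaction ID) pairs from tcpdump text."""
    out = []
    for line in lines:
        m = TCPDUMP_RE.search(line)
        if m:
            out.append((int(m.group("sport")), int(m.group("txid"))))
    return out

def assess(values, space=65536):
    """Score a sequence of 16-bit values. Returns (verdict, stats)."""
    values = list(values)
    n = len(values)
    if n < 8:
        raise ValueError("need at least 8 samples to say anything")
    distinct = len(set(values))
    spread = max(values) - min(values)
    steps = [abs(b - a) for a, b in zip(values, values[1:])]
    # share of consecutive samples that move by a tiny step: near 0 for a
    # random source, near 1 for a counter or a NAT handing out the next port
    sequential = sum(1 for d in steps if d <= 2) / len(steps)
    stats = {"n": n, "distinct": distinct, "spread": spread,
             "sequential": round(sequential, 2)}
    if distinct == 1:
        return "POOR", stats          # one fixed value: nothing to guess
    if sequential >= 0.5 or spread < space // 64:
        return "POOR", stats          # predictable counter or a tiny range
    if distinct >= 0.9 * n and spread >= space // 4 and sequential <= 0.1:
        return "GOOD", stats
    return "FAIR", stats

def verdicts(lines):
    """(port verdict, txid verdict) for one capture."""
    pairs = ports_and_txids(lines)
    return assess(p for p, _ in pairs)[0], assess(t for _, t in pairs)[0]

def _constructed_capture(port_of, txid_of, count=40):
    """Build tcpdump-like lines from two generator functions (constructed data)."""
    return [f"10:12:{i % 60:02d}.000000 IP 192.0.2.10.{port_of(i)} > "
            f"198.51.100.53.53: {txid_of(i)}+ A? q{i}.example.com. (38)"
            for i in range(count)]

_rng = random.Random(2008)   # seeded so the sample is reproducible
RANDOM_PORTS = _rng.sample(range(1024, 65536), 40)
RANDOM_TXIDS = _rng.sample(range(65536), 40)

# Patched resolver, no NAT in the way: random ports and random TXIDs.
PATCHED_CAPTURE = _constructed_capture(lambda i: RANDOM_PORTS[i], lambda i: RANDOM_TXIDS[i])
# Same resolver behind a NAT that re-maps every new flow to the next port.
NATTED_CAPTURE = _constructed_capture(lambda i: 30000 + i, lambda i: RANDOM_TXIDS[i])
# Unpatched resolver: one fixed source port, only the TXID left to guess.
UNPATCHED_CAPTURE = _constructed_capture(lambda i: 53, lambda i: RANDOM_TXIDS[i])

if __name__ == "__main__":
    for name, cap in [("patched", PATCHED_CAPTURE), ("behind NAT", NATTED_CAPTURE),
                      ("unpatched", UNPATCHED_CAPTURE)]:
        print(f"{name:10s} ports={verdicts(cap)[0]} txids={verdicts(cap)[1]}")
```

Take the capture on the Internet side of the NAT, not on the resolver: a trace taken on the resolver's own interface shows random ports even when the NAT flattens them a hop later, and what matters is what the authoritative server (and the attacker) sees.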
The Bad Guys
But why would you write your own code as a bad guy?
What is the motive for a bad guy to change where a site points at the level of a caching DNS server?
Don't worry: those interested in doing this already know, so I'm not giving them any new ideas.
Yellow?
We're (not yet) on yellow for this; we would need to see exploitation in the wild to take that step. Moreover, the trade press has been running this story into the ground since last Black Tuesday.
What to patch?
Only DNS servers that do no recursion at all (pure authoritative servers) are exempt from this need; anything that caches answers on behalf of clients has to be patched.
Conclusion
So is this bad? Yes, it is, unless your DNS clients, name servers and the name servers you forward to are up to date on patches, and the NAT devices (routers, firewalls, ...) in between are confirmed not to undo the randomization of source ports.
The clock is ticking ...
--
Swa Frantzen -- Section 66