
bind flaw properly fixed?!


Helmut Schneider

Jul 25, 2008, 3:36:26 PM
Hi,

I ran the following test on both OpenBSD and FreeBSD:
https://www.dns-oarc.net/oarc/services/porttest

[root@ns1 ~]# dig @localhost +short porttest.dns-oarc.net TXT
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"192.168.0.1 is GOOD: 79 queries in 65.2 seconds from 79 ports with std dev
18353.77"
[root@ns1 ~]# uname -rs
OpenBSD 4.3
[root@ns1 ~]#

[root@BSDHelmut ~]# dig @localhost +short porttest.dns-oarc.net TXT
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"79.229.250.94 is POOR: 30 queries in 4.9 seconds from 30 ports with std dev
10.12"
[root@BSDHelmut ~]# uname -rs
FreeBSD 7.0-RELEASE-p3
[root@BSDHelmut ~]#

Anyone?

Thanks, Helmut

--
No Swen today, my love has gone away
My mailbox stands for lorn, a symbol of the dawn

Torfinn Ingolfsen

Jul 25, 2008, 5:20:47 PM
Helmut Schneider wrote:
> [root@BSDHelmut ~]# dig @localhost +short porttest.dns-oarc.net TXT
> z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
> "79.229.250.94 is POOR: 30 queries in 4.9 seconds from 30 ports with std
> dev 10.12"
> [root@BSDHelmut ~]# uname -rs
> FreeBSD 7.0-RELEASE-p3
> [root@BSDHelmut ~]#
>
> Anyone?
FWIW:
root@kg-omni1# dig +short porttest.dns-oarc.net TXT
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"80.202.4.134 is GOOD: 26 queries in 4.6 seconds from 26 ports with std
dev 19600.53"
root@kg-omni1# dig @localhost +short porttest.dns-oarc.net TXT
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"80.202.4.134 is GOOD: 26 queries in 4.6 seconds from 26 ports with std
dev 19600.53"
root@kg-omni1# uname -rs
FreeBSD 6.3-STABLE
--
Torfinn Ingolfsen,
Norway

Rob Warnock

Jul 25, 2008, 11:19:50 PM
Helmut Schneider <jump...@gmx.de> wrote:
+---------------

| "192.168.0.1 is GOOD: 79 queries in 65.2 seconds from 79 ports with std dev
| 18353.77"
...

| "79.229.250.94 is POOR: 30 queries in 4.9 seconds from 30 ports with std dev
| 10.12"
+---------------

It's not just the count of distinct source port numbers used; they
also check whether or not the random number generator for the source
port sequence looks "weak". In the latter example, the standard
deviation of the port numbers is quite small, indicating that the
source port sequence is likely to be more predictable than the
former example. A "good" generator would have a std. dev. of at
least several thousands, preferably tens of thousands.

And IIUIC, they also check the source port sequence generator for
being among a known set of "bad, very predictable" sequences,
and score those badly no matter *how* large the std. deviation is.
E.g., a source port sequence that goes 5, 20005, 10005, 30005,
6, 20006, 10006, 30006, 7, 20007, 10007, 30007, 8, 20008, 10008,
30008, 9, 20009, 10009, 30009... has a very large std. dev., but
is a *totally* predictable sequence, and therefore *extremely*
vulnerable to the published attack.


-Rob

-----
Rob Warnock <rp...@rpw3.org>
627 26th Avenue <URL:http://rpw3.org/>
San Mateo, CA 94403 (650)572-2607
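
An added example, not from this thread or from DNS-OARC, of the two checks Rob describes: the spread of the observed source ports (std. dev.) and a separate test for a deterministic sequence that passes the spread check anyway. The 3000 cut-off and the lag-based predictability heuristic are my own assumptions, not DNS-OARC's scoring rules, and the port lists are constructed.

```python
import statistics
from typing import Optional, Sequence, Tuple

# Assumed cut-off for Rob's "at least several thousand"; DNS-OARC's real
# scoring rules are not given in the thread.
MIN_GOOD_STDDEV = 3000.0

def port_std_dev(ports: Sequence[int]) -> float:
    """Population standard deviation of the observed source ports."""
    return statistics.pstdev(ports)

def predictable_lag(ports: Sequence[int], max_lag: int = 8) -> Optional[int]:
    """Smallest lag k such that every port equals the port k queries earlier
    plus one fixed non-zero step, or None. k=1 is a plain counter; k=4 is
    Rob's rotated counter 5, 20005, 10005, 30005, 6, 20006, ... (a heuristic,
    not DNS-OARC's list of known-bad generators)."""
    for lag in range(1, max_lag + 1):
        if len(ports) - lag < 3:          # too few differences to judge
            break
        steps = {ports[i] - ports[i - lag] for i in range(lag, len(ports))}
        if len(steps) == 1 and 0 not in steps:
            return lag
    return None

def assess_ports(ports: Sequence[int]) -> Tuple[str, float, Optional[int]]:
    """Return (verdict, std_dev, lag). Predictability is checked first, so a
    wide but deterministic sequence is still POOR, as Rob describes."""
    if len(ports) < 4:
        raise ValueError("need at least 4 observed ports")
    sd = port_std_dev(ports)
    lag = predictable_lag(ports)
    if lag is not None:
        return "POOR", sd, lag
    if sd < MIN_GOOD_STDDEV:
        return "POOR", sd, None
    return "GOOD", sd, None

# Constructed sample sequences (not captured from any resolver).
ROTATED = [5, 20005, 10005, 30005, 6, 20006, 10006, 30006, 7, 20007, 10007,
           30007, 8, 20008, 10008, 30008, 9, 20009, 10009, 30009]
CLUSTERED = [32771, 32790, 32774, 32799, 32780, 32785, 32768, 32795, 32777, 32788]
SPREAD = [1025, 60000, 33123, 5000, 48211, 12000, 55555, 20202, 40404, 3333]

if __name__ == "__main__":
    for name, seq in ("rotated", ROTATED), ("clustered", CLUSTERED), ("spread", SPREAD):
        verdict, sd, lag = assess_ports(seq)
        print(f"{name:9s} {verdict} std dev {sd:8.2f} lag {lag}")
```

To check a real resolver this way you would feed it the source ports seen in a packet capture of its outbound queries, which is what the porttest service observes on its side.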

Helmut Schneider

Jul 26, 2008, 5:37:45 AM

I probably should blame my NAT device then rather than FreeBSD. Although
from an attacker's point of view this does not make any difference...

Balwinder S Dheeman

Jul 26, 2008, 8:50:55 PM

[bsd@cto bsd]$ dig @localhost +short porttest.dns-oarc.net TXT
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"208.67.219.12 is GOOD: 26 queries in 0.4 seconds from 26 ports with std
dev 17790.38"
[bsd@cto bsd]$ dig @localhost +short porttest.dns-oarc.net TXT
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"208.67.219.12 is GOOD: 26 queries in 0.1 seconds from 26 ports with std
dev 18466.09"
[bsd@cto bsd]$ uname -rs
FreeBSD 8.0-CURRENT
[bsd@cto bsd]$

The machine is running behind a NAT and firewall on a cheap Belkin/BeeTel
220BX (96338L-2M-8M) ADSL router, custom Linux kernel 2.6.24.7, iptables
v1.2.11.

--
Dr Balwinder S "bsd" Dheeman Registered Linux User: #229709
Anu'z Linux@HOME (Unix Shoppe) Machines: #168573, 170593, 259192
Chandigarh, UT, 160062, India Gentoo, Fedora, Debian/FreeBSD/XP
Home: http://cto.homelinux.net/~bsd/ Visit: http://counter.li.org/
