Saturday, 12 July 2008

More on DNS

Shame I have not finished the DNS paper - I will endeavor to get this done before August.

Having tested 5,000,000 IP addresses earlier this year and found 264,125 DNS servers, over 200,000 of which had not been correctly patched, I do not see the randomness issue as the biggest concern.

Yes, many of the most vulnerable systems I recorded are small sites and home users, but they are still an issue. Worse, I found over 25,000 systems in this set that can be remotely compromised. If a crime.org site wants to build a great bot-net, an adaptive DNS scanner will work wonders. It would need to account for many attacks, as I found over 50 versions of BIND running (including some version 4s), but it would be doable.

Of course they could already be a part of a botnet...

So the issue is not so much new versions of old attacks, but the fact that most people do little anyway.

What I did get from the scan:

DNS         [2]      [3]      [4]
ISC BIND    36.77%   23.85%   68.55%
Microsoft   78.31%   0.00%    16.56%
Tiny DNS    38.91%   0.00%    2.22%

DNS         [5]      [6]
ISC BIND    79.55%   21.87
Microsoft   84.15%   15.50

What I found was that approximately 75% or more of the servers are vulnerable at some level. Worse, over 16% of DNS servers are still vulnerable to a root compromise.

The big issue was that huge numbers of DNS servers are not patched against root-level compromise. If this issue gets people patching, great, but I doubt it. Much work on my paper is still needed. However, the issue remains patching.
