Posted by Geoff on July 28, 2008, 1:11 pm
>> "The test takes a few seconds to complete. When it's done you'll see a
>> page where the transaction ID and source port randomness will be
>> rated either GREAT, GOOD, or POOR. If you see a POOR rating, we
>> recommend that you contact your ISP and ask if they have plans to upgrade
>> their nameserver software before August 7th."
>
>Umm, I'd beware any stranger offering advice in case that appeals to
>you. It's outright spam to begin with and of no known value or
>recognition otherwise. It's designed to make you curious and want to
>visit that URL where who knows what might go on? It'd be funny if it
>weren't so stupid!
>
>
As an advisory it lacks any real information. This is supposed to be an
advisory about the Kaminsky DNS vulnerability but is of limited use to end
users other than to generate a grassroots movement from users to get ISPs
to upgrade their DNS code.
The full text of the dns-oarc.net page follows:
----------------------
US-CERT's Vulnerability Note VU#800113 describes deficiencies in the DNS
protocol and implementations that can facilitate cache poisoning attacks.
The answers from a poisoned nameserver cannot be trusted. You may be
redirected to malicious web sites that will try to steal your identity or
infect your computers with malware. On August 7, 2008, Dan Kaminsky will
release the details of how such attacks can be launched against vulnerable
DNS resolvers.
The essence of the problem is that DNS resolvers don't always use enough
randomness in their transaction IDs and query source ports. Increasing the
amount of randomness increases the difficulty of a successful poisoning
attack.
This page exists to help you learn if your ISP's nameservers are vulnerable
to this type of attack. If you click on the button below, we will test the
randomness of your ISP DNS resolver.
The test takes a few seconds to complete. When it's done you'll see a page
where the transaction ID and source port randomness will be rated either
GREAT, GOOD, or POOR. If you see a POOR rating, we recommend that you contact
your ISP and ask if they have plans to upgrade their nameserver software
before August 7th.
See porttest for another way to check your resolver from a Unix
command line.
----------------------
See also: http://www.kb.cert.org/vuls/id/800113
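
The quoted page rates a resolver's transaction ID and source port randomness as GREAT, GOOD, or POOR. The sketch below is an added example, not part of the original post and not the dns-oarc.net test's code, showing one way such a rating could be computed from queries observed at an authoritative server. The standard-deviation method, the cut-off values, the repeat check and all sample data are assumptions made for illustration.

```python
import statistics

# Assumed cut-offs on the standard deviation of the sampled values; they are
# illustrative and are not taken from the dns-oarc.net test.
POOR_BELOW = 300.0
GOOD_BELOW = 4000.0


def rate(values):
    """Rate the spread of observed 16-bit values as GREAT, GOOD or POOR."""
    if len(values) < 2:
        raise ValueError("need at least two samples")
    if any(not 0 <= v <= 0xFFFF for v in values):
        raise ValueError("ports and transaction IDs are 16-bit values")
    # A resolver that keeps reusing a handful of values is predictable even
    # when those values lie far apart, so check for repeats first.
    if len(set(values)) < len(values) / 2:
        return "POOR"
    spread = statistics.pstdev(values)
    if spread < POOR_BELOW:
        return "POOR"
    return "GOOD" if spread < GOOD_BELOW else "GREAT"


def assess(queries):
    """queries: (source_port, transaction_id) pairs seen from one resolver."""
    ports = [port for port, _ in queries]
    txids = [txid for _, txid in queries]
    return {"source_port": rate(ports), "transaction_id": rate(txids)}


# Constructed sample: a resolver with a fixed source port and varied IDs.
FIXED_PORT = [(32768, t) for t in
              (51234, 907, 33871, 60412, 12999, 45020, 7811, 28655)]
# Constructed sample: varied source ports, sequential transaction IDs.
SEQUENTIAL_ID = [(p, 4000 + i) for i, p in enumerate(
    (49213, 10877, 61002, 23456, 35790, 5120, 58011, 17644))]

if __name__ == "__main__":
    print("fixed port:    ", assess(FIXED_PORT))
    print("sequential IDs:", assess(SEQUENTIAL_ID))
```
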