From: Mike Tancsa <mike@sentex.net>
To: Oliver Fromme, freebsd-security@freebsd.org
Date: Wed, 09 Jul 2008 08:09:14 -0400
Subject: Re: BIND update?
Message-Id: <200807091209.m69C9Gsl030319@lava.sentex.ca>
In-Reply-To: <200807091054.m69As4eH065391@lurza.secnetix.de>

At 06:54 AM 7/9/2008, Oliver Fromme wrote:
>Andrew Storms wrote:
> > http://www.isc.org/index.pl?/sw/bind/bind-security.php
>
>I'm just wondering ...
>
>ISC's patches cause source ports to be randomized, thus
>making it more difficult to spoof response packets.
>
>But doesn't FreeBSD already randomize source ports by
>default? So, do FreeBSD systems need to be patched
>at all?

It doesn't seem to do a very good job of it with BIND for some reason...
Perhaps because it picks a port and reuses it?

Doing the following

% cat s
host 1iatest.yahoo.com
host 1iatest2.yahoo.co.uk
host 1iatest3.yahoo.com
host 1iatest4.yahoo.com
host 1iatest4.yahoo.com

shows the same source port being used

08:05:44.269507 IP 64.7.134.1.51761 > 203.84.197.239.53: 814% [1au] A? 1iatest.yahoo.com. (46)
08:05:44.595674 IP 203.84.197.239.53 > 64.7.134.1.51761: 814 NXDomain*- 0/1/1 (107)
08:05:44.596251 IP 64.7.134.1.51761 > 199.212.134.1.53: 38272% [1au] A? 1iatest.yahoo.com.sentex.ca. (56)
08:05:44.649672 IP 199.212.134.1.53 > 64.7.134.1.51761: 38272 NXDomain* 0/1/1 (116)
08:05:44.654444 IP 64.7.134.1.51761 > 68.142.196.63.53: 20277% [1au] A? 1iatest2.yahoo.co.uk. (49)
08:05:44.743687 IP 68.142.196.63.53 > 64.7.134.1.51761: 20277*- 1/13/1 CNAME[|domain]
08:05:44.749325 IP 64.7.134.1.51761 > 68.142.255.16.53: 32407% [1au] A? 1iatest3.yahoo.com. (47)
08:05:44.825666 IP 68.142.255.16.53 > 64.7.134.1.51761: 32407 NXDomain*- 0/1/1 (108)
08:05:44.826291 IP 64.7.134.1.51761 > 199.212.134.2.53: 59918% [1au] A? 1iatest3.yahoo.com.sentex.ca. (57)
08:05:44.881667 IP 199.212.134.2.53 > 64.7.134.1.51761: 59918 NXDomain* 0/1/1 (117)
08:05:44.886352 IP 64.7.134.1.51761 > 217.12.4.104.53: 56112% [1au] A? 1iatest4.yahoo.com. (47)
08:05:45.021655 IP 217.12.4.104.53 > 64.7.134.1.51761: 56112 NXDomain*- 0/1/1 (108)
08:05:45.022213 IP 64.7.134.1.51761 > 64.7.153.49.53: 14304% [1au] A? 1iatest4.yahoo.com.sentex.ca. (57)
08:05:45.075656 IP 64.7.153.49.53 > 64.7.134.1.51761: 14304 NXDomain* 0/1/1 (117)

and a few min later with new requests,

# tcpdump -ni tun0 port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type NULL (BSD loopback), capture size 96 bytes
08:08:00.273502 IP 64.7.134.1.51761 > 68.142.255.16.53: 37470% [1au] A? 21iatest.yahoo.com. (47)
08:08:00.350026 IP 68.142.255.16.53 > 64.7.134.1.51761: 37470 NXDomain*- 0/1/1 (108)
08:08:00.350565 IP 64.7.134.1.51761 > 199.212.134.1.53: 31976% [1au] A? 21iatest.yahoo.com.sentex.ca. (57)
08:08:00.406013 IP 199.212.134.1.53 > 64.7.134.1.51761: 31976 NXDomain* 0/1/1 (117)
08:08:00.410993 IP 64.7.134.1.51761 > 68.142.196.63.53: 2704% [1au] A? 21iatest2.yahoo.co.uk. (50)
08:08:00.500032 IP 68.142.196.63.53 > 64.7.134.1.51761: 2704*- 1/13/1 CNAME[|domain]
08:08:00.505356 IP 64.7.134.1.51761 > 68.142.255.16.53: 33992% [1au] A? 21iatest3.yahoo.com. (48)
08:08:00.582006 IP 68.142.255.16.53 > 64.7.134.1.51761: 33992 NXDomain*- 0/1/1 (109)
08:08:00.582565 IP 64.7.134.1.51761 > 199.212.134.2.53: 18776% [1au] A? 21iatest3.yahoo.com.sentex.ca. (58)
08:08:00.638004 IP 199.212.134.2.53 > 64.7.134.1.51761: 18776 NXDomain* 0/1/1 (118)
08:08:00.642684 IP 64.7.134.1.51761 > 68.142.255.16.53: 54964% [1au] A? 21iatest4.yahoo.com. (48)
08:08:00.720000 IP 68.142.255.16.53 > 64.7.134.1.51761: 54964 NXDomain*- 0/1/1 (109)
08:08:00.720529 IP 64.7.134.1.51761 > 64.7.153.49.53: 11657% [1au] A? 21iatest4.yahoo.com.sentex.ca. (58)
08:08:00.773998 IP 64.7.153.49.53 > 64.7.134.1.51761: 11657 NXDomain* 0/1/1 (118)

# sysctl -a net.inet.ip.portrange
net.inet.ip.portrange.randomtime: 45
net.inet.ip.portrange.randomcps: 10
net.inet.ip.portrange.randomized: 1
net.inet.ip.portrange.reservedlow: 0
net.inet.ip.portrange.reservedhigh: 1023
net.inet.ip.portrange.hilast: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.first: 49152
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.lowfirst: 1023

---Mike

>Best regards
> Oliver
>
>PS:
>$ sysctl net.inet.ip.portrange.randomized
>net.inet.ip.portrange.randomized: 1
>$ sysctl -d net.inet.ip.portrange.randomized
>net.inet.ip.portrange.randomized: Enable random port allocation
>
>--
>Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
>Commercial register: Munich registry court, HRA 74606, management:
>secnetix Verwaltungsgesellsch. mbH, commercial register: Munich registry
>court, HRB 125758, managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart
>
>FreeBSD services, products and more: http://www.secnetix.de/bsd
>
>It's trivial to make fun of Microsoft products,
>but it takes a real man to make them work,
>and a God to make them do anything useful.
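As an added check (not part of Mike's post or of BIND/FreeBSD), a small Python script that parses tcpdump lines of the form shown above and reports how many distinct UDP source ports the resolver actually used; the embedded trace lines are an excerpt of the post's own capture, reflowed to one packet per line, and the 0.5 threshold is an arbitrary assumption.

```python
import re
from collections import Counter

# Constructed excerpt of the tcpdump trace in the post, one packet per line.
TRACE = """\
08:05:44.269507 IP 64.7.134.1.51761 > 203.84.197.239.53: 814% [1au] A? 1iatest.yahoo.com. (46)
08:05:44.595674 IP 203.84.197.239.53 > 64.7.134.1.51761: 814 NXDomain*- 0/1/1 (107)
08:05:44.596251 IP 64.7.134.1.51761 > 199.212.134.1.53: 38272% [1au] A? 1iatest.yahoo.com.sentex.ca. (56)
08:05:44.654444 IP 64.7.134.1.51761 > 68.142.196.63.53: 20277% [1au] A? 1iatest2.yahoo.co.uk. (49)
08:08:00.273502 IP 64.7.134.1.51761 > 68.142.255.16.53: 37470% [1au] A? 21iatest.yahoo.com. (47)
08:08:00.410993 IP 64.7.134.1.51761 > 68.142.196.63.53: 2704% [1au] A? 21iatest2.yahoo.co.uk. (50)
"""

# Matches only queries sent *to* port 53; replies come back from port 53 and
# have no "?" after the record type, so they fall through.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.53: (?P<txid>\d+)[%+*$-]* "
    r"(?:\[\d+au\] )?[A-Z]+\? (?P<qname>\S+)"
)


def parse_queries(trace):
    """Return (timestamp, source port, transaction ID, qname) per outbound query."""
    queries = []
    for line in trace.splitlines():
        m = QUERY_RE.match(line)
        if m:
            queries.append((m["ts"], int(m["sport"]), int(m["txid"]), m["qname"]))
    return queries


def port_reuse_report(trace, min_distinct_ratio=0.5):
    """Summarise how much the resolver's UDP source port varies across queries.

    A resolver drawing a fresh random port per query shows about as many distinct
    ports as queries; one that sticks to a single port (51761 in the trace above)
    leaves only the 16-bit transaction ID protecting it against forged replies.
    """
    queries = parse_queries(trace)
    ports = Counter(sport for _, sport, _, _ in queries)
    n, distinct = len(queries), len(ports)
    return {
        "queries": n,
        "distinct_ports": distinct,
        "distinct_txids": len({txid for _, _, txid, _ in queries}),
        "most_common_port": ports.most_common(1)[0] if ports else None,
        "port_reuse_suspected": n > 0 and distinct / n < min_distinct_ratio,
    }
```

Feed it the output of `tcpdump -ni <if> port 53` captured on the resolver before and after applying the update to compare the two.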