Tales from the Crypto - All Comments

re: Removing Apple Mobile Device Support

Alun Jones — Fri, 25 Jul 2008 17:08:51 GMT

I would certainly give that a go, since you can always fetch and install it again. Of course, not being that much of an Apple expert, I can't guarantee that this won't cause you problems with an iPod / iPhone.

re: DNS Server Reserves 2500 Ports.

Ivan_83 — Fri, 25 Jul 2008 11:47:20 GMT

There is another big problem!

Then ms dns running on server that have NAT role (in my case 2003 + ISA 2006 sp1 + ms dns for caching and forwading to ISP DNS and PPPoE connection to ISP)

Then users send dns request to local dns server -> forwad to ISP DNS, but NAT cant create UDP sockets, becouse sockets from previous reguests still alive.

In my case im set SocketPoolSize=16 and now all work fine.

Not really solving the problem

Sure, that fixes the problem of DNS causing your system to run out of ephemeral ports - but it does so by undoing almost all of the work of patching your DNS system.

Far more useful than reducing the size of socket pool used by DNS would be to increase the number of ports assigned for ephemeral ports. I believe the registry setting that you'll want to investigate is MaxUserPorts - on pre-Vista systems, this is set to 5000, so that ephemeral sockets exist at ports between 1024 and 5000.

As you've seen, take a few thousand out of that range, especially if you have to double the number through NAT, and you're hurting. So extend the range, and you'll find DNS is still patched against this exploit. [Don't forget to put the pool size back]

Friday, July 25, 2008 8:42 PM by Alun Jones

re: Removing Apple Mobile Device Support

Carolyn — Wed, 23 Jul 2008 21:45:48 GMT

************ HELP PLEASE!!! ************

I have iTunes. I use Windows Vista. Everytime I open iTunes [lately], I get a "looped message" that says:

"AppleMobileDeviceHelper has stopped working

Aproblem caused the program to stop working correctly.

Windows will close the progtam and notify you if a solution is available."

I do want to continue using iTunes for my iPod.

Can I just go in and "uninstall" Apple Mobile Device Support and solve the problem of the "loop"?

re: Whoops - Information Wanted to be Free Again.

Harry Johnston — Wed, 23 Jul 2008 04:08:11 GMT

I'm not sure that's the best way to get into the news though!

I suppose it boils down to the old adage - there's no such thing as bad publicity. :-(

Apple Plumping Up My Windows System? : AwesomeBlogs.Info

Apple Plumping Up My Windows System? : AwesomeBlogs.Info — Wed, 23 Jul 2008 04:07:30 GMT

Pingback from Apple Plumping Up My Windows System? : AwesomeBlogs.Info

re: Removing Apple Mobile Device Support

Jason Bean — Wed, 23 Jul 2008 01:10:42 GMT

I agree, I'm tired of having Quicktime and iTunes pushed on me repeatedly when I'm not really interested in the upgrades if I don't want them. Now pushing Safari and this new Apple Mobile Device Support is the newest one on the list.

Apple Plumping Up My Windows System?

Apple Plumping Up My Windows System? — Wed, 23 Jul 2008 01:07:38 GMT

Pingback from Apple Plumping Up My Windows System?

re: Whoops - Information Wanted to be Free Again.

Harry Johnston — Tue, 22 Jul 2008 23:19:04 GMT

If all they wanted was to prove they already knew, why didn't they publish a hash of their article? They could have done that as soon as the patches were released.

re: hashing the article

Sadly, publishing hashes of articles isn't sexy. You don't get in the news because you were the first to come up with an idea, and can demonstrate it with a time-based signed hash. You get in the news because you were the first to publish full details.

Tuesday, July 22, 2008 5:50 PM by Alun Jones

re: DNS Server Reserves 2500 Ports.

Alan McFarlane — Tue, 22 Jul 2008 15:10:11 GMT

There seems to be a Registry option to control the number of ports reserved. It's

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\SocketPoolSize

See support.microsoft.com/.../953230

As I understand it, Vista and Server 2008 now use the original BSD intended behaviour of assigning ephemeral ports from above 5000, support.microsoft.com/.../929851 I wonder if the current DNS Server code assigns ports only from that range on those platforms, that would at least solve the conflicts described in the SBS blog (1024<p<5000 vs emphemeral >=5000).

I agree with your points however; I particularly like the Winsock-give-me-a-randomized-port-assignment option.

Alan

Blast from the past...

Alan, yours is a name I remember from relatively early on in the development of Winsock - as another developer trying to use and make sense of the darn thing, if I remember correctly.

Yeah, I like the idea of providing for other protocols which also need to bind to random ports (DNS isn't alone, because FTP needs it - and where two protocols need a behaviour, you can bet that there's another half dozen at least) - I was going to suggest that ephemeral ports' behaviour should change and become random assignment, because "of course" developers knew that they couldn't guarantee any particular assignment sequence, let alone one after the other.

But then sanity reined me in, and I realised that of course developers - particularly the cheap ones that get the job done quickly - tend to rely on observed behaviour more than documentation or training. So I thought it'd better be an option. And a socket option makes sense - call it between socket() and bind() / connect(), and you have an answer.

Sunday, July 20, 2008 4:32 PM by Alun Jones

re: Wireless PC Lock - part 2

ByteSeeker — Tue, 22 Jul 2008 06:44:02 GMT

LOL, Then with your permission I'll pop here from time to time to act as reminder ;)

re: Removing Apple Mobile Device Support

Alun Jones — Mon, 21 Jul 2008 16:27:19 GMT

Thank you for the time and thought you put into creating such a cogent argument for that posting. The effort must have been considerable.

re: Removing Apple Mobile Device Support

freaq — Mon, 21 Jul 2008 16:08:48 GMT

u r an ass.

i love my ipod and i know im an ass.

but ur an ass but u don't know it

get lost

re: DNS Server Reserves 2500 Ports.

Alun Jones — Mon, 21 Jul 2008 05:39:12 GMT

What about some active evasion, as well - detect when you might be being flooded with requests, and either refuse to serve such requests (discarding any responses that you might already have cached from forged responses), or serve them using a more protected connection, such as a TCP connection to the remote DNS server?

I'm sure that the DNS folks at Microsoft have spent a lot of time talking with other DNS server authors and coming to some consensus as to what's a good approach - and it's always possible that I'm missing something huge and important in my analysis.

What I'd like to see is a new Winsock socket option, to say "when I call bind() on this socket, I want you to give me a pseudo-random (not N+1) port assignment, that isn't currently in use by another application" - FTP would benefit from this, because PASV responses are supposed to bind to an unpredictable port to improve security.

I do like the idea of leaving DNS less responsive (or even non-responsive to external queries) until a significant time after booting, though.

Another angle that I don't think has been considered is to tailor the approach to two scenarios - one of a high-traffic DNS server, which is probably almost exclusively running DNS as its only service; the other of a DNS server that runs multiple other services. I think the threats can be handled differently, because the level of service to be provided is different.

re: DNS Server Reserves 2500 Ports.

The Dave — Mon, 21 Jul 2008 04:49:44 GMT

You're absolutely correct. Sadly.

Remember that MSDNS still needs to pick random numbers at some point here, we still need to randomize requests among the various available ports, so we're not saving any CPU time at all by doing the randomization first, although we are probably reducing DNS query time by a couple MS. We could achieve the same performance improvement by building a list, but not pre-binding.

Worse, by pre-binding to 2500 ports, we might even be helping an attacker map out which ports are and are not used by DNS. Sure, sending out 2500 times more spoofed packets then before sounds like a lot, but with zombie farms ranging in the millions, getting an important DNS poison (PayPal anyone?) cached is probably not outside the scope.

If we build a random map out in advance, but don't bind until needed, an attacker would still need to flood some ~65000 ports. Oh well, 2500 is better then 1.

The other performance improvement is that by pre-binding, rather then binding on-demand, we don't need to confirm that a binding is successful before sending out a DNS query. Good, also saves a ms or two. A better fix might be to have the server pre-bind a small number of ports in advance, only using a single port once (or at least only sending it to a single destination IP once, you can probably reuse a remote-DNS-IP:local-port pair pretty safely, since this whole random port scheme does nothing for MITM attacks anyway.

Anyway, an effective pre-binding algorithm could avoid clobbering ports other applications need, plus avoid the performance impact of binding on demand. The numbers may need to be tweaked, but start with this: For the first three minutes of operation, you'd only pre-bind five ports. These ports could be anywhere in a large range, maintaining some level of randomness, but don't forget a comprehensive list of known-services to avoid, maybe Windows' own "%systemroot%\system32\drivers\etc\services" list would be a good place to start.

After three minutes, larger numbers of ports can be safely allocated without difficulty, since services have now had an opportunity to start and do their initial bindings. At this stage, MSDNS could decide how many ports to pre-bind allowing for MSDNS to stay 30-60 seconds ahead -- Enough time to allow for a bump in activity, but not enough time for an attacker to build a map.

Thoughts?

re: Wireless PC Lock - part 2

Alun Jones — Mon, 21 Jul 2008 00:19:19 GMT

I'd love to, but I keep forgetting to do so.

re: DNS Server Reserves 2500 Ports.

Alun Jones — Sun, 20 Jul 2008 23:32:17 GMT

It's not much better if you're using BIND as your DNS server, apparently (mostly in the Linux world).

BIND can't tell when it's selecting a port that's already bound by another application, so it randomly, unpredictably, and without warning will send out a request on a port that causes the response to come back to an application other than BIND's "named".

[For discussion of this problem, see: this Usenet thread]

That's all very well for applications that are used to being exposed to the Internet - after all, they receive random junk packets all the time, so they should be resilient.

But what about apps that aren't used to Internet exposure? Remember - the DNS server sends out a packet first, so it will cause most firewalls to open up a hole for the return packet.

Any UDP-based service on your DNS server will receive random UDP data, whether you've blocked it at the firewall or not.

Just like in Windows with the ReservedPorts option, there's a way to work around this - there's a new setting for named called "avoid-v4-udp-ports" that you can use to list ports that named shouldn't bind to for its outgoing requests.

re: DNS Server Reserves 2500 Ports.

Yoav — Sun, 20 Jul 2008 20:33:33 GMT

agreed. This may cause issues to a lot of users.

re: Wireless PC Lock - part 2

ByteSeeker — Thu, 17 Jul 2008 12:35:37 GMT

Would you make the source code available for download by any chance so people may adapt it to other platforms ?

re: Can You Write Good Code for an OS you Despise?

Alun Jones — Thu, 17 Jul 2008 02:22:50 GMT

You have a point - a better approach, if you have to hold secrets around for a long time, is to use CryptProtectMemory and CryptUnprotectMemory.

[Edited to refer to the Memory functions, rather than the Data functions, which are designed for storage that will last past reboots]

re: Can You Write Good Code for an OS you Despise?

David LeBlanc — Wed, 16 Jul 2008 23:41:51 GMT

Couple of things to add - VirtualLock doesn't guarantee the memory will never get paged, though it would rare to have it happen. If the system is under enough memory stress, and the app hasn't done anything for a while, the whole process could be paged out. I think the comments say as much.