
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-04-22



DNS problems at Network Solutions; Potential Problems with MS05-019; Filtering SSL

Published: 2005-04-22
Last Updated: 2005-04-22 23:07:16 UTC
by Lorna Hutcheson (Version: 1)

DNS problems at Network Solutions



(This story reported by handler Kyle Haugsness)



We have reports from numerous people about problems with the
worldnic.com nameservers, and there appears to have been an outage today.
These nameservers provide authoritative DNS for Network
Solutions customers that don't run their own DNS servers. The outage
was reported today on the NANOG mailing list:



http://www.merit.edu/mail.archives/nanog/msg07136.html



However, there appears to be a second, separate issue. Numerous sites are
reporting problems resolving names against the worldnic servers, and the
cause looks like a bug in the Symantec gateway products, including the SEF
(Raptor) product line. The Symantec DNS engineers are aware of it and
are reportedly working on a fix.



Here is a public post on the issue from Barry Margolin, CISSP, Sr. Technical Support Engineer at Symantec.



"When I investigated, I found that occasionally the worldnic.com servers
will respond to a query with an empty response with the Truncated flag
set. The problem on our end is that the DNS proxy in our firewall seems
to ignore the Truncated flag, rather than retry using TCP (I've reported
this bug to development), so we cache the NOANSWER response (but we have
a hard-coded 60-second negative cache TTL, so the problem usually clears
up shortly)."



Finally, the Network Solutions problems may also be causing trouble for BIND
servers. An empty response to the UDP query with the Truncated flag set
should force a DNS server to retry the same question over TCP. Apparently,
TCP sessions to those servers are very slow, so the symptom looks like an
outage (or a pile-up of SYN-SENT sessions toward the worldnic.com
servers).
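To make the behaviour above concrete, here is an added example (not code from the diary, from Symantec, or from BIND) showing the decision a DNS proxy should make on a UDP reply, next to the shortcut Barry Margolin describes: treating a truncated empty reply as a cacheable negative answer. The DNS messages are constructed, header-only samples.

```python
import struct

# DNS header (RFC 1035 4.1.1): ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT.
QR_FLAG = 0x8000  # message is a response
TC_FLAG = 0x0200  # message was truncated: the UDP payload is incomplete


def parse_header(msg):
    """Return the header fields of a raw DNS message as a dict."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "qr": bool(flags & QR_FLAG), "tc": bool(flags & TC_FLAG),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def classify_udp_response(msg):
    """Correct resolver behaviour for a UDP reply.

    'retry_tcp' : TC set, so nothing in this reply may be trusted or cached;
                  re-ask the same question over TCP
    'negative'  : NOERROR/NXDOMAIN, no answers, TC clear; may be negatively cached
    'answer'    : answer records present
    'error'     : any other RCODE (SERVFAIL, REFUSED, ...)
    """
    h = parse_header(msg)
    if h["tc"]:
        return "retry_tcp"
    if h["rcode"] not in (0, 3):
        return "error"
    return "negative" if h["ancount"] == 0 else "answer"


def buggy_classify(msg):
    """The failure mode in the diary: TC is ignored, the empty reply is cached."""
    return "negative" if parse_header(msg)["ancount"] == 0 else "answer"


def build_header(ident, flags, qd=0, an=0, ns=0, ar=0):
    """Constructed header-only message; sections are omitted on purpose."""
    return struct.pack("!6H", ident, flags, qd, an, ns, ar)


# Constructed sample shaped like the worldnic.com replies: response, TC set, no answers.
TRUNCATED_EMPTY = build_header(0x1234, QR_FLAG | TC_FLAG)
# Constructed sample of a genuine negative answer: response, NXDOMAIN (rcode 3), TC clear.
REAL_NXDOMAIN = build_header(0x1235, QR_FLAG | 0x0003)
```

With the first sample, the correct path retries over TCP while the shortcut returns a negative answer that a 60-second negative cache would then hand to every client.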



This issue could be wreaking havoc with e-mail delivery. Receiving mail
servers that can't look up MX or sender records for remote domains may reject
the mail as spam. Given the large number of DNS queries some spam filters
generate per message, this can be a real problem.


Potential Problems with MS05-019


We are hearing of some problems with the MS05-019 patch. There is a posting by Darryl J. Roberts at


http://archives.neohapsis.com/archives/ntbugtraq/2005-q2/0049.html



Here is what he said:

"After installing the update in Microsoft Security Bulletin MS05-019 on
two servers at a customer site, we are no longer able to connect via VPN
to terminal services on those servers. (Other servers that did not have
the security bulletins from last Tuesday installed can connect via VPN.)


After many hours over two days working with Microsoft Product Support
Services, we discovered that forcing the MTU size down allowed the
client to connect to terminal services. Today Microsoft PSS reported
that they have confirmed that there is a problem with ICMP messages being
incorrectly discarded (others have opened PSS cases about this issue).
This could be why the MTU size is not being set correctly.


There will be an update to the patch in MS05-019, but as of this time,
that update is not available. A Microsoft KB article is being written
and has been assigned the number KB898060, but as to this time, that
article is not publicly available.


I will be uninstalling the update for Security Bulletin MS05-019 from
our customers' servers this evening and waiting for the corrected patch
before reinstalling it."


There is also discussion that it doesn't affect all operating systems. Here are some more links:

http://marc.theaimsgroup.com/?l=patchmanagement&r=1&b=200504&w=2

http://www.winserverhelp.com/ftopic22712.html

If anyone has experienced issues with this patch or has other information, please let us know.

Filtering SSL


We had a reader who posed a very good question about filtering SSL. Any type of encrypted traffic, such as SSL or SSH, does blind your previously installed network security tools and may allow unwanted traffic to enter your network. However, I feel that filtering encrypted traffic poses some serious issues. I would really like to hear how folks are handling encrypted traffic, especially when it's not possible to terminate it outside or right at the gateway to your network. If you are filtering, have there been any legal issues that have arisen, and what have you found that works?


Lorna Hutcheson

Handler on Duty

http://www.iss-md.com