--- 
author: 
  email: ''
  keyid: 0
  name: Anonymous Coward
categories: []

comments: 
  - 
    author: 
      email: ''
      keyid: 0
      name: Anonymous Coward
    comments: []

    date: 2008-07-16T20:43:25Z
    guid: 5863BF60-5379-11DD-9AB5-BAC8CAD30611
    modified: 2008-07-16T20:43:25Z
    raw: "[Dan Kaminsky here]\r\n\r\nThis is awesome work :)  All the data will eventually be public, so no freak-out on my side.  Maybe you'll help me summarize the gigs and gigs of data being collected on this elsewhere?\r\n\n"
    signed: 0
    summary: "[Dan Kaminsky here] This is awesome work :) All the …"
    tags: []

    text: "[Dan Kaminsky here]\n\nThis is awesome work :) All the data will eventually be public, so no\nfreak-out on my side. Maybe you'll help me summarize the gigs and gigs\nof data being collected on this elsewhere?\n"
    title: "Re: Traversing Dan's directory"
    type: text
    uri: http://www.shiftordie.de/comments/81EFEB06-536F-11DD-9AB5-BAC8CAD30611/5863BF60-5379-11DD-9AB5-BAC8CAD30611
    xhtml: <p>[Dan Kaminsky here]</p> <p>This is awesome work :)  All the data will eventually be public, so no freak-out on my side.  Maybe you&apos;ll help me summarize the gigs and gigs of data being collected on this elsewhere?</p>
date: 2008-07-16T19:43:39Z
guid: 81EFEB06-536F-11DD-9AB5-BAC8CAD30611
modified: 2008-07-16T19:45:37Z
raw: "<p>\nSo I guess you have all read <a href=\"http://www.doxpara.com/?p=1162\">Dan's post</a> (and seen <a href=\"http://www.youtube.com/watch?v=XDKw8ny6IcM\">Sarah's video</a>, of course :-).\n</p>\n<p>\n... And I guess many of you have used the DNS checker on <a href=\"http://www.doxpara.com\">doxpara.com</a> to see if your DNS is vulnerable (although, personally, I like the \"dig +short porttest.dns-oarc.net TXT\" method better). Well, so did I (and neither my home provider, my mobile provider nor $CUSTOMER have fixed their DNS yet) and of course using it wasn't enough, I had to look more closely at how it works ...\n</p>\n<p>\nTurns out it is doing a simple lookup on $randomstring.toorrr.com, which resolves to the webserver via a CNAME chain that encodes the interesting data from the queries that are sent out by the resolver. So what does Dan do with it then? He writes a file with the query details (requested hostname, date, source ports and query IDs) to /fprint/$randomstring on his webserver (which is automatically deleted after about two minutes or so), which the script then fetches using some AJAX-magic. Luckily for me, he forgot to turn off the directory listing on /fprint/, so not only the original requestor could download the result files, but me too.\n</p>\n<p>\nThus, for the last few days, I have been doing something along the lines of <tt>while true; do rm 209.200.168.66/fprint/index.html; wget -U \"Hi Dan, just compiling some stats, hope you don't mind ... Alex\" -r -nc -l inf http://209.200.168.66/fprint/; sleep 30; done</tt> and put the output into a database. 471690 queries later, Dan apparently noticed and put a &raquo;*laughs*&laquo; into /fprint/index.html.\n</p>\n<p>\nWell, still enough data to produce some interesting graphs. 
The first one shows the number of new IPs appearing every hour and how many of those had fixed source ports and weak source ports (max(srcport) - min(srcport) < 100).\n</p>\n<p>\n<a href=\"/static/dns1.pdf\"><img src=\"/static/dns1.png\"></a>\n</p>\n<p>\nFrom here, one can already see that the red line (fixed source ports, thus apparently vulnerable to what Dan's been cooking up) is still more than 50% of the blue one - here are the percentages of red vs. blue:\n</p>\n<p>\n<a href=\"/static/dns2.pdf\"><img src=\"/static/dns2.png\"></a>\n</p>\n<p>\nBut of course, it is not only interesting how many new vulnerable servers are discovered, but what happens to the old ones. The next two graphs show the number of vulnerable servers at the time (some of those may have been fixed, but not retested afterwards, so take the figures with a grain of salt) and how many have been fixed.\n</p>\n<p>\n<a href=\"/static/dns3.pdf\"><img src=\"/static/dns3.png\"></a>\n</p>\n<p>\n<a href=\"/static/dns4.pdf\"><img src=\"/static/dns4.png\"></a>\n</p>\n<p>\nLet's hope that the numbers change a bit before August 6th or I guess all hell will break loose ...\n</p>\n"
signed: 0
summary: " So I guess you have all read Dan's post …"
tags: 
  - 
    dns: 1
  - 
    english: 1
  - 
    security: 1
text: "\n So I guess you have all read Dan's post [1] (and seen Sarah's video\n [2], of course :-).\n\n ... And I guess many of you have used the DNS checker on doxpara.com\n [3] to see if your DNS is vulnerable (although, personally, I like the\n \"dig +short porttest.dns-oarc.net TXT\" method better). Well, so did I\n (and neither my home provider, my mobile provider nor $CUSTOMER have\n fixed their DNS yet) and of course using it wasn't enough, I had to look\n more closely at how it works ...\n\n Turns out it is doing a simple lookup on $randomstring.toorrr.com,\n which resolves to the webserver via a CNAME chain that encodes the\n interesting data from the queries that are sent out by the resolver. So\n what does Dan do with it then? He writes a file with the query details\n (requested hostname, date, source ports and query IDs) to\n /fprint/$randomstring on his webserver (which is automatically deleted\n after about two minutes or so), which the script then fetches using some\n AJAX-magic. Luckily for me, he forgot to turn off the directory listing\n on /fprint/, so not only the original requestor could download the result\n files, but me too.\n\n Thus, for the last few days, I have been doing something along the\n lines of while true; do rm 209.200.168.66/fprint/index.html; wget -U\n \"Hi Dan, just compiling some stats, hope you don't mind ... Alex\" -r\n -nc -l inf http://209.200.168.66/fprint/; sleep 30; done and put the\n output into a database. 471690 queries later, Dan apparently noticed\n and put a »*laughs*« into /fprint/index.html. Well, still enough data\n to produce some interesting graphs. The first one shows the number of\n new IPs appearing every hour and how many of those had fixed source\n ports and weak source ports (max(srcport) - min(srcport) < 100). 
\n\n<img src=\"/static/dns1.png\" />\n [4]\n\n From here, one can already see that the red line (fixed source ports,\n thus apparently vulnerable to what Dan's been cooking up) is still more\n than 50% of the blue one - here are the percentages of red vs. blue:\n\n<img src=\"/static/dns2.png\" />\n [5]\n\n But of course, it is not only interesting how many new vulnerable\n servers are discovered, but what happens to the old ones. The next two\n graphs show the number of vulnerable servers at the time (some of those\n may have been fixed, but not retested afterwards, so take the figures\n with a grain of salt) and how many have been fixed.\n\n<img src=\"/static/dns3.png\" />\n [6]\n\n<img src=\"/static/dns4.png\" />\n [7]\n\n Let's hope that the numbers change a bit before August 6th or I guess\n all hell will break loose ...\n\n-- \n [1] http://www.doxpara.com/?p=1162\n [2] http://www.youtube.com/watch?v=XDKw8ny6IcM\n [3] http://www.doxpara.com\n [4] /static/dns1.pdf\n [5] /static/dns2.pdf\n [6] /static/dns3.pdf\n [7] /static/dns4.pdf\n"
title: Traversing Dan's directory
type: html
uri: http://www.shiftordie.de/articles/Traversing%20Dan's%20directory
xhtml: "<p> So I guess you have all read <a href=\"http://www.doxpara.com/?p=1162\">Dan&apos;s post</a> (and seen <a href=\"http://www.youtube.com/watch?v=XDKw8ny6IcM\">Sarah&apos;s video</a>, of course :-). </p><p> ... And I guess many of you have used the DNS checker on <a href=\"http://www.doxpara.com\">doxpara.com</a> to see if your DNS is vulnerable (although, personally, I like the &quot;dig +short porttest.dns-oarc.net TXT&quot; method better). Well, so did I (and neither my home provider, my mobile provider nor $CUSTOMER have fixed their DNS yet) and of course using it wasn&apos;t enough, I had to look more closely at how it works ... </p><p> Turns out it is doing a simple lookup on $randomstring.toorrr.com, which resolves to the webserver via a CNAME chain that encodes the interesting data from the queries that are sent out by the resolver. So what does Dan do with it then? He writes a file with the query details (requested hostname, date, source ports and query IDs) to /fprint/$randomstring on his webserver (which is automatically deleted after about two minutes or so), which the script then fetches using some AJAX-magic. Luckily for me, he forgot to turn off the directory listing on /fprint/, so not only the original requestor could download the result files, but me too. </p><p> Thus, for the last few days, I have been doing something along the lines of <tt>while true; do rm 209.200.168.66/fprint/index.html; wget -U &quot;Hi Dan, just compiling some stats, hope you don&apos;t mind ... Alex&quot; -r -nc -l inf http://209.200.168.66/fprint/; sleep 30; done</tt> and put the output into a database. 471690 queries later, Dan apparently noticed and put a »*laughs*« into /fprint/index.html. </p> Well, still enough data to produce some interesting graphs. The first one shows the number of new IPs appearing every hour and how many of those had fixed source ports and weak source ports (max(srcport) - min(srcport) &lt; 100).  
<p><a href=\"/static/dns1.pdf\"><img src=\"/static/dns1.png\" />\n</a></p><p> From here, one can already see that the red line (fixed source ports, thus apparently vulnerable to what Dan&apos;s been cooking up) is still more than 50% of the blue one - here are the percentages of red vs. blue: </p><p><a href=\"/static/dns2.pdf\"><img src=\"/static/dns2.png\" />\n</a></p><p> But of course, it is not only interesting how many new vulnerable servers are discovered, but what happens to the old ones. The next two graphs show the number of vulnerable servers at the time (some of those may have been fixed, but not retested afterwards, so take the figures with a grain of salt) and how many have been fixed. </p><p><a href=\"/static/dns3.pdf\"><img src=\"/static/dns3.png\" />\n</a></p><p><a href=\"/static/dns4.pdf\"><img src=\"/static/dns4.png\" />\n</a></p><p> Let&apos;s hope that the numbers change a bit before August 6th or I guess all hell will break loose ... </p>"
