SAD DNS cache poisoning attack

Baptiste Jonglez baptiste at bitsofnetworks.org
Sat Nov 14 19:42:51 EST 2020


On 15-11-20, Baptiste Jonglez wrote:
> There are two solutions to fix/workaround the problem:
> 
> 1) randomize ICMP rate limiting (done in upstream kernel, there are
>    already OpenWrt patches to update it)

I just checked, here are stable kernel versions containing the fix:

- 4.9.241
- 4.14.203
- 4.19.153
- 5.4.73

And here are our current kernel versions:

- 18.06: 4.9.243 and 4.14.206
- 19.07: 4.14.202
- master: 5.4.75

So, only 19.07 needs a kernel bump (which is already in progress), and
then the fix can go in new stable releases.

> 2) don't send these ICMP messages on WAN for closed ports (change the
>    default rule to DROP instead of REJECT, at least for UDP)

For the record, to do this, the input option of the WAN zone needs to
be changed to "DROP" in /etc/config/firewall:

  config zone
        option name             wan
        ...
        option input            DROP
        ...

and then call "/etc/init.d/firewall reload".

To automate the change (warning: this will remove all comments in your
firewall configuration, and it assumes WAN is the last zone):

  uci get firewall.@zone[-1].name
  # Check that it's indeed "wan"
  uci set firewall.@zone[-1].input=DROP
  uci commit firewall
  /etc/init.d/firewall reload
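The two caveats above (comments are lost, and WAN must be the last zone) can be avoided by editing the config text directly instead of going through `uci`. The script below is an added example, not part of the original mail and not OpenWrt code: it locates the zone section whose `option name` matches the requested zone wherever it appears in the file, rewrites (or inserts) its `option input`, and leaves comments and other sections untouched. The sample config it creates is constructed for the demonstration; on a router the path would be `/etc/config/firewall`, followed by `/etc/init.d/firewall reload` as in the mail.

```shell
#!/bin/sh
# Added example: set the input policy of a named UCI firewall zone in place,
# keeping comments and without assuming the zone's position in the file.
# Assumes the plain UCI text format (config/option lines) shown in the mail.

# awk program: buffer each "config ..." section, and when the section is a
# zone whose "option name" matches, rewrite its "option input" line (or add
# one right after the name line if the section has none).
write_prog=$(cat <<'EOF'
function flush(   i, seen, head, rest) {
    if (n == 0) return
    if (is_zone && zname == zone) {
        seen = 0
        for (i = 1; i <= n; i++) {
            if (buf[i] ~ /^[ \t]*option[ \t]+input[ \t]/ && match(buf[i], /input[ \t]+/)) {
                head = substr(buf[i], 1, RSTART + RLENGTH - 1)   # "option input" + spacing
                rest = substr(buf[i], RSTART + RLENGTH)          # old value and anything after it
                sub(/^[^ \t]+/, "", rest)                        # drop the old value only
                buf[i] = head policy rest
                seen = 1
            }
        }
        if (!seen && name_idx > 0) {
            for (i = n; i > name_idx; i--) buf[i + 1] = buf[i]
            buf[name_idx + 1] = "\toption input\t\t" policy
            n++
        }
    }
    for (i = 1; i <= n; i++) print buf[i]
    n = 0
}
/^[ \t]*config[ \t]/ { flush(); is_zone = ($2 == "zone"); zname = ""; name_idx = 0 }
/^[ \t]*option[ \t]+name[ \t]/ { if (is_zone) { zname = $3; gsub(/["']/, "", zname); name_idx = n + 1 } }
{ n++; buf[n] = $0 }
END { flush() }
EOF
)

# awk program: print the current "option input" value of the named zone.
read_prog=$(cat <<'EOF'
function emit() { if (is_zone && zname == zone && inp != "") print inp }
/^[ \t]*config[ \t]/ { emit(); is_zone = ($2 == "zone"); zname = ""; inp = "" }
/^[ \t]*option[ \t]+name[ \t]/  { zname = $3; gsub(/["']/, "", zname) }
/^[ \t]*option[ \t]+input[ \t]/ { inp = $3; gsub(/["']/, "", inp) }
END { emit() }
EOF
)

# set_zone_input FILE ZONE POLICY  -- rewrite FILE in place
set_zone_input() {
    file="$1"; zone="$2"; policy="$3"
    tmp="${file}.tmp.$$"
    awk -v zone="$zone" -v policy="$policy" "$write_prog" "$file" > "$tmp" && mv "$tmp" "$file"
}

# zone_input_policy FILE ZONE  -- print the zone's current input policy
zone_input_policy() {
    awk -v zone="$2" "$read_prog" "$1"
}

# Constructed sample (not a real router's file): wan is deliberately NOT the
# last zone and a comment is present, so both caveats from the mail apply.
make_sample_config() {
    cat > "$1" <<'EOF'
# keep me: comments survive the rewrite
config defaults
        option input            ACCEPT

config zone
        option name             wan
        option input            REJECT
        option masq             1

config zone
        option name             lan
        option input            ACCEPT
EOF
}

# Demo on the constructed sample. On a router: set_zone_input /etc/config/firewall wan DROP
demo_file="${TMPDIR:-/tmp}/firewall.sample.$$"
make_sample_config "$demo_file"
set_zone_input "$demo_file" wan DROP
echo "wan input policy is now: $(zone_input_policy "$demo_file" wan)"
rm -f "$demo_file"
```

The rewrite only touches the value on the matching `option input` line, so alignment, comments and unrelated zones (including `lan`) come out exactly as they went in; this is what a `uci commit` rewrite cannot promise.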