Open recursive DNS exploits: how to prevent?


I am wrestling with a problem with my son's Windows 7 system and would appreciate advice. He has received the following message from his ISP:

__________________________________
Subject: Potential Security Problem Detected

SECURITY NOTIFICATION
=====================

Hello Mr Paul Leyton,

A sweep of customer's IP allocations has revealed the following IPs in your range are showing as susceptible to Open Recursive DNS exploits:

82.xx.xxx.xxx

The associated Zen username is: zen22xxxx@zen

You can confirm this is the case using our recursive DNS tool - http://security.zensupport.co.uk/

This particular type of vulnerability is viewed as extremely serious, and we ask for your co-operation in removing it as a threat. Information on open recursive DNS exploits is available here -
http://www.zensupport.co.uk/knowledg....aspx?id=10538 - which also includes some possible fixes for the problem.

Please take action to secure your equipment.

Note some models of Draytek router have a firmware bug that turns on ODR. If you have a Draytek router you may need to speak to Draytek to obtain a new firmware.

Best regards

---------------------------------------------------------
Technical Support - Abuse Department
Zen Internet Ltd.
E: abuse@zen.co.uk
W: http://www.zensupport.co.uk/

Zen Internet Limited is registered in England No. 03101568, VAT Reg No. 686 0495 01.
____________________________________

We have run a full virus check and malware check - with no problem being reported. So we assume that the reported behaviour is not due to any obvious kind of software intrusion.

He is using an Addon NWAR3650 router. We cannot see anything in the documentation that can be set/unset to cause this problem. The ISP is unable/unwilling to help.

Any advice on solving this would be much appreciated, as would opinions on whether this is an important issue or could we simply ignore it (without serious consequences)?

Richard




In Windows operating systems such as Windows 7, Windows Vista, Windows XP, Windows Server 2008 R2, Windows Server 2008, Windows 2000 or Windows Me, when a user right-clicks a file with a registered file type in Windows Explorer, the user can use the “Open With” command to select an associated program to open the file. Over time, each program that the user has used to open a specific file extension is added to the Open With list for that file type, even if the program cannot open the selected file type or has since been uninstalled.

For example, if user selects Microsoft Paint (MSPaint.exe) or (wmplayer.exe) in the Open With dialog box when opening a text document (a file with a .txt extension), the Paint or WMP program is listed in the Open With list for all text documents, even though Paint is unable to open text documents.

More..........How to Unassociate, Remove or Delete Programs From “Open With” or “Recommended Programs” List My Digital Life




Hi, I have two users on my PC: Me (set as administrator) and a Guest account.

I would like to prevent users of the Guest account from accessing specific folders and their contents.

Can you please tell me how I would go about this?

Thank you!




I have a jar file... I mistakenly chose to open it with Java 7... How do I restore the default, and how do I open it?




I have a specific sort of problem and after a brief browsing couldn't find a solution. My database is based around a booking system in a small hotel, with tables for rooms, customers and bookings. The problem I have is that I want to prevent a double booking of the same date and same room number, but am unaware of how to group this data so a group duplicate cannot be formed, e.g. Room 1 Start 11/07/05 End 18/07/05. I can prevent each individually, but obviously this is useless as the same room can appear but at a different date... Can anyone provide me with a solution? Thank you for reading, guys,

Noirenex
(Numbers of Ixinia's Ream Eternal Nexus, Eternal Xenerion)




Hello

I open a .CSV file which has dates in the Australian format (DD/MM/YYYY).

When I save the file, Excel changes the dates to the US format (MM/DD/YYYY).

Is there a way to prevent this?

Thanks
Marie-therese




Rather naive question, but there you are!

I'm entirely happy how to stop all the Exchange 2003 services when I want to shut down our Windows 2003 server.

But how do I prevent Exchange starting when I reboot the server? I've been through everything in Autoruns, but there are no clues there!

(The reason for this is that I will be trying to move all of Documents and Settings from the very full system partition to a less-full one, and want as few things started as possible...)

Thanks!




I have a problem with word saving normal.dot every time word closes
I expect the file to change every time word opens since I run various AutoExec macros for customised toolbars
I have tried using different codes to prevent it happening and close without saving
Examples:

'Sub FileExit()
'NormalTemplate.Saved = True
'Application.Quit
'End Sub

'Public Sub Autoexit()
'If NormalTemplate.Saved = False Then
'NormalTemplate.Saved = True
'Else
'End If
'End Sub

The codes do run; I can see them using a stop command, and they all appear to step through correctly, but Word still insists on saving as soon as it executes the "End Sub" command

Am I doing something wrong in the codes?
Thanks
Mike




Each time I startup the pc, I get this notice from the windows firewall that the java updater needs superuser permission to do the check for the latest version.
That is so irritating.

Why would it need superuser access just to make an online call to check for a new version?

How do I avoid those irritating notifications? (without uninstalling Java)

Where is the whitelist for the windows firewall?
(I know that has been asked a lot on this forum without any answer)




I may well be onto a loser here, but anyway. Some web sites seem to produce an annoying, additional, usually smaller, window other than the one you are looking at. Since these are almost always advertising and unwanted, is there any way to prevent their appearance?




yo,

I was wondering if there is any configuration/setting somewhere where you can change whether programs/windows are always on top or not. To clarify:

Let's say I open my browser, Firefox. Then I open a notepad. If I now minimize Firefox and then maximize my notepad, Firefox automatically opens in the background. How to prevent this? I want to see my desktop while having e.g. a smaller window, such as notepad, open and NOT a fullscreen Firefox in the background.

I'm quite certain this is changeable somewhere, just don't know where




Original release date: March 29, 2013
Systems Affected

Domain Name System (DNS) servers
Overview

A Domain Name Server (DNS) Amplification attack is a popular form of Distributed Denial of Service (DDoS) that relies on the use of publicly accessible open recursive DNS servers to overwhelm a victim system with DNS response traffic.
Description

A Domain Name Server (DNS) Amplification attack is a popular form of Distributed Denial of Service (DDoS) that relies on the use of publicly accessible open recursive DNS servers to overwhelm a victim system with DNS response traffic. The basic attack technique consists of an attacker sending a DNS name lookup request to an open recursive DNS server with the source address spoofed to be the victim's address. When the DNS server sends the DNS record response, it is sent instead to the victim. Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim. By leveraging a botnet to perform additional spoofed DNS queries, an attacker can produce an overwhelming amount of traffic with little effort. Additionally, because the responses are legitimate data coming from valid servers, it is especially difficult to block these types of attacks.

While the attacks are difficult to prevent, network operators can implement several possible mitigation strategies. The primary element in the attack that is the focus of an effective long-term solution is the detection and elimination of open recursive DNS resolvers. These systems are typically legitimate DNS servers that have been improperly configured to respond to recursive queries on behalf of any system, rather than restricting recursive responses only to requests from local or authorized clients. By identifying these systems, an organization or network operator can reduce the number of potential resources that the attacker can employ in an attack.
Impact

A misconfigured Domain Name System (DNS) server can be exploited to participate in a Distributed Denial of Service (DDoS) attack.
Solution

DETECTION

Several organizations offer free, web-based scanning tools that will search a network for vulnerable open DNS resolvers. These tools will scan entire network ranges and list the address of any identified open resolvers.

Open DNS Resolver Project
http://openresolverproject.org
The Open DNS Resolver Project has compiled a list of DNS servers that are known to serve as globally accessible open resolvers. The query interface allows network administrators to enter IP ranges in CIDR format [1].

The Measurement Factory
http://dns.measurement-factory.com
Like the Open DNS Resolver Project, the Measurement Factory maintains a list of Internet accessible DNS servers and allows administrators to search for open recursive resolvers [2]. In addition, the Measurement Factory offers a free tool to directly test an individual DNS resolver to determine if it allows open recursion. This will allow an administrator to determine if configuration changes are necessary and verify that configuration changes have been effective [3]. Finally, the site offers statistics showing the number of open resolvers detected on the various Autonomous System (AS) networks, sorted by the highest number found [4].

DNSInspect
http://www.dnsinspect.com
Another freely available, web-based tool for testing DNS resolvers is DNSInspect. This site is similar to The Measurement Factory's ability to test a specific resolver for vulnerability, but offers the ability to test an entire DNS Zone for several other potential configuration and security issues [5].
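What a single-resolver test of this kind looks at, as an added Python example (not code from the alert or from any of the tools named above): a query is sent with the Recursion Desired bit set, and the reply header shows whether the server recursed. The `probe` helper, the default name `example.com` and the result strings are assumptions of this example; point it only at a server you operate, from an address outside its intended client range.

```python
import socket
import struct

QR, RD, RA = 0x8000, 0x0100, 0x0080   # header flag bits (RFC 1035, section 4.1.1)
REFUSED = 5                           # RCODE 5


def build_query(name, txid):
    """DNS A/IN query for `name` with the Recursion Desired (RD) bit set."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def classify_response(data, txid):
    """Decide from the 12-byte DNS header whether the server recursed for us.

    Only meaningful when the queried name is one the server is NOT
    authoritative for; otherwise an answer proves nothing about recursion.
    """
    if len(data) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & QR:
        return "malformed"
    rcode = flags & 0x000F
    if rcode == REFUSED:
        return "closed: query refused"
    if not flags & RA:
        return "closed: recursion not available"
    if rcode == 0 and ancount > 0:
        return "open: recursive answer returned"
    return "recursion available, no answer (rcode %d)" % rcode


def probe(server_ip, name="example.com", txid=0x5A5A, timeout=3.0):
    """Send one query to your own server and classify the reply (hypothetical helper)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server_ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "closed: no response"
    return classify_response(data, txid)


# Constructed reply headers for offline checking (not captured traffic).
OPEN_REPLY = struct.pack("!HHHHHH", 0x5A5A, QR | RD | RA, 1, 1, 0, 0)
REFUSED_REPLY = struct.pack("!HHHHHH", 0x5A5A, QR | RD | REFUSED, 1, 0, 0, 0)
NO_RECURSION_REPLY = struct.pack("!HHHHHH", 0x5A5A, QR | RD, 1, 0, 0, 0)

if __name__ == "__main__":
    for reply in (OPEN_REPLY, REFUSED_REPLY, NO_RECURSION_REPLY):
        print(classify_response(reply, 0x5A5A))
```

After a configuration change, a result of "closed" from an outside address together with a normal answer from an inside client confirms the change took effect.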
Indicators

In a typical recursive DNS query, a client sends a query request to a local DNS server requesting the resolution of a name or the reverse resolution of an IP address. The DNS server performs the necessary queries on behalf of the client and returns a response packet with the requested information or an error [6, page 21]. The specification does not allow for unsolicited responses. In a DNS amplification attack, the key indicator is a query response without a matching request.
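The indicator described above, a response with no matching request, written as detection logic in an added Python example (not code from the alert). The `Pkt` record layout, the 5-second query lifetime and the threshold of three are assumptions of this example, and the sample packets are constructed.

```python
from collections import defaultdict, namedtuple

# One DNS-over-UDP packet as a capture point would summarise it.
# The record layout is an assumption of this example, not a standard format.
Pkt = namedtuple("Pkt", "ts src sport dst dport txid is_response size")


def find_unsolicited(packets, query_ttl=5.0):
    """Group DNS responses that no earlier query accounts for, by destination.

    The capture point must see both directions of traffic; a sensor that only
    sees inbound packets would report every response as unsolicited.
    """
    outstanding = {}  # (client, client_port, server, txid) -> time query was seen
    hits = defaultdict(lambda: {"count": 0, "bytes": 0, "sources": set()})
    for p in sorted(packets, key=lambda p: p.ts):
        if not p.is_response:
            outstanding[(p.src, p.sport, p.dst, p.txid)] = p.ts
            continue
        asked = outstanding.pop((p.dst, p.dport, p.src, p.txid), None)
        if asked is not None and p.ts - asked <= query_ttl:
            continue  # ordinary reply to a query we saw go out
        hit = hits[p.dst]
        hit["count"] += 1
        hit["bytes"] += p.size
        hit["sources"].add(p.src)
    return dict(hits)


def likely_targets(hits, min_count=3):
    """Destinations with enough unsolicited responses to rule out stray late replies."""
    return sorted(ip for ip, h in hits.items() if h["count"] >= min_count)


# Constructed sample traffic (documentation address ranges, made-up sizes).
SAMPLE = [
    Pkt(0.00, "192.0.2.10", 40001, "198.51.100.53", 53, 0x1A2B, False, 64),
    Pkt(0.03, "198.51.100.53", 53, "192.0.2.10", 40001, 0x1A2B, True, 120),
    # Three large responses that 192.0.2.10 never asked for.
    Pkt(1.00, "203.0.113.5", 53, "192.0.2.10", 31337, 0x7777, True, 3100),
    Pkt(1.01, "203.0.113.6", 53, "192.0.2.10", 31337, 0x7777, True, 3100),
    Pkt(1.02, "203.0.113.5", 53, "192.0.2.10", 31337, 0x7778, True, 3100),
    # A genuine reply that arrives after the query has expired.
    Pkt(2.00, "192.0.2.20", 40500, "198.51.100.53", 53, 0x0042, False, 60),
    Pkt(9.00, "198.51.100.53", 53, "192.0.2.20", 40500, 0x0042, True, 110),
]

if __name__ == "__main__":
    found = find_unsolicited(SAMPLE)
    for ip in likely_targets(found):
        h = found[ip]
        print(ip, h["count"], "responses,", h["bytes"], "bytes from", sorted(h["sources"]))
```

The single late reply to 192.0.2.20 is recorded but stays below the threshold, which is why the count matters as much as the match itself.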
MITIGATION

Unfortunately, due to the overwhelming traffic volume that can be produced by one of these attacks, there is often little that the victim can do to counter a large-scale, DNS amplification-based distributed denial-of-service attack. While the only effective means of eliminating this type of attack is to eliminate open recursive resolvers, this requires a large-scale effort by numerous parties. According to the Open DNS Resolver Project, of the 27 million known DNS resolvers on the Internet, approximately 25 million pose a significant threat of being used in an attack [1]. However, several possible techniques are available to reduce the overall effectiveness of such attacks to the Internet community as a whole. Where possible, configuration links have been provided to assist administrators with making the recommended changes. The configuration information has been limited to BIND9 and Microsoft's DNS Server, which are two widely deployed DNS servers. If you are running a different DNS server, please see your vendor's documentation for configuration details.
Source IP Verification

Because the DNS queries being sent by the attacker-controlled clients must have a source address spoofed to appear as the victim's system, the first step to reducing the effectiveness of DNS amplification is for Internet Service Providers to deny any DNS traffic with spoofed addresses. The Network Working Group of the Internet Engineering Task Force released a Best Current Practice document in May 2000 that describes how an Internet Service Provider can filter network traffic on their network to drop packets with source addresses not reachable via the actual packet's path [7]. This configuration change would considerably reduce the potential for most current types of DDoS attacks.
Disabling Recursion on Authoritative Name Servers

Many of the DNS servers currently deployed on the Internet are exclusively intended to provide name resolution for a single domain. These systems do not need to support resolution of other domains on behalf of a client, and therefore should be configured with recursion disabled.
Bind9

Add the following to the global options [8]:
options {
    allow-query-cache { none; };
    recursion no;
};
Microsoft DNS Server

In the Microsoft DNS console tool [9]:

1. Right-click the DNS server and click Properties.
2. Click the Advanced tab.
3. In Server options, select the Disable recursion check box, and then click OK.
Limiting Recursion to Authorized Clients

For DNS servers that are deployed within an organization or ISP to support name queries on behalf of a client, the resolver should be configured to only allow queries on behalf of authorized clients. These requests should typically only come from clients within the organization's network address range.
BIND9

In the global options, add the following [10]:
acl corpnets { 192.168.1.0/24; 192.168.2.0/24; };
options {
    allow-query { corpnets; };
    allow-recursion { corpnets; };
};
Microsoft DNS Server

It is not currently possible to restrict recursive DNS requests to a specific client address range in Microsoft DNS Server. The most effective means of approximating this functionality is to configure the internal DNS server to forward queries to an external DNS server and restrict DNS traffic in the firewall to restrict port 53 UDP traffic to the internal server and the external forwarder [11].
Rate Limiting Response of Recursive Name Servers

There is currently an experimental feature available as a set of patches for BIND9 that allows an administrator to restrict the number of responses per second being sent from the name server [12]. This is intended to reduce the effectiveness of DNS amplification attacks by reducing the volume of traffic coming from any single resolver.
BIND9

On a BIND9 implementation running the RRL patches, add the following lines to the options block of the authoritative views [13]:
rate-limit {
    responses-per-second 5;
    window 5;
};
Microsoft DNS Server

This option is currently not available for Microsoft DNS Server.
References

[1] Open DNS Resolver Project
[2] The Measurement Factory, "List Open Resolvers on Your Network"
[3] The Measurement Factory, "Open Resolver Test"
[4] The Measurement Factory, "Open Resolvers for Each Autonomous System"
[5] "DNSInspect," DNSInspect.com
[6] RFC 1034: DOMAIN NAMES - CONCEPTS AND FACILITIES
[7] BCP 38: Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing
[8] Chapter 3. Name Server Configuration
[9] Disable recursion on the DNS server
[10] Chapter 7. BIND 9 Security Considerations
[11] Configure a DNS Server to Use Forwarders
[12] DNS Response Rate Limiting (DNS RRL)
[13] Response Rate Limiting in the Domain Name System (DNS RRL)
Revision History

March 29, 2013: Initial release

Syndicated from the United States Security Readiness Team (US-CERT). More...




I must have made an error upon set-up. Every time I connect a smart phone or tablet, a "windows explorer" window opens, showing the files on the device. I'd like to have the system just do nothing when I connect, but I can not seem to find out how to manage that option. I imagine it would be easy, if I could find it.

Thanks for your help.




How do I have 2 separate windows open in Windows 7 using Firefox? I am sure I have read this somewhere, as it would be a good addition to use. Can it be done, and if yes, how do you do it?




When I open the Lid on this Toshiba L675-OOX Laptop, everything pops up out of sleep the way it should.
When I run it on Battery power, I can lift the Lid but it will not come out of Sleep. If I move the mouse, it does.
Can someone point out to me how to fix this so that when I lift the Lid on Battery Power, it will automatically come out of Sleep. Thanks in advance.

(Windows 7 Home Premium)




I don't know how Speedbit got into my computer but it keeps hijacking both my homepage and default search engine. This is not a browser issue though, the filth is in my System folders (I run Win 7 Ultimate x64, but this is in the x86 segment).

First, of course, I tried to uninstall it, but, of course, there was no uninstaller file in its folder. Nor could I find anything related among the installed programs either with Windows Control Panel or a specific program called Your Uninstaller.

Then, I deleted what I could but two files in C:\Program Files (x86)\Common Files\Speedpit\SBUpdate, viz. SBupd.dll and SBUpdate.exe resisted all attempts for being open in SBUpdate Module. I checked both the Task Manager and the Startup Manager, but couldn't find anything like this running.

I also tried to delete these files with Norton and Total Commanders, hoping that they would offer to close this ghost program (or module, or whatever) if I insist but they did not.

What is this SBUpdate Module, where is it, and most importantly how to exterminate it?
Also, is there any way to prevent such attacks in the future?

Thanks a lot.




I have a problem: whenever I open Internet Explorer or WordPad, it pops to the right-hand side of the screen and I cannot bring it out. How do I fix this problem?




Among the new features of Windows 7 is Snap (or Smart Window Arrangement), which lets the end user move a window toward the top of the screen to maximize it automatically, or drag the window to the edges of the screen to resize and expand it vertically.

Snap is designed as a convenient and smart function to manage and arrange the windows on the desktop effectively, including the ability to position windows side by side. But some people may find the feature so smart that it becomes inconvenient. In this case, it’s possible to disable or turn off Snap so that windows are not automatically arranged when moved to the edge of the screen.

Disable and Turn Off Windows 7 Snap Smart Window Arrangement

1. Run Registry Editor (RegEdit).
2. Navigate to the following registry key:

HKEY_CURRENT_USER\Control Panel\Desktop
3. In the right-pane, double click (or right click and select Modify) on WindowArrangementActive, and set its REG_SZ value to 0.
4. Close Registry Editor.
5. Log off and log on again, or restart computer for the change to take effect.

Alternatively, download the following registry registration file to merge the value directly:
http://depositfiles.com/en/files/6xijsrl02.
Simply double click the Disable-Windows-7-Snap.reg to prevent window from snapping.

If you like Snap automatically arranging windows when they are moved to the top, left or right edge of the screen, but the feature is not working or has been disabled (Snap is enabled by default on Windows 7), use the following steps to enable and turn on the Snap arrange window feature manually.

Enable and Turn On Windows 7 Snap Smart Window Arrangement

1. Run Registry Editor (RegEdit).
2. Navigate to the following registry key:

HKEY_CURRENT_USER\Control Panel\Desktop
3. In the right-pane, double click (or right click and select Modify) on WindowArrangementActive, and set its REG_SZ value to 1.
4. Close Registry Editor.
5. Log off and log on again, or restart computer for the change to take effect.

Alternatively, download the following registry registration file to merge the value directly: Enable-Windows-7-Snap.reg. Simply double click the Enable-Windows-7-Snap.reg to allow Snap to automatically maximize, restore, and arrange window when moved to edge of screen.

It’s also possible to enable or disable Snap Window Arrangement feature through Windows 7 GUI desktop, specifically through the Ease Of Access Center.

1. Open the Control Panel.
2. In “Large Icons” or “Small Icons” view, click on the Ease of Access Center icon. Then, click on the Make the mouse easier to use link.

In “Category” view, go to Ease of Access, and then click the Change how your mouse works link.
3. Under the “Make it easier to manage windows” section, tick the check box for the Prevent windows from being automatically arranged when moved to the edge of the screen option to turn off and disable Snap.

To enable and turn on Snap, untick the check box for Prevent windows from being automatically arranged when moved to the edge of the screen.
4. Click on OK.
5. Close the Ease of Access Center window. The change takes effect immediately without the need to restart or logout.




I have a form with Border Style = Sizable, Modal = No

Sometimes I open a form as follows:

DoCmd.OpenForm strDocName, acNormal, , , , acDialog, Me.Name

When I'm inside the open form, how can I, in code, test to see that the form was opened with acDialog as opposed to acWindowNormal (default)?

Thanks, John




Is there any way to *prevent* the automatic updating of fields on opening a document, other than switching off the auto update on open option in Tools, Options?

I have a couple of templates that pick up values from Excel spreadsheets, which work fine, but the thing is that when the template runs, the first thing it does is update the fields in the template, so when the user goes to save their document Word asks if they want to save the changes to the template, too.

They can't do so (they're all read only) but it's a nuisance and causes confusion at all levels!

I don't want to switch off the Tools Option to auto update because this will stop any others updating and this is used quite extensively elsewhere - it's only when it's in a template it becomes a nuisance!

Many thanks in advance!