dns cache poisoning and "slutty" isp recursors
in light of the recently-discussed vulnerability (details of which are now public) and the exploit now available, do any of the affected ISPs think it might be prudent to stop letting the whole Internet recurse through their recursive nameservers?
testing from an IP in the USA, I was able to make recursive queries at six major NZ ISPs, and there are no doubt more. I won't bother naming, it's trivial for anyone to figure it out for themselves, and the affected ISPs (should) know who they are.
answering recursive queries from anywhere removes the need to get a client on the ISP's network to look up names for you in order to poison the cache of the recursor...
-jasper
On 24/07/2008, at 9:33 PM, Jasper Bryant-Greene wrote:
> testing from an IP in the USA, I was able to make recursive queries at six major NZ ISPs, and there are no doubt more. I won't bother naming, it's trivial for anyone to figure it out for themselves, and the affected ISPs (should) know who they are.
It's so tempting to name and shame, but someone talked me out of it. :)
Run this command:
dig +short porttest.dns-oarc.net txt
If it says "POOR" then you or your ISP needs to update DNS servers. If you want to test another server then try:
dig +short @ns1.someisp.net.nz porttest.dns-oarc.net txt
There is an exploit out there:
"US-CERT is aware of publicly available exploit code for a cache poisoning vulnerability in common DNS implementations. Exploitation of this vulnerability may allow an attacker to cause a nameserver's clients to contact the incorrect, and possibly malicious hosts for particular services. As a result, web traffic, email and other important network data could be redirected to systems under the attacker's control"
http://www.us-cert.gov/current/index.html#dns_cache_poisoning_public_exploit
Anyone else wishing NZ had our own CERT right now?
Sam.
Is that not what the CCIP is supposed to do?
Cheers
Paul
Paul Brislen
External Communications Manager
Vodafone New Zealand
021 721 337
-----Original Message-----
From: Dean Pemberton [mailto:nznog(a)deanpemberton.com]
Sent: Friday, 25 July 2008 1:17 p.m.
To: nznog(a)list.waikato.ac.nz
Subject: Re: [nznog] dns cache poisoning and "slutty" isp recursors
> Anyone else wishing NZ had our own CERT right now?
No
_______________________________________________
NZNOG mailing list
NZNOG(a)list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog
-----------------------------------------------------------------------------------------------
Unless otherwise stated, any views or opinions expressed are solely those of the author and do not represent those of Vodafone New Zealand Limited.
2008/7/25 Brislen, Paul, VF-NZ
> Is that not what the CCIP is supposed to do?
Yes, the scope of the CCIP and any NZ CERT that may be formed would be hugely overlapping, and rather wasteful of resources if they were ever to be created as separate organisations.
> Cheers
> Paul
Cheers, neil
On 25/07/2008, at 1:23 PM, Neil Fenemor wrote:
> Yes, the scope of the CCIP and any NZ CERT that may be formed would be hugely overlapping, and rather wasteful of resources if they were ever to be created as separate organisations.
I didn't think CCIP were interested in consumer ISPs. Happy to be told otherwise.
I agree there would be huge overlaps but a CERT would have a much wider audience.
Sam.
Paul,
Not exactly.
http://www.ccip.govt.nz/about-ccip/background.html
http://www.ccip.govt.nz/about-ccip/what-is-cni.html
NZ's Critical Infrastructure as defined by CCIP may have some overlap with what a CERT generally does, but it's not the same thing and it's probably important to note the differences.
Mark.
On Fri, 25 Jul 2008, Brislen, Paul, VF-NZ wrote:
> Is that not what the CCIP is supposed to do?
Mark and all,
It wouldn't hurt and would be in many ways helpful that such DNS Cache poisoning or other security related problems be shared with US-CERT.GOV so that coordination with relevant law enforcement agencies can occur more smoothly and effectively.
Mark Foster wrote:
> Paul,
> Not exactly.
> http://www.ccip.govt.nz/about-ccip/background.html
> http://www.ccip.govt.nz/about-ccip/what-is-cni.html
> NZ's Critical Infrastructure as defined by CCIP may have some overlap with what a CERT generally does, but it's not the same thing and it's probably important to note the differences.
> Mark.
Regards,
Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" - Abraham Lincoln
"Credit should go with the performance of duty and not with what is very often the accident of glory" - Theodore Roosevelt
"If the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B is less than PL." United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of Information Network Eng. INEG. INC.
ABA member in good standing member ID 01257402
E-Mail jwkckid1(a)ix.netcom.com
My Phone: 214-244-4827
I agree. People who actively want a CERT, are members of AusCERT. I don't
believe the NZ membership over there is exactly high.
2008/7/25 Dean Pemberton
> > Anyone else wishing NZ had our own CERT right now?
> No
I'll ask the same question again after something "really bad" (tm) happens.
jamie
On Fri, 2008-07-25 at 13:19 +1200, Neil Fenemor wrote:
> I agree. People who actively want a CERT, are members of AusCERT. I don't believe the NZ membership over there is exactly high.
> 2008/7/25 Dean Pemberton:
> > > Anyone else wishing NZ had our own CERT right now?
> > No
2008/7/25 Jamie Baddeley
> I'll ask the same question again after something "really bad" (tm) happens.
What value will a NZ CERT provide over 'the CERT'?
I am with Neil on this, what I have seen of AusCERT is it is a delayed mimic of CERT (comments welcome on if it does more etc).
But hey if the industry wants to create and fund it nothing stopping it from happening ...
--
Steven Heath
Director
Foxbane Consulting
Cell: +64 21 706-067
Interested in Coworking in Wellington? Check out www.TheDen.net.nz
On 25/07/2008, at 11:00 AM, Steven Heath wrote:
> I am with Neil on this, what I have seen of AusCERT is it is a delayed mimic of CERT (comments welcome on if it does more etc).
It does do more. Its member services include training and consulting, and it runs "beacons" monitoring botnets so that it can tell you which IP addresses on your network are sufficiently malware-infected to annoy the rest of the Internet.
They're also seen by the local press and the gubbermint as the go-to guys for security issues, which makes it a bit more likely that sensible clue will be inserted into some of the weirder, freakier public debates that often accompany infosec problems.
- mark
--
Mark Newton  Email: newton(a)internode.com.au (W)
Network Engineer  Email: newton(a)atdot.dotat.org (H)
Internode Systems Pty Ltd  Desk: +61-8-82282999
"Network Man" - Anagram of "Mark Newton"  Mobile: +61-416-202-223
Is this still valid with the new information that has come out?
All ours appear to be OK currently, using this method, but is this OK with new exploit?
On Fri, 2008-07-25 at 12:19 +1200, Sam Sargeant wrote:
> On 24/07/2008, at 9:33 PM, Jasper Bryant-Greene wrote:
> > testing from an IP in the USA, I was able to make recursive queries at six major NZ ISPs, and there are no doubt more. I won't bother naming, it's trivial for anyone to figure it out for themselves, and the affected ISPs (should) know who they are.
> It's so tempting to name and shame, but someone talked me out of it. :)
> Run this command:
> dig +short porttest.dns-oarc.net txt
> If it says "POOR" then you or your ISP needs to update DNS servers. If you want to test another server then try:
> dig +short @ns1.someisp.net.nz porttest.dns-oarc.net txt
> There is an exploit out there:
> "US-CERT is aware of publicly available exploit code for a cache poisoning vulnerability in common DNS implementations. Exploitation of this vulnerability may allow an attacker to cause a nameserver's clients to contact the incorrect, and possibly malicious hosts for particular services. As a result, web traffic, email and other important network data could be redirected to systems under the attacker's control"
> http://www.us-cert.gov/current/index.html#dns_cache_poisoning_public_exploit
> Anyone else wishing NZ had our own CERT right now?
> Sam.
On Fri, 2008-08-08 at 10:25 +1200, Chris Hodgetts wrote:
> Is this still valid with the new information that has come out?
> All ours appear to be OK currently, using this method, but is this OK with new exploit ?
As far as I'm aware, the most recent development was just Dan's presentation about how more than just the Web is affected (which should probably have been obvious...)
IIRC, there was a second exploit released shortly after the first, a while back, but it targets the same vulnerability and is thus tested by the same test and mitigated by the same patch.
If I'm missing something, could you post a link?
Cheers
Jasper
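
The two checks this thread discusses, whether a recursor answers recursive queries for outside clients and what the porttest rating is, as an added shell example (not part of any poster's message). The function names, the constructed sample dig output, the assumed `<ip> is <RATING>:` answer shape and the example.com query name are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit your OWN recursors for the two weaknesses in this thread.
# All sample dig output below is constructed for illustration (203.0.113.x is a
# documentation address range).

# Pull the rating word out of a porttest TXT answer. Assumed answer shape:
# "<resolver-ip> is <RATING>: ..."; the thread only says it may read "POOR".
porttest_rating() {
    printf '%s\n' "$1" | sed -n 's/.* is \([A-Z][A-Z]*\):.*/\1/p' | head -n 1
}

# Succeeds when full dig output shows the "ra" (recursion available) header
# flag, i.e. the server was willing to recurse for the client that asked.
answers_recursively() {
    printf '%s\n' "$1" | grep -Eq '^;; flags:[^;]* ra[ ;]'
}

# Live check (needs dig and network access; not run by the demo below).
# Run it from a host OUTSIDE your customer address ranges.
audit_resolver() {
    rating=$(porttest_rating "$(dig +short "@$1" porttest.dns-oarc.net txt)")
    if answers_recursively "$(dig "@$1" example.com a)"; then open=yes; else open=no; fi
    echo "$1 port-randomisation=${rating:-unknown} recurses-for-outsiders=$open"
}

# Constructed sample answers and headers.
SAMPLE_POOR='"203.0.113.5 is POOR: 26 queries in 4.4 seconds from 1 ports with std dev 0"'
SAMPLE_GREAT='"203.0.113.9 is GREAT: 26 queries in 2.1 seconds from 26 ports with std dev 17685"'
SAMPLE_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_CLOSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

for s in "$SAMPLE_POOR" "$SAMPLE_GREAT"; do
    echo "porttest rating: $(porttest_rating "$s")"
done
for s in "$SAMPLE_OPEN" "$SAMPLE_CLOSED"; do
    if answers_recursively "$s"; then echo "recursion offered"; else echo "recursion refused"; fi
done
```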
participants (12)
- Brislen, Paul, VF-NZ
- Chris Hodgetts
- Dean Pemberton
- Jamie Baddeley
- Jasper Bryant-Greene
- Jasper Bryant-Greene
- Jeffrey A. Williams
- Mark Foster
- Mark Newton
- Neil Fenemor
- Sam Sargeant
- Steven Heath