OpenBCM V1.07b12 (Linux)

Packet Radio Mailbox

SR1BSZ

[Szczecin_PL JO73GK]

 Login: GUEST





  
VE4KLM > JNOS     20.03.21 21:01z 53 Lines 1924 Bytes #999 (0) @ WW
BID : A0DAC_VE4KLM
Read: GUEST
Subj: malformed DNS packets, NOS crashing, and a first fix ..
Path: SR1BSZ<SR8BBS<OK0NBR<OK2PEN<VE3CGR<K5DAT<N2NOV<VE4KLM
Sent: 210320/2039z @:VE4KLM.#WPG.MB.CAN.NOAM [Winnipeg] $:A0DAC_VE4KLM

>From ve4klm%ve4klm.#wpg.mb.can.noam@n2nov.ampr.org Sat Mar 20 16:40:39 2021
Received: from n2nov.ampr.org by n2nov.ampr.org (JNOS2.0m.5F) with SMTP
	id AA201951 ; Sat, 20 Mar 2021 16:40:39 EDT
Message-Id: <A0DAC_VE4KLM@ve4klm.bbs>
>From: ve4klm@ve4klm.#wpg.mb.can.noam
X-JNOS-User-Port: Uplink   (VE4KLM on port axipv)  -> Sending message

Good day,

What I originally thought was DNS attacks, seem to be more a case of 
JNOS querying
some DNS server, and getting a malformed response, looks like it 
anyways. Thanks to
Jean for the PI time and allowing me access, and Janusz for his gdb 
reports and such.

It does happen, sometimes it suggests networking issues or other 
factors, I'm not an
expert on what causes malformed responses, outside of malicious activity 
... so at the
same time if you see 'malformed dns packet' it doesn't mean the firewall 
should come
out right away ? any experts out there to add to this or correct my 
train of thought ?

I have a patch (technically very simple, checking qdcount for starters) 
that should be a
big help in stopping JNOS from crashing on most malformed DNS packets. I 
suspect
the reports I hear from time to time about JNOS crashing all the time, 
could very well
be because of this DNS issue. Seems to be more prevalent these days I hear.

You can rsync (if you already do) or you can download specific patch below :

    https://www.langelaar.net/jnos2/januszDNSfix.tar

It contains domhdr.c, domain.[ch], most of those have not changed for 
eons, so you can
probably work them into any version of JNOS from the past few years or 
so. Make sure,
and do a diff just to be on the safe side. I have also improved the 
error logging for some
of the DNS packet functions. If you get a malformed packet, logfile will 
now say so, and
you should see the IP address of the server in question.

This is the first fix, I'm sure it will get refined over time.

Maiko / VE4KLM




Read previous mail | Read next mail

 29.04.2024 02:11:38zGo back Go up