We released security bulletin MS08-020 two months ago to improve the DNS transaction ID entropy. You can read more about the MS08-020 algorithm change in this blog entry. Increasing the entropy makes it more difficult for attackers to spoof DNS replies. Today, we released MS08-037 to further increase the difficulty of spoofing DNS transactions. We modified the DNS client and server resolvers to send requests from a random source port. Previously, an attacker would need to only guess the correct transaction ID. After applying MS08-037, an attacker will need to guess both the transaction ID and source port in order to successfully spoof a DNS reply. In short, randomized source ports for DNS transactions adds another unique piece of information to DNS transactions, which makes spoofing more difficult.
The default size of the randomized socket pool on Win2k3 and down-level platforms is 2500 ports which is configurable by modifying the registry value:
HKLM\System\CurrentControlSet\Services\DNS\Parameters\SocketPoolSize
Another notable registry value is
HKLM\CurrentControlset\services\tcpip\parameters\MaxUserPort
Refer to http://technet2.microsoft.com/windowsserver/en/library/730fb465-d402-4853-bacc-16ba78e9fcc01033.mspx?mfr=true for more information on MaxUserPort. On Win2k3, MaxUserPort is defined as the maximum port up to which ports may be allocated for wildcard binds. Basically, MaxUserPort, if set, defines the dynamic port range. It should also be noted that the MaxUserPort value has a different meaning in Vista and Win2k3. In Win2k3, MaxUserPort, if set, defines the dynamic port range (it starts from 1024 to MaxUserPort). In Vista, MaxUserPort, if set, signifies the number of dynamic ports, so the range is from StartRange (whatever has been configured, default is 49k) to StartRange+MaxUserPort. Refer to: http://support.microsoft.com/kb/929851.
To summarize, the fixed behavior on Win2k3 and down-level platforms after installing the patch are:
- If MaxUserPort is set, then allocate ports randomly from 1024-MaxUserPort
- If MaxUserPort is not set, then the ports will be allocated randomly from the 49152-65535 range.
The default port pool was chosen to pull random ports within a range consistent with BSD heritage where many systems have safely allocated ports dynamically from that range. Doing so outside of that range has a small chance of introducing network failure, but in most cases won’t cause problems. If you would like to add more entropy, you can grow the port limit by modifying the MaxUserPort and related registry keys.
- Security Vulnerability Research & Defense Bloggers
*Postings are provided “AS IS” with no warranties, and confers no rights.*