Scatter Chart Gallery
Samples of worrisome nameserver scatter charts

The following nameserver scatter charts were provided to us by the early testers of this system. They were generated from the queries of actual, worrisome nameservers that were not doing the best job possible to protect the users who depend upon the accuracy (and non-spoofability) of their results.

You may click any of the reduced-size charts to see the full-size original.

A sample of two very good chart pairs with important notes:

(Image: good chart pair, low-density sample)    (Image: good chart pair, high-density sample)

A Sampling of disappointing scatter charts:

Gee . . . do you see any “pattern” over there on the left? And look at the left chart's Bit Predictability bars: eleven of them are pinned at 100%. That's quite predictable. Each chart in a pair (left and right) always records the same number of query samples, so you can see that all those dots on the left chart have been squeezed into a single very restricted range of port numbers. They are not all the same single port number, otherwise all 16 of the port's bits would be 100% predictable. But with eleven of the sixteen bits pinned, the five remaining bits could produce at most 32 distinct ports (2 to the 5th), and from the chart it appears that only about sixteen different ports are actually in use. So an attacker stumbling upon one of those ports by guessing, or just trying the same one over and over and waiting for a “hit”, would be entirely feasible. And the "Port Analysis" chart is not very happy either. It shows three ratings of "Very Bad", which is the worst rating possible. If this were the DNS server that my ISP was offering me, I would be looking elsewhere for resolution of my network's domain names.
Here we have a less awful version of the preceding example. As can be seen from the density of the dots on the right, we received a large number of queries from this nameserver during the course of the spoofability testing. The left chart shows that all of those dots have been squeezed into a “band” of ports occupying a central region of the possible port range. The Bit Predictability chart also shows, as would be expected, a correspondingly heightened predictability for the most significant bits of the port. The left chart's Port Analysis, while not as bad as the extreme example above, shows only "Moderate" and "Good" ratings for the port selection. While an attacker's chance of stumbling upon a matching port is much lower here than in the example above, this remains less than ideal.
This sample is a close relative of the preceding one. Once again we see a restricted range of ports, but this time they are high-numbered, clustered at the high end of the possible port range. The Bit Predictability chart shows that the two high-order bits are guaranteed to be 1's (which by itself confines every port to the top quarter of the range, 49152 through 65535) while the next three have a slight tendency to be so. Since this restricted port range occupies approximately one quarter of the entire possible range, an attacker who was aware of this and designed a spoofing attack accordingly would have four times the chance of hitting a matching port number than if the nameserver's query ports were spread out over the entire 16-bit port range of 65,536 values.
In case you were starting to get bored, here's one fresh off the wacky farm. As usual, the transaction IDs shown in the right chart are wonderfully random. No one seems to have any trouble with that. But you sure can't say the same for this nameserver's query ports. Checkers anyone? Since the charts represent a time line flowing from left to right, it appears that at any given time the nameserver is emitting queries from two to four restricted ranges of ports. It's also worth noting that this is an instance where the Bit Predictability chart is somewhat misleading, since it computes the bit predictability taking the entire chart as a whole. But in the case of this wacky nameserver, at any moment in time the "short term" predictability is significantly greater. Like the two samples of port-restricted bands above, this is certainly less random and therefore more predictable. But to take advantage of this an attacker would need to tune an attack tool to this server's immediate port range(s), which seems unlikely, though an attacker who can get the nameserver to query a domain the attacker controls would see the current ranges exactly as this test does.
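The per-bit predictability the charts display, and the difference between whole-chart and short-term predictability just described, can be reproduced directly from a list of observed query source ports. The following is an added example written for this page, not code from GRC's test; its three port sequences are constructed to mimic the chart shapes discussed above (a handful of ports with eleven pinned bits, a top-quarter band, and a time-varying "checkerboard") and are not captures from any real nameserver.

```python
"""Per-bit predictability of DNS query source ports, whole-chart and short-term.

Added example, not code from GRC's test pages. The three port sequences below are
constructed to mimic the chart shapes discussed on the page; they are not captures
from any real nameserver.
"""
import random

PORT_BITS = 16


def bit_predictability(ports, bits=PORT_BITS):
    """For each bit, MSB first, the fraction of samples in which that bit takes
    its majority value: 0.5 is a fair coin, 1.0 is a pinned (fully predictable) bit."""
    n = len(ports)
    out = []
    for b in range(bits - 1, -1, -1):
        ones = sum((p >> b) & 1 for p in ports)
        out.append(max(ones, n - ones) / n)
    return out


def pinned_bits(ports):
    """Number of bits that never change across the whole sample."""
    return sum(1 for p in bit_predictability(ports) if p == 1.0)


def max_possible_ports(ports):
    """Upper bound on distinct ports implied by the pinned bits alone.  The actual
    count, len(set(ports)), can be lower when the free bits are correlated."""
    return 2 ** (PORT_BITS - pinned_bits(ports))


def short_term_pinned_bits(ports, window):
    """Pinned bits computed per consecutive window (the chart is a time line).
    Returns the worst window, which a whole-chart statistic can hide."""
    return max(pinned_bits(ports[i:i + window])
               for i in range(0, len(ports) - window + 1, window))


# --- constructed samples (not real captures) --------------------------------
rng = random.Random(2008)

# Eleven pinned bits but only sixteen distinct ports: bit 0 copies bit 4, so the
# five "free" bits are correlated and only 2**4 values ever appear.
RESTRICTED = [0x8000 | (k << 4) | (k & 1) for k in range(16)] * 50

# Top quarter of the range only: the two high-order bits are always 1.
TOP_QUARTER = [rng.randrange(0xC000, 0x10000) for _ in range(1000)]

# Checkerboard: every 200 queries the server switches to a different pair of
# 4096-port bands (top four bits taken from the pairs below, low 12 bits random).
BAND_PAIRS = [(0x0, 0x9), (0x3, 0xA), (0x5, 0xC), (0x6, 0xF)]
CHECKERBOARD = [(rng.choice(pair) << 12) | rng.randrange(0x1000)
                for pair in BAND_PAIRS for _ in range(200)]

if __name__ == "__main__":
    for name, ports in (("restricted", RESTRICTED), ("top quarter", TOP_QUARTER),
                        ("checkerboard", CHECKERBOARD)):
        print(f"{name:12s} distinct={len(set(ports)):5d} "
              f"pinned bits={pinned_bits(ports):2d} "
              f"max possible={max_possible_ports(ports):5d} "
              f"short-term pinned (200)={short_term_pinned_bits(ports, 200)}")
```

Run it and the checkerboard sample reports zero pinned bits over the whole chart but two pinned bits in every 200-query window, which is the "short term" effect the text warns about; the restricted sample shows how eleven pinned bits bound the port set to 32 values while correlation among the free bits leaves only sixteen in use.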
This is an interesting case to test your scatter chart analysis capabilities. Think about the chart on the left before reading further . . .
The spoofability scatter charts represent a graphical time line flowing from left to right. This nameserver was initially emitting queries within a narrow range of ports occupying approximately the second quarter of the entire port range. Then, before the test was halfway completed, the nameserver began emitting queries from two different ranges, approximately the second and fourth quarters of the entire port range. And then at approximately the middle of the test the lower-quarter ports dropped out and all queries were coming only from the upper quarter of the possible port range. Being a variation on the single band and the checkerboarding we've seen before, an attacker who understood this behavior could do much better than random guessing, but in the best case (of all queries coming from a single range) the attacker would still need to guess one port in approximately 16,384 (one quarter of the entire port range), in addition to matching the 16-bit transaction ID.
You may wish to click on this chart to give it a better look. What's interesting about this chart is that our extremely pattern-sensitive human visual system readily detects something decidedly non-random about the distribution of this nameserver's query ports. Although the port numbers are jumping around throughout most of the entire port range (they never seem to get near the bottom nor all the way to the top), they appear to be jumping to somewhat predictable locations, resulting in many clumps of upward-sloping groupings. Whatever is going on here, the result is certainly not highly random, and a careful analysis of the pattern might provide a heightened spoofability for this nameserver.
You needed to see this one, just to know such nameservers exist. What this "scatter" chart shows is very little in the way of scatter. Although there are several discontinuities, what we see is a linearly increasing port number which, after it hits the maximum value, "wraps around" by returning to a low value and resuming its upward climb. Although this constantly changing port number is better than one that's entirely fixed, a motivated attacker could likely succeed in hitting the jackpot without undue trouble. The attack tool would need to continually synchronize itself with the nameserver's present port position, but doing so is entirely feasible: each query the attacker observes reveals the next port to within the increment. If your nameserver produces a chart that looks like this one, you may want to consider your alternatives.
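The synchronization the preceding paragraph describes is a small amount of arithmetic once the increment is known. The following is an added example written for this page, not code from GRC's test or from any attack tool; the "sawtooth" port sequence is constructed to resemble the chart discussed above (a port that climbs by one, wraps from the top of the range back to a low value, and has a couple of discontinuities), and the 1024 through 65535 range and the wrap target are assumptions made for the illustration.

```python
"""Spotting a sequential, wrap-around source-port allocator and predicting its next port.

Added example, not code from GRC's test pages.  The port range LO..HI and the wrap
target are assumptions; the sawtooth sequence is constructed, not captured.
"""
import random
from collections import Counter

LO, HI = 1024, 65535          # assumed ephemeral-port range of the sample server


def next_sequential(port, step=1, lo=LO, hi=HI):
    """Port a sequential allocator would use next, wrapping to `lo` after passing `hi`."""
    nxt = port + step
    return nxt if nxt <= hi else lo + (nxt - hi - 1)


def dominant_step(ports):
    """Most common difference between consecutive ports (mod 2**16) and the fraction
    of pairs showing it.  A sequential allocator gives one step (usually 1) for
    nearly every pair; a well-randomized server gives no dominant step at all."""
    diffs = Counter((b - a) % 65536 for a, b in zip(ports, ports[1:]))
    step, count = diffs.most_common(1)[0]
    return step, count / (len(ports) - 1)


def spoof_hit_rate(ports, step, lo=LO, hi=HI):
    """Fraction of queries an attacker hits by aiming each forged reply at the port
    predicted from the previously observed query (the synchronized attack)."""
    hits = sum(1 for a, b in zip(ports, ports[1:])
               if next_sequential(a, step, lo, hi) == b)
    return hits / (len(ports) - 1)


def make_sawtooth(n, start, jumps):
    """Constructed sample: step-1 allocator with wrap-around and a few skips.
    `jumps` maps sample index -> extra ports skipped after that sample."""
    ports, p = [], start
    for i in range(n):
        ports.append(p)
        p = next_sequential(p)
        if i in jumps:                       # a discontinuity in the chart
            p = next_sequential(p, jumps[i])
    return ports


# Constructed samples: one sawtooth server, one properly randomized server.
SAWTOOTH = make_sawtooth(8000, start=60000, jumps={2000: 500, 6000: 700})
_rng = random.Random(7)
RANDOM_PORTS = [_rng.randrange(LO, HI + 1) for _ in range(8000)]

if __name__ == "__main__":
    blind = 1 / (HI - LO + 1)                # one fixed guess against a random port
    for name, ports in (("sawtooth", SAWTOOTH), ("random", RANDOM_PORTS)):
        step, frac = dominant_step(ports)
        print(f"{name:9s} dominant step={step:5d} in {frac:.4f} of pairs; "
              f"synchronized hit rate={spoof_hit_rate(ports, step):.4f} "
              f"(blind guess {blind:.6f})")
```

Against the sawtooth sample the synchronized guess hits on all but the two skipped pairs, so a forged reply aimed at the predicted port wins essentially every time the transaction ID also matches; against the randomized sample the same strategy is no better than a blind guess at one port in roughly 64,500.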
Despite the industry-wide attention that was brought to this issue early in 2008, the charts above were taken from our discussion forum contributors in mid to late 2008 and depict the query randomness of actual and significantly less than ideal DNS nameservers operating on the Internet. In addition, independent studies have determined that approximately 25% of all Internet nameservers remain “unpatched” against easy spoofability exploitation. Presumably those nameservers emit all of their queries from a single fixed port. <<shudder>>


Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2016 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.

Last Edit: Dec 19, 2008 at 09:35