Feb. 24, 2011
Open source developers have released a security patch for a high-risk flaw in BIND, the most widely deployed
DNS (Domain Name System) server software on the Internet.
Without DNS, clients could not turn names into addresses, effectively cutting off Web browsing, eCommerce,
email, instant messaging, file transfers and nearly every other Internet service.
The flaw in BIND gives attackers a way to hang a server running a vulnerable version of the software so that
it stops answering queries. In a nutshell, DNS translates domain names into IP (Internet Protocol) addresses so
that the millions of hosts on the Internet can quickly find which address belongs to which name. Each domain name
is unique, and so is each IP address.
Originally developed at the University of California, Berkeley, BIND is now managed by the Internet Systems Consortium
(ISC). Based in Redwood City, Calif., ISC is a non-profit public corporation dedicated to supporting the infrastructure
of the Internet and the autonomy of its participants by developing and maintaining core production quality software and
Left unaddressed, and exploited at scale against the authoritative servers running affected versions, the
vulnerability would give an attacker an effective means to deadlock those servers and halt resolution for every
zone they serve, rendering the affected parts of the Web unusable.
Authoritative name servers can be pushed into a deadlock when they process an incremental zone transfer (IXFR) or a
dynamic update at the same time as ordinary queries. An IXFR carries only the records that changed since the version
of the zone the secondary already holds, with unchanged records omitted to save bandwidth and processing time.
An official advisory by the Internet Systems Consortium explains "When an authoritative server processes a successful
IXFR transfer or a dynamic update, there is a small window of time during which the IXFR/update coupled with a query
may cause a deadlock to occur. This deadlock will cause the server to stop processing all requests. A high query rate and/or
a high update rate will increase the probability of this condition."
Attacks on, or accidental disruption of, the authoritative name servers that underpin the Internet's "phone book"
have the potential to severely disrupt Web browsing, eCommerce and e-mail. Reaching a site by its IP address instead
of its domain name offers little relief, because the other services a site depends on, mail delivery among them,
rely on name lookups of their own.
Discovered by Internet infrastructure firm Neustar, the flaw affects BIND versions 9.7.1 and 9.7.2 at any patch level.
Neither earlier versions of BIND nor BIND 9.8 are vulnerable, however.
No exploits are known to be circulating, but system admins and NOC (network operations center) managers are
still being urged to update to BIND version 9.7.3, which fixes the flaw.
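As an added illustration, not part of the original article or of ISC's own tooling, the following Python script parses the banner that `named -v` prints and flags the two affected release branches named above. The banners in SAMPLE_BANNERS are constructed. One caveat a practitioner should keep in mind: distribution packages sometimes backport a fix without changing the upstream version string, so treat an "affected" result as a prompt to check the package changelog rather than as a verdict.

```python
"""Flag BIND version banners that fall in the branches ISC's advisory names
(9.7.1 and 9.7.2; fixed in 9.7.3). Added example, not ISC code; the banners
in SAMPLE_BANNERS are constructed, not collected from real hosts."""
import re
from typing import List, Optional, Tuple

# Affected as reported above: the 9.7.1 and 9.7.2 branches at any -P level.
AFFECTED_BRANCHES = {(9, 7, 1), (9, 7, 2)}
FIXED_RELEASE = (9, 7, 3)

# 'named -v' prints e.g. "BIND 9.7.2-P3", "BIND 9.7.3b1", "BIND 9.6.2-P3".
_BANNER_RE = re.compile(
    r"BIND\s+(?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?"
    r"(?P<pre>(?:a|b|rc)\d+)?"      # pre-release tag: a1, b1, rc1
    r"(?:-P(?P<plevel>\d+))?"       # security patch level: -P1, -P2 ...
)


def parse_banner(banner: str) -> Optional[Tuple[int, int, int, str, int]]:
    """Return (major, minor, patch, pre_tag, patch_level), or None if the
    text does not contain a BIND version string."""
    m = _BANNER_RE.search(banner)
    if m is None:
        return None
    return (int(m["major"]), int(m["minor"]), int(m["patch"] or 0),
            m["pre"] or "", int(m["plevel"] or 0))


def deadlock_status(banner: str) -> str:
    """'affected', 'not affected', or 'review'.
    'review' covers banners we cannot parse and pre-releases of the fixed
    version (9.7.3b1, 9.7.3rc1): the advisory speaks only of 9.7.3, so a
    beta of it is neither known-fixed nor listed as affected."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "review"
    release, pre = parsed[:3], parsed[3]
    if release in AFFECTED_BRANCHES:
        return "affected"           # any -P level of 9.7.1 / 9.7.2
    if release == FIXED_RELEASE and pre:
        return "review"
    return "not affected"


def audit(banners: List[str]) -> List[Tuple[str, str]]:
    """Pair each banner with its status; meant for a fleet's collected output."""
    return [(b, deadlock_status(b)) for b in banners]


# Constructed sample of what a fleet-wide `named -v` sweep might return.
SAMPLE_BANNERS = [
    "BIND 9.7.2-P3",                 # affected
    "BIND 9.7.1",                    # affected
    "BIND 9.7.3",                    # the fix
    "BIND 9.6.2-P3",                 # earlier branch, out of scope
    "BIND 9.8.0rc1",                 # later branch, out of scope
    "BIND 9.7.3b1",                  # pre-release of the fix: review
    "named: command not found",      # host without BIND (or PATH issue): review
]

if __name__ == "__main__":
    for banner, status in audit(SAMPLE_BANNERS):
        print(f"{status:13} {banner}")
```

Run it against the text of `named -v` gathered from each host (for example via your configuration management tool) and act on the "affected" and "review" rows; the "review" bucket exists so that an unparseable banner is never silently counted as safe.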
In July 2008, attackers were actively exploiting a critical security flaw in the Web's DNS lookup system
that could cause millions of Internet users to receive bogus Web pages when they tried to reach
online banking services and similar types of sites.
According to Dan Kaminsky, the researcher who first warned of the DNS vulnerability
on July 8, "there are definitely other confirmed attacks," but non-disclosure agreements prevent him
from giving any details.
The first confirmed instance came at the end of that month, when security researcher H D Moore discovered a
DNS (Domain Name System) server operated by AT&T that had been compromised the day before. The
attack redirected Moore and other AT&T subscribers to a fake Google page that pushed
affiliate advertising sites.
Equally worrisome is the sophistication the AT&T attackers showed in carrying out their attack.
Rather than using the exploit code added the previous week to Metasploit, the penetration testing framework that
happens to be maintained by Moore, the attackers wrote their own program that stealthily redirected
users trying to visit Google to an impostor site.
Kaminsky said "that was a wildly mature attack. Someone out there had an entire infrastructure
built to attack Google's click-fraud system. By any of today's standards, that's a significant
amount of code."
AT&T was one of many ISPs (Internet service providers) widely reported to be dragging their feet in
applying the security patches that fix the DNS flaw. Kaminsky said more ISPs appeared to be getting the message:
one Thursday in late July, about 51 percent of unique name servers tested on his site showed up as vulnerable;
within the week, he said, the figure was closer to 35 percent.
There was obviously still a lot of room for improvement.
For more than 10 days, other researchers had pointed to an increase in queries to
DNS servers and other evidence suggesting imminent attacks, but the AT&T exploit was the first to
be specifically documented.
In most cases, installing the DNS security patch is a straightforward affair, but not always.
Paul Vixie, head of the organization that maintains BIND (Berkeley Internet Name Domain), the Internet's
most popular DNS server software, said at the time that the security updates closing the hole could reduce
performance under heavy load at certain times of the day.
Vixie added that he believes fixing the flaw is more important than tolerating a potentially slower
server. An update that greatly improves the performance was in the works, however.
Even so, it had been more than three weeks since Kaminsky, Vixie and a whole slew of other
influential and prominent experts began imploring organizations to install the patch on their DNS servers.
Now that attacks had been confirmed in the wild, it was difficult to imagine any further
justification for not doing so.
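The patch Vixie refers to randomized the UDP source port of a resolver's outbound queries, so that a spoofer has to guess both the 16-bit transaction ID and the port; that detail is public record from 2008 but is not stated above. As an added example, not from the article, from ISC, or from Kaminsky's test site, the Python below classifies a sample of observed source ports in the spirit of the 2008 online checkers and works out what the change does to a blind attacker's odds. The port samples are constructed, the 80 percent threshold for calling an allocator "sequential" is a heuristic chosen here, and the 1024 to 65535 ephemeral range assumed for a randomizing resolver is an assumption the code states.

```python
"""Estimate a recursive resolver's exposure to blind (Kaminsky-style) cache
poisoning from a sample of the UDP source ports its outbound queries use.
Added example, not from the article or from any 2008 test site. Port samples
below are constructed; the ephemeral port range is an assumption."""
import math
import random
from collections import Counter
from typing import Dict, Sequence

TXID_SPACE = 65536       # 16-bit DNS transaction ID: an unpatched resolver's only randomness
EPHEMERAL_PORTS = 64512  # assumed size of a randomizing resolver's port range (1024-65535)


def entropy_bits(values: Sequence[int]) -> float:
    """Shannon entropy of the observed distribution. 0.0 means one value only;
    a sample of n distinct values scores log2(n), its maximum."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def port_pattern(ports: Sequence[int]) -> str:
    """'fixed' (one port reused for every query), 'sequential' (at least 80% of
    consecutive queries step the port by +1, so the next one is predictable),
    else 'random'. The 80% cut-off is a heuristic chosen for this example."""
    if len(set(ports)) == 1:
        return "fixed"
    steps = [b - a for a, b in zip(ports, ports[1:])]
    if steps and sum(1 for s in steps if s == 1) >= 0.8 * len(steps):
        return "sequential"
    return "random"


def guess_space(ports: Sequence[int]) -> int:
    """Number of equally likely (TXID, port) pairs a blind spoofer must cover.
    Fixed or sequential ports add nothing a spoofer cannot predict; random
    ports multiply the space by the assumed ephemeral range."""
    return TXID_SPACE * (EPHEMERAL_PORTS if port_pattern(ports) == "random" else 1)


def poison_probability(forged_replies: int, space: int) -> float:
    """P(at least one of k forged replies matches) = 1 - (1 - 1/space)^k."""
    return 1.0 - (1.0 - 1.0 / space) ** forged_replies


def expected_races(forged_replies: int, space: int) -> float:
    """Expected races until one succeeds. Kaminsky's trick makes each race
    cheap: query a random, uncached sub-name so there is no TTL to wait out."""
    return 1.0 / poison_probability(forged_replies, space)


def assess(ports: Sequence[int], forged_replies: int = 65536) -> Dict[str, object]:
    """Summarise one sample: pattern, entropy, and the attacker's odds when
    firing `forged_replies` spoofed answers into each race window."""
    space = guess_space(ports)
    return {
        "pattern": port_pattern(ports),
        "port_entropy_bits": round(entropy_bits(ports), 2),
        "guess_space": space,
        "p_success_per_race": poison_probability(forged_replies, space),
        "expected_races": expected_races(forged_replies, space),
    }


# Constructed samples of 60 outbound queries each.
UNPATCHED_PORTS = [53] * 60                                         # classic "query from port 53"
SEQUENTIAL_PORTS = list(range(32768, 32828))                        # incrementing allocator
PATCHED_PORTS = random.Random(2008).sample(range(1024, 65536), 60)  # randomized, as the fix does

if __name__ == "__main__":
    for label, ports in [("unpatched", UNPATCHED_PORTS),
                         ("sequential", SEQUENTIAL_PORTS),
                         ("patched", PATCHED_PORTS)]:
        print(label, assess(ports))
```

The numbers make Vixie's trade-off concrete: against a resolver that always queries from one port, an attacker who can land 65536 forged replies per race expects to win in under two races, while the same attacker against a port-randomizing resolver needs on the order of the whole ephemeral range, tens of thousands of races. To gather a real sample, capture the resolver's outbound UDP queries (for example with tcpdump on port 53 destination) and feed the source ports to `assess`.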
In June 2002, Internet security organizations issued an alert about another BIND vulnerability that could
expose companies to DoS (denial-of-service) attacks. The vulnerability was found in version 9 of the Internet Software
Consortium's BIND (Berkeley Internet Name Domain) server.
If exploited by an attacker, the BIND server would stop responding until restarted, according to an advisory
issued by the U.S.-based CERT Coordination Center (CERT/CC).
"Because the normal operation of most services on the Internet depends on the proper operation of DNS servers, other
services could be affected if this vulnerability is exploited," the advisory stated.
According to CERT, only BIND 9 releases prior to 9.2.1, and not versions 4 or 8, were affected.
By sending a specific DNS packet designed to trigger an internal consistency check, an attacker can
cause the shutdown, CERT said. "It is also possible to accidentally trigger this vulnerability using common queries found
in routine operation, especially queries originating from SMTP servers (outgoing mail servers), which would have an even
more detrimental impact by spewing out unwanted spam email on top of rendering legitimate mail servers useless."
Robert Mead, coordination center manager at the Australian Computer Emergency Response Team (AusCERT), urged companies
to keep the vulnerability in perspective. Mead said AusCERT had yet to receive any reports of businesses in Australia
being affected. AusCERT provides incident-response assistance and training to its members.
According to Mead, most Australian businesses are more likely to be using either "cut-down" versions of 8, or current
versions of BIND 9. "It's unlikely to have a significant impact on security-sensitive environments," he said.
Grant Slender, principal consultant for Australia at Internet Security Systems (ISS), said he believes the alert
signals a need for companies and system admins to stay vigilant about security vulnerabilities that could
open them up to DoS attacks.
Slender sees government and large commercial organizations as the most likely to be affected. "It's critical that
organizations take concrete steps immediately to protect their DNS services from being removed from operation," he warned.
Source: The Internet Systems Consortium.