Linux News Today features the latest news from the global Linux community.

New glitch discovered in BIND DNS software


Feb. 24, 2011

Open source developers have made available a security patch to repair a high-risk software glitch in BIND, the widely used DNS (Domain Name Services) system used in all Web servers today.

Without DNS, Internet servers would be unable to communicate with other servers on the Web, effectively cutting off all Internet services such as Web surfing, eCommerce, email, instant messaging, file transfers, etc.

The software glitch in BIND creates a potential mechanism for miscreants and hackers to crash server systems running a vulnerable version of the software. In a nutshell, DNS' main function is to quickly translate domain names into IP (Internet Protocol) addresses so that millions of servers on the Internet can rapidly find which domain name is associated with which IP address. Each domain name is unique, as is each IP address.

Originally developed by Internet researchers at MIT and Berkeley University, BIND is now managed by the Internet Systems Consortium (ISC). Based in Redwood City, Calif., ISC is a non-profit public corporation dedicated to supporting the infrastructure of the Internet and the autonomy of its participants by developing and maintaining core production quality software and protocols.

Left unaddressed, and if the BIND software glitch were to replicate itself in 100 percent of all Web servers, the security vulnerability would provide an effective means to cause BIND servers to deadlock and completely halt the process of all Internet IP query requests, rendering the Web totally unusable.

Authoritative name servers can be pushed into a deadlock condition when processing incremental zone transfer (IXFR) updates. These updates carry only the recent changes in DNS records between name servers; unchanged records are omitted to save bandwidth and processing power.

An official advisory by the Internet Systems Consortium explains: "When an authoritative server processes a successful IXFR transfer or a dynamic update, there is a small window of time during which the IXFR/update coupled with a query may cause a deadlock to occur. This deadlock will cause the server to stop processing all requests. A high query rate and/or a high update rate will increase the probability of this condition."

Potential attacks or voluntary disturbances on the authoritative name servers that underpin the Internet's "yellow page" system have the potential to severely disrupt Internet surfing, eCommerce activities and e-mail service even to users that could still reach websites by using their respective IP address instead of the domain name of the site they wanted to reach because of the way that BIND works.

Discovered by Internet software firm Neustar, the BIND software glitch affects BIND versions 9.7.1 and 9.7.2.

Neither earlier versions of BIND nor BIND 9.8 are vulnerable, however.

No real exploits against the vulnerability exist, but system admins and NOC (network operations center) managers are still being urged to update to BIND version 9.7.3, which fully addresses the glitch.

In July 2008, would-be Internet hackers were actively exploiting a critical security flaw in the Web's DNS IP address lookup system that can cause millions of Internet surfers to receive bogus Web pages when they try to access online banking services and similar types of sites.

According to Dan Kaminsky, the researcher who first warned of the DNS vulnerability on July 25, "there are definitely other confirmed attacks," but non-disclosure agreements prevent him from giving any details.

The first confirmed instance came yesterday, when security researcher H D Moore discovered a DNS (domain-name service) server operated by AT&T that had been compromised the day before. The attack caused Moore and other AT&T subscribers to be redirected to a fake Google page that tried to push affiliate advertising sites.

Equally worrisome is the sophistication the AT&T attackers showed in carrying out their attacks. Rather than using exploit code added last week to Metasploit, a penetration testing kit that just happens to be maintained by Moore, the hackers fashioned their own program that stealthily redirected users trying to visit Google to an imposter site.

Kaminsky said "that was a wildly mature attack. Someone out there had an entire infrastructure built to attack Google's click-fraud system. By any of today's standards, that's a significant amount of code."

AT&T has been one of the many laggard ISPs (internet service providers) widely reported to be dragging their feet in applying security patches that fix the devastating DNS flaw. Kaminsky says more ISPs appear to be getting the message. Last Thursday, about 51 percent of unique name servers tested on his site showed up as vulnerable. Now, he says it's closer to 35 percent.

There's obviously still a lot of room for improvement.

For more than 10 days now, other researchers have pointed to an increase in queries to DNS servers and other evidence suggesting imminent attacks, but the AT&T exploit is the first to be specifically documented.

In most cases, installing the DNS security patch is a very straightforward affair, but not always. Paul Vixie, head of the organization that maintains BIND (Berkeley Internet Name Domain), the Internet's most popular DNS server software, recently said security updates patching the hole could possibly reduce performance under heavy loads at certain times of the day.

Vixie added that he believes fixing the flaw was more important than suffering a potentially slower server performance. An update that will greatly improve the performance is in the works, however.

Even still, it's been more than three weeks since Kaminsky, Vixie and a whole slew of other influential and prominent experts began imploring organizations to install the patch on their DNS servers.

Now that the attacks have been confirmed almost everywhere, it's difficult to imagine any further justification for not doing so.

In June 2002, Internet security organizations issued an alert about another BIND software vulnerability that could expose companies to DoS (denial-of-service) attacks. The vulnerability was found in version 9 of the Internet Software Consortium's BIND (Berkeley Internet Name Domain) server.

If it was exploited by an attacker, the BIND server would stop responding until rebooted, according to an advisory issued by U.S.-based security advisory CERT.

"Because the normal operation of most services on the Internet depends on the proper operation of DNS servers, other services could be affected if this vulnerability is exploited," the advisory stated.


According to CERT, only version 9 prior to 9.2.1--and not versions 4 or 8--of the BIND server were affected, however.

By sending a specific DNS packet, which is designed to trigger an internal consistency check, an attacker is able to cause the shutdown, CERT said. "It is also possible to accidentally trigger this vulnerability using common queries found in routine operation, especially queries originating from SMTP servers (outgoing mail servers), which would have an even more detrimental impact by spewing out unwanted spam email on top of rendering legitimate mail servers useless."

Robert Mead, coordination center manager at the Australian Computer Emergency Response Team (AusCERT), urged companies to keep the vulnerability in perspective. Mead said AusCERT had yet to receive any reports of businesses in Australia being affected. AusCERT provides incident-response assistance and training to its members.

According to Mead, most Australian businesses are more likely to be using either "cut-down" versions of 8, or current versions of BIND 9. "It's unlikely to have a significant impact on security-sensitive environments," he said.

Grant Slender, principal consultant for Australia at Internet Security Systems (ISS), said he believes the alert signals a need for companies and system admins to maintain vigilance by being aware of security vulnerabilities that could open them up to DoS attacks.

Slender sees government and large commercial organizations as the most likely to be affected. "It's critical that organizations take concrete steps immediately to protect their DNS services from being removed from operation," he warned.
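
A version check built from the affected ranges reported in this article (9.7.1 and 9.7.2 for the IXFR deadlock; version 9 prior to 9.2.1 for the 2002 denial-of-service issue), as an added example that is not from ISC, CERT or the original article. The host names and banners are constructed, the function names are hypothetical, and it assumes patch-level suffixes such as -P3 belong to the same base version; banners in this form are what `named -v` prints.

```python
import re

# Affected ranges exactly as reported in the article above.
IXFR_DEADLOCK = {(9, 7, 1), (9, 7, 2)}   # 2011 issue, fixed in 9.7.3
DOS_2002_FIXED_IN = (9, 2, 1)            # 2002 issue: version 9 prior to 9.2.1

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_bind_version(banner):
    """Return (major, minor, patch) from a banner such as 'BIND 9.7.2-P3', or None."""
    match = _VERSION_RE.search(banner)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(banner):
    """List which of the two issues described in the article apply to a banner."""
    version = parse_bind_version(banner)
    if version is None:
        return ["unparsed"]          # hidden or malformed banner: check by hand
    findings = []
    # Assumption: -P/rc suffixes are ignored, so 9.7.2-P3 counts as 9.7.2.
    if version in IXFR_DEADLOCK:
        findings.append("ixfr-deadlock-2011: upgrade to 9.7.3")
    # Integer tuples compare numerically, so 9.10.x is not mistaken for < 9.2.1.
    if version[0] == 9 and version < DOS_2002_FIXED_IN:
        findings.append("dos-2002: upgrade to 9.2.1 or later")
    return findings or ["not listed as affected"]


def audit(inventory):
    """Classify every host in a {hostname: banner} inventory."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed inventory for illustration only.
SAMPLE = {
    "ns1.example.test": "BIND 9.7.2-P3",
    "ns2.example.test": "BIND 9.7.3",
    "ns3.example.test": "BIND 9.1.3",
    "ns4.example.test": "BIND 9.10.3",
    "ns5.example.test": "version hidden",
}

if __name__ == "__main__":
    for host, result in audit(SAMPLE).items():
        print(f"{host}: {', '.join(result)}")
```
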

Source: The Internet Systems Consortium.
