ISC BIND 8 DNS Server Software Vulnerable to Attacks

DDoS uses null expiration times to cache resource records

November 13, 2002 - ISC BIND (Berkeley Internet Name Daemon) versions 8 to 8.3.3, a popular implementation of the Domain Name Service (DNS) server protocol, has been shown to be vulnerable to a Distributed Denial of Service (DDoS) attack. ISC BIND is frequently used on Unix as well as Linux servers.

A successful ISC BIND DNS attack begins with the hacker gaining control over an authoritative DNS server and then forcing BIND 8 (and also BIND 4) servers to cache SIG resource records with null expiration times. This can happen only when recursion is enabled, but recursion is enabled by default on many installations. After the records are deleted from the server's database, invalid referencing can result in a denial of service situation. When there is an attempt to retrieve the cached information, the flaw can cause a buffer overflow.

An attack that exploits this vulnerability can be prevented in a variety of ways. One method is to upgrade BIND to version 9. Secondly, for DNS servers that have no need for recursion, the feature can be turned off in the BIND configuration file, which is highly advised. If turning off recursion is not possible, filtering or blocking port 53, the TCP port, can help, as most DDoS attacks use the TCP port. When blocking port 53, however, system administrators must make sure that the functionality of the DNS server is not compromised.

Source: AusCERT
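As an added illustration that is not part of the AusCERT bulletin, the following named.conf fragments show the weak setting the bulletin warns about beside the two hardened alternatives it recommends (recursion off for an authoritative-only server, or recursion restricted to local clients where it cannot be turned off). The ACL name and address ranges are constructed sample values, and each options block is a separate alternative, not one combined file.

```conf
// WEAK: recursion on for every client (the default on many BIND 8 installs).
// Any host on the Internet can make this server chase referrals to an
// attacker-controlled authoritative server and cache what it hands back.
options {
    directory "/var/named";
    recursion yes;
};

// HARDENED, authoritative-only server: recursion disabled outright, so the
// server answers only for its own zones and never caches third-party records.
options {
    directory "/var/named";
    recursion no;
};

// HARDENED, server that must still resolve for internal clients: keep
// recursion but limit it to trusted networks (constructed sample ranges).
acl "internal" { 127.0.0.1; 192.0.2.0/24; };
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { "internal"; };
};
```

After reloading the server, a query from a host outside the permitted networks should come back without the RA (recursion available) flag set, which confirms the restriction is in force.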

