BIND DNS server major flaw could let a script kiddie bring down a large number of DNS servers

  • BIND is the most widely used DNS server to date.

  • A major flaw (CVE-2015-5477) was found in BIND versions 9.1.0 to 9.8.x, 9.9.0 to 9.9.7-P1, and 9.10.0 to 9.10.2-P2.

  • Attackers can exploit it by sending a vulnerable server a malformed packet that is quite easy to create; the server promptly crashes. This happens because of an error in the way BIND handles TKEY queries: a single UDP packet can trigger a REQUIRE assertion failure (one of BIND's internal consistency checks), causing the DNS daemon to exit.

  • TKEY queries are used to negotiate keys for TSIG, a mechanism DNS servers can use to authenticate to each other.

  • Patches for this vulnerability have been released and can be simply installed by running “yum update” or “apt-get update && apt-get upgrade” on *nix systems.

  • If you run your own DNS server, a quick way to see if you are being targeted is to look for “ANY TKEY” in your DNS logs. An example is shown below:

      Aug 2 10:32:48 dns named[2717]: client a.b.c.d#42212 ( view north_america: query: ANY TKEY + (x.y.z.zz)
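As an added example (not part of the original post), the following Python script scans BIND query-log lines for TKEY queries and counts them per client address, so a burst from one source stands out; the log lines and addresses in it are constructed, and it assumes query logging is enabled on the server (for example with “rndc querylog”).

```python
import re
from collections import Counter

# "client <ip>#<port>" is how BIND query logging identifies the source of a query.
# The address pattern covers both IPv4 and IPv6 literals.
CLIENT_RE = re.compile(r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+)")

# The query type is the token right before the flags field ("+", "-", "+E", ...),
# so this does not fire on a query *name* such as tkey.example.com.
TKEY_RE = re.compile(r"query: .*\bTKEY (?=[+-])")


def parse_tkey_queries(lines):
    """Yield (client_ip, line) for every query-log line that records a TKEY query."""
    for line in lines:
        if not TKEY_RE.search(line):
            continue
        m = CLIENT_RE.search(line)
        if m is None:  # TKEY mentioned but no client field: not a query-log line we understand
            continue
        yield m.group("ip"), line.rstrip()


def tkey_sources(lines, threshold=1):
    """Count TKEY queries per client IP; return {ip: count} for sources at or above threshold."""
    counts = Counter(ip for ip, _ in parse_tkey_queries(lines))
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample: syslog-forwarded named query log, documentation-range addresses.
SAMPLE_LOG = """\
Aug  2 10:32:48 dns named[2717]: client 198.51.100.7#42212 (example.net): view north_america: query: example.net IN TKEY + (203.0.113.5)
Aug  2 10:32:48 dns named[2717]: client 198.51.100.7#42213 (example.net): view north_america: query: example.net ANY TKEY + (203.0.113.5)
Aug  2 10:32:49 dns named[2717]: client 192.0.2.10#53001 (www.example.com): view north_america: query: www.example.com IN A +E (203.0.113.5)
Aug  2 10:32:49 dns named[2717]: client 192.0.2.10#53002 (tkey.example.com): view north_america: query: tkey.example.com IN AAAA + (203.0.113.5)
Aug  2 10:32:50 dns named[2717]: client 2001:db8::42#40001 (example.org): view north_america: query: example.org IN TKEY - (203.0.113.5)
"""

if __name__ == "__main__":
    import sys
    # Pipe a real log in ("python tkey_watch.py < query.log"); with no input, scan the sample.
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for ip, n in sorted(tkey_sources(lines).items(), key=lambda kv: -kv[1]):
        print(f"{n:6d} TKEY queries from {ip}")
```

A handful of TKEY queries from known secondaries is normal where TSIG key negotiation is in use; many from a single unfamiliar address, or any at all on a server that does not use TKEY, is what to alert on.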