BIND 9 denial of service being seen in the wild

[Posted November 17, 2011 by jake]

The BIND 9 DNS name server is undergoing a concerted denial of service attack, according to this Internet Systems Consortium advisory. "Organizations across the Internet reported crashes interrupting service on BIND 9 nameservers performing recursive queries. Affected servers crashed after logging an error in query.c with the following message: "INSIST(! dns_rdataset_isassociated(sigrdataset))" Multiple versions were reported being affected, including all currently supported release versions of ISC BIND 9. [...] An as-yet unidentified network event caused BIND 9 resolvers to cache an invalid record, subsequent queries for which could crash the resolvers with an assertion failure. ISC is working on determining the ultimate cause by which a record with this particular inconsistency is cached. At this time we are making available a patch which makes named recover gracefully from the inconsistency, preventing the abnormal exit." We should be seeing distributions releasing updated versions soon.

(Log in to post comments)

BIND 9 denial of service being seen in the wild

Posted Nov 17, 2011 16:23 UTC (Thu) by paravoid (subscriber, #32869) [Link] (2 responses)

Debian issued a security update (DSA 2347-1) and pushed updated for oldstable and stable yesterday.

BIND 9 denial of service being seen in the wild

Posted Nov 17, 2011 16:49 UTC (Thu) by CodyRobertson (guest, #73942) [Link] (1 responses)

Waiting for RHEL to pick up their feet :(

https://bugzilla.redhat.com/show_bug.cgi?id=754398

BIND 9 denial of service being seen in the wild

Posted Nov 17, 2011 20:18 UTC (Thu) by mbaldessari (guest, #36769) [Link]

RHEL Advisories and updates have appeared

BIND 9 denial of service being seen in the wild

Posted Nov 17, 2011 17:12 UTC (Thu) by jhardin (guest, #3297) [Link] (1 responses)

One thing I haven't seen explicitly addressed: if named is configured with "recursive no" is it immune?

BIND 9 denial of service being seen in the wild

Posted Nov 17, 2011 18:06 UTC (Thu) by jeleinweber (subscriber, #8326) [Link]

Apparently the attack scenario involves a recursive query which hits a rogue server that provides an NXDOMAIN result with attached resource records.

Iterative only (authoritative) servers should be immune, yes.

BIND 9 denial of service being seen in the wild

Posted Nov 17, 2011 17:53 UTC (Thu) by bjartur (guest, #67801) [Link] (1 responses)

Does the patch simply strip the executable of the false assertion?

BIND 9 denial of service being seen in the wild

Posted Nov 17, 2011 18:04 UTC (Thu) by eigenstr (guest, #5205) [Link]

Basically, yes.

BIND 9 denial of service being seen in the wild

Posted Nov 17, 2011 18:17 UTC (Thu) by brad@vaxxine.com (guest, #6399) [Link] (2 responses)

I am glad I took my lumps and disabled public recursive resolving many years ago on my BIND installations. Only do that for local IP ranges! This eliminates all the resolver issues. Also I found that when the DNS server was open I was getting a constant stream of repeated unusual TXT lookups from remote IP's which were for oddball domains. These TXT records contained many K of data. I suspect these requests were fake source IP requests being used as some sort of bandwidth DOS attack, working like a Smurf PING attack.

I think it was must simpler...

Posted Nov 17, 2011 19:47 UTC (Thu) by khim (subscriber, #9252) [Link]

Are you sure it was something nefarous? Perhaps it was just a simple IP-over-DNS?

BIND 9 denial of service being seen in the wild

Posted Nov 18, 2011 11:48 UTC (Fri) by terryburton (subscriber, #26261) [Link]

"Only do that for local IP ranges! This eliminates all the resolver issues."

There may be many ways of coercing your local hosts to make lookups that you did not intend, such as including links in web content that the browser pre-caches as well as basic SMTP reception and mail content scanning. Enable query logging on your resolver to see the scope of this.