Anyone who runs a dedicated server or works in an IT department with several internet-facing servers knows BIND, the most widely used DNS software on the internet. A flaw in BIND makes it vulnerable to a form of attack called 'cache poisoning', and network administrators are being warned to patch the software immediately.
The vulnerability allows an attack similar to other cache poisoning techniques used against BIND and other DNS servers in the past. It takes advantage of the fact that the transaction ID a BIND 9 server places in its outgoing queries is predictable, and every BIND 9 release before the patched versions is affected.
The attack tricks a caching DNS server into storing a malicious record as the legitimate record for a website. When a user then visits the site by its legitimate, well-known address, the poisoned record sends them to the attacker's server instead. The danger of this type of attack is severe, and there are several possible ways to exploit it.
Amit Klein, a researcher for Trusteer, wrote about the vulnerability in a recent research paper published to the web. In the abstract for the paper, Klein explains that “BIND 9 DNS queries are predictable – i.e. that the source UDP port and DNS transaction ID can be effectively predicted. A predictability algorithm is described that, in optimal conditions, provides very few guesses for the "next" query (10 in the basic attack, and 1 in the advanced attack), thereby overcoming whatever protection offered by the transaction ID mechanism.”
This enables, Klein said, “a much more effective DNS cache poisoning than the currently known attacks against BIND 9. The net effect is that Pharming attacks are feasible against BIND 9 caching DNS servers, without the need to directly attack neither DNS servers nor clients (PCs). The results are applicable to all BIND 9 releases, when BIND (the named daemon) is in caching DNS server configuration.”
“Once the attacker knows the "state" of the target's BIND install, it is possible to forge a response. DNS uses UDP by default. Each query sent by the DNS server includes a random transaction ID. The server responding to the query will include this transaction ID so the querying DNS server knows what query is answered by this particular response. BIND always uses the same source port for its queries. The attack appears to be quite feasible. Probably the main difficulty will be to get the spoofed packet routed. But unless the attacker's network implements strict egress filtering, this is very much a feasible attack. Best to patch your BIND server soon,” said the SANS Internet Storm Center (ISC) in its write-up of the attack.
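The race the Internet Storm Center quote describes, as an added illustration (this is not code from the article, from Klein's paper or from BIND itself): a toy caching resolver that accepts the first UDP response matching the outstanding query's name, transaction ID and port, and an attacker who fires forged answers at it before the real one arrives. The blind attacker has a 16-bit transaction ID to guess. The "narrowed" attacker stands in for Klein's predictor by being handed a short candidate list that contains the real ID (10 entries for the basic attack, 1 for the advanced one); planting the real ID among decoys is an assumption of this model, and the paper's actual prediction algorithm is not reproduced. The example also goes beyond the article by modelling a resolver with a randomised source port, to show what the fixed port in the quote gives away. The host names, addresses, port pool and trial counts are constructed for the example.

```python
import random
from dataclasses import dataclass
from functools import partial

TXID_SPACE = 1 << 16                   # the DNS transaction ID is a 16-bit field
EPHEMERAL_PORTS = range(1024, 65536)   # assumed pool for a port-randomising resolver


@dataclass
class Query:
    name: str
    txid: int
    sport: int


class ToyResolver:
    """Caches the first UDP response whose (name, txid, destination port)
    match the outstanding query; anything else is silently dropped."""

    def __init__(self, rng, fixed_port=53):
        self.rng = rng
        self.fixed_port = fixed_port   # a fixed source port, as the ISC quote describes
        self.cache = {}
        self.outstanding = None

    def send_query(self, name):
        txid = self.rng.randrange(TXID_SPACE)
        sport = self.fixed_port if self.fixed_port is not None else self.rng.choice(EPHEMERAL_PORTS)
        self.outstanding = Query(name, txid, sport)
        return self.outstanding

    def receive(self, name, txid, dport, rdata):
        q = self.outstanding
        if q is None or (name, txid, dport) != (q.name, q.txid, q.sport):
            return False
        self.cache[name] = rdata
        self.outstanding = None
        return True


def blind_guesser(q, rng, budget, knows_port):
    """Attacker without a predictor: random txid, and a random port too unless
    the resolver's port is fixed and therefore known."""
    for _ in range(budget):
        port = q.sport if knows_port else rng.choice(EPHEMERAL_PORTS)
        yield rng.randrange(TXID_SPACE), port


def narrowed_guesser(q, rng, budget, knows_port, candidates):
    """Models a Klein-style predictor that narrows the txid to `candidates`
    values, one of them right (10 in the basic attack, 1 in the advanced one).
    Assumption: the real txid is simply planted among decoys; the paper's
    prediction algorithm is not reproduced here."""
    pool = [q.txid] + [rng.randrange(TXID_SPACE) for _ in range(candidates - 1)]
    rng.shuffle(pool)
    for i in range(budget):
        port = q.sport if knows_port else rng.choice(EPHEMERAL_PORTS)
        yield pool[i % len(pool)], port


def poison_rate(trials, budget, attacker, fixed_port=53, seed=7):
    """Fraction of races the attacker wins.  The legitimate answer is assumed to
    arrive only after `budget` forged packets, and egress filtering is assumed
    not to stop the spoofed source address (the routing caveat in the quote)."""
    master = random.Random(seed)
    wins = 0
    for _ in range(trials):
        resolver = ToyResolver(random.Random(master.getrandbits(64)), fixed_port)
        attacker_rng = random.Random(master.getrandbits(64))
        q = resolver.send_query("www.example.com")                    # constructed name
        for txid, port in attacker(q, attacker_rng, budget):
            if resolver.receive(q.name, txid, port, "192.0.2.1"):     # attacker's address
                wins += 1
                break
        else:
            resolver.receive(q.name, q.txid, q.sport, "198.51.100.1")  # real answer wins the race
    return wins / trials


def expected_blind_rate(budget, port_choices=1):
    """Closed form for blind guessing: P(at least one of `budget` forgeries hits)."""
    space = TXID_SPACE * port_choices
    return 1 - (1 - 1 / space) ** budget


if __name__ == "__main__":
    blind = partial(blind_guesser, knows_port=True)
    basic = partial(narrowed_guesser, knows_port=True, candidates=10)
    advanced = partial(narrowed_guesser, knows_port=True, candidates=1)
    blind_rand_port = partial(blind_guesser, knows_port=False)
    print("blind, fixed port, 10 packets:       ", poison_rate(200, 10, blind))
    print("closed form for the same:            ", expected_blind_rate(10))
    print("Klein basic (10 guesses), 10 packets:", poison_rate(200, 10, basic))
    print("Klein advanced (1 guess), 1 packet:  ", poison_rate(200, 1, advanced))
    print("blind, randomised port, 10 packets:  ", poison_rate(200, 10, blind_rand_port, fixed_port=None))
```

With the port fixed, ten blind forgeries win roughly one race in 6,500; the narrowed attacker wins every race with the same ten packets, and the advanced variant with one. Randomising the source port puts a second 16-bit value back in front of the guesser, which is why the quote singles out BIND's fixed port.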
The Internet Systems Consortium, which maintains BIND, has released patched versions; the fix for the 9.4 branch is available here: http://www.isc.org/index.pl?/sw/bind/view/?release=9.4.1-P1
Vulnerable versions of BIND include:
BIND 9.0 (all versions)
BIND 9.1 (all versions)
BIND 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.7, 9.2.8
BIND 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4
BIND 9.4.0, 9.4.1
BIND 9.5.0a1, 9.5.0a2, 9.5.0a3, 9.5.0a4, 9.5.0a5
BIND versions not affected are:
BIND 9.2.8-P1
BIND 9.3.4-P1
BIND 9.4.1-P1
BIND 9.5.0a6
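An added check, not from the article or from ISC, that turns the two lists above into a classifier for what `dig +short chaos txt version.bind @server` returns from each resolver you administer. The point that needs code is the ordering: a 9.5.0 alpha sorts below the 9.5.0 release, and a `-P1` patch release sorts above the release it patches, so a plain string comparison gets both wrong. The server names and answers below are constructed, and the `version.bind` record is self-reported (it can be hidden with `version none;` or set to anything), so an unparseable answer is reported as unknown rather than as safe.

```python
import re

# Fixed releases named in the lists above; earlier releases on the same branch
# are vulnerable, and no fixed release is listed for the 9.0 and 9.1 branches.
FIXED = {"9.2": "9.2.8-P1", "9.3": "9.3.4-P1", "9.4": "9.4.1-P1", "9.5": "9.5.0a6"}
UNFIXED_BRANCHES = {"9.0", "9.1"}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+))?(?:-P(\d+))?$")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}   # alpha < beta < rc < final release


def version_key(version):
    """Sortable key for an ISC-style version: 9.5.0a5 < 9.5.0a6 < 9.5.0 < 9.5.0-P1."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version {version!r}")
    major, minor, patch, pre, pre_n, p_level = m.groups()
    pre_key = (_PRE_RANK[pre], int(pre_n)) if pre else (3, 0)
    return (int(major), int(minor), int(patch), pre_key, int(p_level or 0))


def assess(dig_line):
    """Classify one `dig +short chaos txt version.bind @server` answer.
    Returns (vulnerable, note); vulnerable is True, False or None for unknown."""
    version = dig_line.strip().strip('"')
    try:
        key = version_key(version)
    except ValueError:
        # version.bind may be hidden or customised, so it proves nothing either
        # way; check the installed package on the host instead.
        return None, "version withheld or customised; check the installed package"
    if key[0] != 9:
        return None, "not a BIND 9 release; outside the scope of this advisory"
    branch = f"{key[0]}.{key[1]}"
    if branch in UNFIXED_BRANCHES:
        return True, "no fixed release listed for this branch; move to a branch that has one"
    fixed = FIXED.get(branch)
    if fixed is None:
        return None, "branch not covered by the lists above"
    if key >= version_key(fixed):
        return False, f"at or above fixed release {fixed}"
    return True, f"vulnerable; upgrade to {fixed}"


# Constructed sample answers in the form dig prints them; the servers are hypothetical.
SAMPLE_ANSWERS = {
    "ns1.example.net": '"9.4.1"',
    "ns2.example.net": '"9.4.1-P1"',
    "ns3.example.net": '"9.5.0a5"',
    "ns4.example.net": '"Nope"',
}

if __name__ == "__main__":
    for host, answer in SAMPLE_ANSWERS.items():
        vulnerable, note = assess(answer)
        print(f"{host:18} {answer:14} vulnerable={vulnerable}  {note}")
```

Run it over the real answers from your own servers, but treat a "not vulnerable" verdict from `version.bind` as a hint only; the package version on the host is the authoritative check.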