nanog mailing list archives

Re: Curing the BIND pain


From: Andy Dills <andy () xecu net>
Date: Thu, 27 Mar 2003 15:12:50 -0500 (EST)


On Thu, 27 Mar 2003 Michael.Dillon () radianz com wrote:

> I suggest that an appropriate technique would be for the BIND server to
> originate traffic on its local subnet that would look suspicious and
> possibly trigger intrusion alarms. Send out some packets to the broadcast
> address. Do some portscanning of all addresses on the subnet. Find any
> open port 80 and retrieve a URL containing
> BIND/server/at/10.7.7.1/has/security/vulnerability, find any open port 25
> and send email to postmaster containing the same message, etc.

Better yet, why not just have it print to console "BIND INSECURE, UPGRADE,
SHUTTING DOWN THE SERVER NOW" and then halt? Far more likely to get
noticed.

> Not enough traffic to be a DoS but enough to show up in various logs in
> case someone is looking at some of them.

If you have somebody looking at firewall or IDS logs, you won't need to be
told to upgrade bind. Besides, plenty of networks who do stay current on
application security would miss a little pretend DOS.

The best solutions I can come up with all revert to the undesired "stop
working" solution, in effect.

My favorite notion, which I didn't even suggest because of Paul's mandate
that the solution not involve breaking bind, would be to return, in
response to every query, the IP address of a special website that says
"THE VERSION OF BIND ON YOUR NAMESERVERS IS VULNERABLE" or whatever, and
include instructions on how to upgrade.

Sure, it will break everything except http, and flood this webserver with
a ridiculous amount of unwanted traffic (bgp anycast with filtering
everything not destined for port 80, to help stem that a little?), but at
least people will know why nothing is working, once they fire up a
browser.

Looming large, of course, is the fact that people would have to upgrade to
get any of this "security upgrade" functionality. So we'd really be only
partially solving a problem in which we won't see any benefit for years to
come, which is usually enough impetus to kill a project these days.

Andy

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Andy Dills                              301-682-9972
Xecunet, Inc.                           www.xecu.net
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Dialup * Webhosting * E-Commerce * High-Speed Access
