Security Incidents mailing list archives

Re: dns attacks


From: Michal Zalewski <lcamtuf () DIONE IDS PL>
Date: Mon, 25 Sep 2000 21:15:12 +0200

On Mon, 25 Sep 2000, Mixter wrote:

> Lately, I've heard some rumours, unconfirmed however, about
> exploitation of an overflow in nameservers different from the old one,
> in older bind8 versions. As I couldn't confirm this in the source,
> maybe finding out if there are any active exploitation attempts of
> this bug might help to determine if it's a valid issue... If anyone
> running a secure/patched bind8 name server has recently experienced
> the following syslog message:
>
> Sep 25 18:12:25 host named[390]: bad iquery from <ip.address>
>
> ...it'd be interesting to hear about it.

Hi Mixter,

First of all, most security experts still believe there are several bind
8.2.2p5 security holes waiting to be fixed. As an example - a quick and
dirty security audit performed approx. 2 months ago showed me the "DNS dynamic
update" code is at least unstable (well, in fact, I'm sure it can be
exploited under certain circumstances), but it's only an optional,
experimental feature.

But, at this point, no one is able to confirm a specific vulnerability has
been found and exploited. So, I'm not denying the existence of security holes
in bind - and I'm not denying the existence of such holes in any other product
- but I'm almost sure no vulnerability is widely known in the black-hat
community. There were some rumours about Apache overflows recently, as
well, and I guess it's only FUD.

The message you're getting isn't really unusual - I strongly suggest you
play with a random DNS query flooder. We used such a tool and got several
messages, some of them much stranger for mere mortals, but we
weren't able to crash bind, or to DoS it in any other way.

_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
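The thread turns on one question: is a "bad iquery from <ip>" line an isolated oddity or the trace of a query flooder hammering the server? The following is an added example, written for this archive page and not code from either poster. It parses syslog lines in exactly the format Mixter quoted, groups them by source address, and measures the tightest burst from each source so that a flood stands out from a single stray packet. The log lines in SAMPLE_LOG are constructed for the example, the year passed to the parser (syslog timestamps carry none) and the window/threshold values are arbitrary assumptions, and nothing here claims to identify any particular tool or exploit; it only separates "many bad iqueries from one source in a few seconds" from "one bad iquery".

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines (not taken from the thread) in the format
# Mixter quoted: "<timestamp> <host> named[<pid>]: bad iquery from <ip>".
# One unrelated line is included to show that it is ignored.
SAMPLE_LOG = """\
Sep 25 18:12:25 host named[390]: bad iquery from 10.0.0.7
Sep 25 18:12:25 host named[390]: bad iquery from 10.0.0.7
Sep 25 18:12:26 host named[390]: bad iquery from 10.0.0.7
Sep 25 18:12:26 host named[390]: unrelated message
Sep 25 18:12:27 host named[390]: bad iquery from 10.0.0.7
Sep 25 18:12:40 host named[390]: bad iquery from 192.0.2.9
Sep 25 18:13:02 host named[390]: bad iquery from 10.0.0.7
"""

# Matches only the "bad iquery" message; everything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) named\[(?P<pid>\d+)\]: bad iquery from (?P<ip>\S+)$"
)


def parse_bad_iquery(text, year=2000):
    """Return a list of (timestamp, source_ip) for each 'bad iquery' line.

    Syslog timestamps have no year, so one is supplied by the caller
    (2000 here is an assumption matching the date of the thread).
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("ip")))
    return events


def classify_sources(events, window_seconds=10, threshold=3):
    """Per source IP: total count, largest burst inside any sliding window,
    and a verdict. A source that produces `threshold` or more bad iqueries
    within `window_seconds` is labelled 'flood', otherwise 'sporadic'.
    The window and threshold are arbitrary assumptions for the example.
    """
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)

    result = {}
    for ip, times in by_ip.items():
        times.sort()
        burst = 0
        start = 0
        # Sliding window over the sorted timestamps: advance `start` until
        # the window [start, end] fits inside window_seconds, then record
        # its size as a candidate for the largest burst.
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            burst = max(burst, end - start + 1)
        verdict = "flood" if burst >= threshold else "sporadic"
        result[ip] = {"count": len(times), "burst": burst, "verdict": verdict}
    return result


if __name__ == "__main__":
    for ip, info in sorted(classify_sources(parse_bad_iquery(SAMPLE_LOG)).items()):
        print(f"{ip:>12}  count={info['count']}  burst={info['burst']}  {info['verdict']}")
```

Run against real logs, the interesting output is not the "flood" sources (a flooder, as Zalewski notes, produces these lines as a matter of course) but a single address that shows up once or twice with a malformed inverse query; that is the case worth pulling a packet capture for.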

