Re: Continued DoS seen on BIND8.2.2p7

[Ryan Russell <ryan () SECURITYFOCUS COM>]

On Sat, 3 Mar 2001, Paul Makepeace wrote:

> I was under the impression BIND8.2.2p7 was fixed re: recent DoS
> exploits. I'm still seeing named die from time to time, always preceded
> by the same signature:

No, not at all.  Anything before 8.2.3-REL has serious problems.  There is
an exploitable overflow in the version you're running, which if not done
just right (or if the attacker doesn't care) results in a crash (a DoS)
rather than code being pushed.  Or there may be exploits that push code
AND crash, I don't know.  You need to upgrade in any case.

> Is this a new attack? I have added allow-transfer directives to
> named.conf (finally :)

I don't believe that helps much.  The exploit is supposed to be possible
over UDP as well.

                                        Ryan