Slashdot Mirror


"DNS Forgery Pharming" Attack Against BIND 9

Monley writes "Help Net Security is running a story about a severe flaw in BIND's implementation that allows fraudsters to efficiently predict generated random numbers without the need to control the route between the user and the DNS server. (Here are HTML and PDF versions of the paper.) Using this vulnerability, fraudsters can remotely forge DNS responses and direct users to fraudulent websites, which can steal the user's sign-in credentials and do other mischief. The flaw was discovered by security researcher and Trusteer's CTO, Amit Klein." The ISC has released a patch to BIND 9.

28 of 105 comments

  1. Come again? by Angst+Badger · · Score: 4, Insightful

    Since when is a severe flaw in BIND's implementation news?

    --
    Proud member of the Weirdo-American community.
  2. Re:New by dave562 · · Score: 2, Insightful

    Maybe those bored college students should have gotten off their asses, put down the bongs and published some research that they would have been paid for.

  3. Re:New by countSudoku() · · Score: 2, Interesting

    Well, thank goodness the people who are claiming the exploit *also* happen to have a product to defeat said exploit...

    "Existing desktop security solutions cannot protect against this type of attacks since DNS forgery pharming does not involve the user's computer or the DNS server but rather the cached data on the DNS server. Mutual authentication solutions, such as Trusteer's Rapport, which strongly authenticates the destination website and prevents access to unauthenticated websites, can defeat the attack."

    How convenient! ;)

    What version of BIND is going to have the fix? I've got 9.3.2 at the moment.

    --
    This is the NSA, we're gonna geet U h@x0r5! Also, what is a h@x0r5?
  4. Re:New by Charles+Dodgeson · · Score: 4, Interesting

    How long has BIND been using the same random number generator? I'm a little bit skeptical that Mr. Klein is the first person to consider the possibility of mimicking its behavior.

    If you read the PDF, you will see that a good history of this kind of attack (and previous responses to it) is detailed. Apparently there has been a history of research into this kind of attack, with various countermeasures. But the new attack (which seems like it would apply to almost all versions of BIND9) takes a different approach at "cracking" the PRNG which looks like it could be run against real-world servers.

    I don't pretend to understand everything (or even most things) in the PDF, but it looks like solid research to me.

    --
    Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
  5. Our product not vulnerable to flaw we discovered.. by fahrbot-bot · · Score: 3, Insightful

    The flaw was discovered by security researcher and Trusteer's CTO, Amit Klein.

    The TFA recommends using Trusteer's product to defeat this attack:

    Mutual authentication solutions, such as Trusteer's Rapport, which strongly authenticates the destination website and prevents access to unauthenticated websites, can defeat the attack.

    So, to recap. Vendor discovers a flaw and recommends their product.
    Film at 11:00.

    --
    It must have been something you assimilated. . . .
  6. Again.... by gweihir · · Score: 3, Funny

    Bind was and is a mess. The patch is to use something else....

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  7. Re:New by e9th · · Score: 3, Informative

    This weakness of BIND has been griped about for TEN YEARS!

    http://www.openbsd.org/advisories/res_random.txt
    http://cr.yp.to/djbdns/forgery-cost.txt

  8. Re:Complexity breeds problems. by Kreggan · · Score: 3, Informative

    Frankly, yes. The basic concepts of a DNS server are fairly straightforward, but as demonstrated by this attack, the devil is in the details. This attack uses reasonably advanced cryptanalysis, and exploits the predictable behaviour of DNS clients. I suspect that this attack would also have been mitigated by the use of DNSSEC, but the roll-out of that has been held up for years - and DNSSEC itself introduces even more cryptographic complexity.

  9. Re:wow... by Anonymous Coward · · Score: 2, Informative

    OpenBSD's patched and native Bind9 is immune to this attack and has been for many years.

  10. Re:Troll? Y'all are NEWBS! by TheRaven64 · · Score: 2, Insightful

    Consider this: BIND is the only server that I've ever seen a distro package so as to be easily chrooted. Why do you suppose that is?

    Because BIND is the only one that's easy to run in a chroot. OpenBSD also runs Apache in a chroot, but it means you lose features, like the ability to share everyone's ~/public_html. BIND is quite rare among servers in that it's non-trivial but has fairly meagre requirements when it comes to disk access. I can't think of any others off the top of my head that meet this requirement, with the exception of an ftpd that is only used for anonymous FTP, and these tend to support chroot too now.

    --
    I am TheRaven on Soylent News
  11. Don't Diss Bind by toonerh · · Score: 3, Insightful

    Bind has been around since the dawn of Vint Cerf's IP, but it has been redesigned and rewritten several times. The RFC that says replies go via UDP makes it a security risk, but also makes the net work better.

    In 2007, where 1000s of "researchers" spend their lives trying to break the Internet.... This stuff happens. BIND, Sendmail and classic solutions are attacked. Amazingly they hold up better than Windows!

    1. Re:Don't Diss Bind by SaDan · · Score: 2, Informative
    2. Re:Don't Diss Bind by Anonymous Coward · · Score: 2, Insightful

      Yeah, better than Windows.

      Since this is Slashdot the parent post will be modded up and I'll be modded down, but the truth of the matter is that the DNS server that ships with Windows has never has a single vulnerability.


      Wow, you must have a VERY short memory. Try thinking back to just earlier this year, when Microsoft Security Advisory (935964) came out. And that is just one of MANY flaws over the years in MS DNS server! Hell, their DNS server for NT4 and earlier releases of Win2K (pre SP3) ran so sloppy that most people had to write scripts to stop/restart their MS DNS servers nightly! I should know, I was one of them. It was the only way to fix memory leaking problems that would lead to cache lookup failures. And let's not forget the long era of MS DNS cache poisoning...

      No, BIND has proven itself to be MUCH more reliable for serious Internet servers than MS DNS. Just like Unix/Linux has proven to be a better OS for serious Internet servers than MS Windows. There is a reason the REAL Internet servers of the world use Unix/Linux and BIND. It's because they handle more critical traffic than anything else, they absolutely have to work, and MS products are NOT up to that task! No amount of marketing hype can counter the real world experience of professional network engineers, and the pros choose Unix. Windows Server has become more reliable over the years, and is a viable product for small and medium businesses. But it has never been, currently isn't, and may never be reliable enough for those really critical high end servers that large ISPs, governments, and businesses need.

      The only reason people like you bitch about the popularity of Unix/Linux for high end servers is because you obviously know little about such things, but want to pretend that because you can install Windows 2003 Server and Exchange that you now know something about network engineering. Sorry, you don't... No one who does would have said "the DNS server that ships with Windows has never has a single vulnerability" because they would have had the real world experience of dealing with the problems that DO EXIST with that product! Knowing your way around a Windows server does make you talented, but it doesn't put you in a position where you know enough to go around dissing technologies you have obviously never even used...

  12. Re:New by hal9000(jr) · · Score: 3, Insightful

    Maybe those bored college students should have gotten off their asses, put down the bongs and written some bots that they would have been paid for.

    Oh wait, that isn't ethical ...

  13. djbdns by jsdcnet · · Score: 2, Interesting

    I've been using djbdns for years. It takes some getting used to if you're coming from BIND-land but it's worth making the effort.

    --
    no longer working for cnet
    1. Re:djbdns by Antique+Geekmeister · · Score: 3, Interesting

      Try looking at the copyright on djbdns. None, I repeat *none*, of Dan Bernstein's technically excellent solutions have propagated to broad use because of his extremely poor documentation, installation instructions, violations of the UNIX FileSystem Hierarchy, unwillingness to allow others to fork his code even for ease of packaging reasons, confusing licensing, etc.

      The functionality of clever tools like QMail and djbdns and daemontools has thus wound up sidelined and ignored by mainline developers. There are numerous lengthy and well-founded rants on this, such as http://linuxmafia.com/~rick/faq/index.php?page=warez#djb. And like the absurd licensing conditions of Pine and the University of Washington wu-imapd, the refusal to accept input or insights from others or cooperate with its packaging for more stable configurations has led to their being discarded from most distributions.

    2. Re:djbdns by Anonymous Coward · · Score: 2, Interesting

      No, Djbdns is not acceptable. Its list of root name servers is five years out of date, and there is a remote denial of service security problem which has not been fixed. Heck, it won't even compile in any Linux distribution from the last three years or so.

      And, no, you can't fix these issues and distribute a "djbdns-fixed.0.1.tar.bz2" file with the fixes in place, because djbdns is not open source.

      djbdns is dead and has been dead for years now.

  14. Re:Yes but... by matthewmok · · Score: 2, Insightful

    Moron,

    It is related to MS DNS -- a SYSTEM you said did not have any vulnerabilities.

    It's not hard to get a connection and a rooted machine in somebody's internal network. Also -- I can't think of anybody that would use MS DNS server outside on the Internet. If you do then that confirms my opinion of you.

  15. Jeezus freaking A Christ by m.dillon · · Score: 3, Interesting

    Why the hell is bind trying to implement its own random number generator? It's a piece of junk compared to the random numbers modern BSD OSes generate via libc.

    -Matt

    1. Re:Jeezus freaking A Christ by TheRaven64 · · Score: 2, Informative

      Probably because BIND has to be cross-platform. I'm sorry to break this to you Matt, but some people use inferior operating systems without a good random number generation function.

      --
      I am TheRaven on Soylent News
    2. Re:Jeezus freaking A Christ by eggnet · · Score: 4, Insightful

      Probably because BIND has to be cross-platform. I'm sorry to break this to you Matt, but some people use inferior operating systems without a good random number generation function. That doesn't prevent BIND from using superior OS provided services for platforms that do have good random number generators. They decided not to do it, plain and simple.

  16. Re:FOSSie fix!!! by m.dillon · · Score: 3, Insightful

    A large number of programmers can make minor modifications to small software applications.

    A medium number of programmers can make minor modifications to medium-sized software applications.

    Very few programmers can make any sort of modification to very large software applications. Very, very few.

    Bind is a very large, complex piece of software. A good portion of that complexity is due to poor documentation and badly designed algorithms (a problem I've had with bind from the first release on through today), but at this point the majority of the complexity is due to feature creep. I still use bind simply because I do not have the desire to write a replacement for it, and because the only other really good DNS package has a copyright and licence on it that makes it virtually unusable. Software gets stale as it gets older... if I can't keep software up to date after the original author has lost interest then I have no interest in incorporating said software, no matter how good it is.

    -Matt

  17. Re:wow... by Wdomburg · · Score: 2, Interesting

    I personally like my DNS servers to follow the relevant standards.

    Of course I could go ahead and run the recommended DJB configuration using rsync + openssh to propagate zone files. Then I would avoid the 10 vulnerabilities filed against BIND9 over its seven-year life span, but open myself to the 40 or so against OpenSSH, 30 or so against OpenSSL, and 10 or so against rsync.

  18. Re:Troll? Y'all are NEWBS! by Wdomburg · · Score: 2, Insightful

    Eh? BIND9 has a relatively tame history in terms of vulnerabilities. Just using the updates to RHEL3 as a quick and dirty metric, there have been two security updates compared to 5 openssh, 6 openssl, 11 php, 12 apache, 20 kernels, etc.

    Unfortunately a lot of people seem stuck in the past and still judge BIND from the 4.x and 8.x days.

  19. So.. if BIND9 sucks.. what is an alternative? by wethion · · Score: 2, Insightful

    Let's see, it has to be GPLed or BSDed, run on every platform, be insanely robust, free as in beer, tested so thoroughly that it ought to make the law of gravity look like shaky science. So, based on those criteria, what DNS software could hold up? Just wondering. Peace, V

    --
    Jon Postel, R.I.P. You are missed.
    1. Re:So.. if BIND9 sucks.. what is an alternative? by Just+Some+Guy · · Score: 2, Insightful

      Well, one answer: djbdns

      djbdns is proprietary, source-available software. It's nowhere near BSD or GPL licensed.

      --
      Dewey, what part of this looks like authorities should be involved?
    2. Re:So.. if BIND9 sucks.. what is an alternative? by elp · · Score: 2, Interesting

      Don't forget DJB's legendary personality as well.

      I've been using PowerDNS to manage several thousand domains for almost 3 years and it's been the best thing I ever did. Besides being GPL it has an SQL backend so doing things like changing the TTL for 300 domains takes a few seconds instead of the slog or scripting nightmare with BIND. I use mysql replication to keep my slaves up to date, which is also flawless. Load average handling around 150 queries a second is less than 1%.

      There is a postgres backend for it as well although I have never tried it.

  20. Just an idea by master_p · · Score: 2, Interesting

    Shouldn't login into a web site be bi-directional? Not only does a user log in to a web site, but the web site should log in to the user by submitting to the user a password (let's name this password back-password).

    The login sequence should be:

    1) user submits his username.
    2) site submits the back-password.
    3) if back-password is correct, user submits his password.

    By using bi-directional login, if the site is spoofed, the login process will fail, unless the spoofed site knows the back-password.

    After login, communication should be encrypted so that no 3rd party can eavesdrop on the communications.
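The three-step exchange sketched above, simulated end to end as an added example (this is not code from the original post or from any product named in the thread). The `Browser`, `Site` and `SpoofSite` classes, the user records and the back-password values are all constructed for the illustration. The simulation assumes what the sketch assumes: the browser learned the back-password from the genuine site at enrollment, and the spoofed site has no way to obtain it (for instance by forwarding the username to the real site and relaying the answer); if that assumption fails, the check in step 3 offers no protection.

```python
import hmac
from typing import Dict, List, Optional, Tuple


class Site:
    """Genuine site: knows each user's back-password and login password (constructed records)."""

    def __init__(self, users: Dict[str, Tuple[str, str]]) -> None:
        self.users = users  # username -> (back_password, password)
        self.received_passwords: List[Tuple[str, str]] = []

    def begin_login(self, username: str) -> Optional[str]:
        """Step 2: answer the username with the back-password (None for unknown users)."""
        record = self.users.get(username)
        return record[0] if record else None

    def finish_login(self, username: str, password: str) -> bool:
        """Step 3 (server side): check the user's password with a constant-time comparison."""
        self.received_passwords.append((username, password))
        record = self.users.get(username)
        return bool(record) and hmac.compare_digest(record[1], password)


class SpoofSite(Site):
    """Impostor reached via a forged DNS answer: it has no user records, so it must guess."""

    def __init__(self) -> None:
        super().__init__(users={})

    def begin_login(self, username: str) -> Optional[str]:
        return "guessed-back-password"  # constructed: the impostor does not know the real value


class Browser:
    """Client side of the exchange; remembers the back-password learned at enrollment."""

    def __init__(self, username: str, password: str, expected_back_password: str) -> None:
        self.username = username
        self.password = password
        self.expected_back_password = expected_back_password

    def login_to(self, site: Site) -> str:
        # Step 1: send only the username.
        offered = site.begin_login(self.username)
        # Step 2/3: refuse to send the password unless the site proved it knows the back-password.
        if offered is None or not hmac.compare_digest(offered, self.expected_back_password):
            return "aborted: back-password mismatch"
        return "ok" if site.finish_login(self.username, self.password) else "rejected"


# Constructed demo data: one enrolled user, one genuine site, one spoof.
GENUINE = Site({"alice": ("blue-teapot-7", "s3cret-pass")})
BROWSER = Browser("alice", "s3cret-pass", "blue-teapot-7")


def run_demo() -> Dict[str, object]:
    spoof = SpoofSite()
    return {
        "genuine": BROWSER.login_to(GENUINE),
        "spoof": BROWSER.login_to(spoof),
        "password_reached_spoof": bool(spoof.received_passwords),
    }


if __name__ == "__main__":
    print(run_demo())
```

The value of the scheme in the simulation comes entirely from the abort in `Browser.login_to`: the password is never transmitted to a site that cannot present the back-password, so `password_reached_spoof` stays false.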