Slashdot Mirror


Potential 0-Day Vulnerability For BIND 9

Morty writes "BIND, the popular DNS server software, has been crashing all over the Internet. The root cause is believed to be a 0-day vulnerability in BIND's resolver. The ISC has issued an alert. Quoting: 'An as-yet unidentified network event caused BIND 9 resolvers to cache an invalid record, subsequent queries for which could crash the resolvers with an assertion failure. ISC is working on determining the ultimate cause by which a record with this particular inconsistency is cached. At this time we are making available a patch which makes named recover gracefully from the inconsistency, preventing the abnormal exit.'"

6 of 187 comments

  1. Re:Impossible! by 1s44c · · Score: 5, Insightful

    It's open source, and has had years to mature...so many eyes on it that this couldn't possibly happen.

    We don't even know what is happening yet. Maybe it's just a DOS, maybe it's a potential exploit. What we do know is that no-one has any need to put recursive DNS servers on the internet unless they are running an ISP or a DNS service.

  2. Re:Open sores == fail by NoNonAlphaCharsHere · · Score: 5, Insightful

    I can see this is going to be a long thread full of trolls about open source, but the fact of the matter is that an application "crashing" (really ABENDing) due to an assertion failure is actually a sign of software doing what it was designed to do. Assert statements are used to check for "impossible" conditions, and have the program scream and die if one is found. So what we have here is a careful programmer's backstop doing its job.

  3. Re:Open sores == fail by NoNonAlphaCharsHere · · Score: 3, Insightful

    I guess it's really a question of design philosophy. Microsoft has always been from the "never test for an error condition you don't know how to handle" school, leading to lots and lots of buffer overrun type problems or just plain application crashes. The other side is to have tests you "really don't need". Say for example you have a switch statement where you "just know" (have verified elsewhere/input comes from a trusted source, etc.) that you have a lower-case letter that you want to process, so the code ends up looking something like:

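    #include <assert.h>

    switch (c)
    {
    case 'a': whatever('a'); break;
    case 'b': whatever('b'); break;
    /* ... cases 'c' through 'y' ... */
    case 'z': whatever('z'); break;

    default: // AND THIS IS THE IMPORTANT BIT
        // 0 && "message" is always false, so the assert fires and prints the message;
        // a bare string literal is a non-NULL pointer and would never fail.
        assert(0 && "c is not a letter!!");
    }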

    Microsoft code would typically leave out the assert, and happily stumble along. At least with the assert, you know what AND WHERE the Bad Thing (TM) happened, and have a clue as to where to look to fix it.
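The trade-off discussed in this thread, an assertion that stops the whole process versus the ISC patch that makes named "recover gracefully from the inconsistency", as an added C example that is not part of the original comments and is not BIND's code. The cache layout, the `REQUIRE` macro, the `lookup` function and the sample names are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Always-on check: unlike assert(), it is not compiled out by -DNDEBUG. */
#define REQUIRE(cond) \
    do { if (!(cond)) { fprintf(stderr, "%s:%d: REQUIRE(%s) failed\n", \
         __FILE__, __LINE__, #cond); abort(); } } while (0)

enum result { R_OK, R_NOTFOUND, R_FAILED };

/* Hypothetical cache entry; invariant: 0 < len <= sizeof data. */
struct entry { const char *name; size_t len; unsigned char data[4]; int used; };

/* Constructed sample cache: the second entry violates the invariant. */
static struct entry cache[] = {
    { "good.example.", 4, { 192, 0, 2, 1 }, 1 },
    { "bad.example.",  9, { 0 },            1 },
};
#define NCACHE (sizeof cache / sizeof cache[0])

static int entry_ok(const struct entry *e) {
    return e->len > 0 && e->len <= sizeof e->data;
}

/* strict != 0: fail-stop on a bad entry. strict == 0: evict it and fail one query. */
enum result lookup(const char *name, unsigned char *out, size_t *n, int strict) {
    for (size_t i = 0; i < NCACHE; i++) {
        struct entry *e = &cache[i];
        if (!e->used || strcmp(e->name, name) != 0) continue;
        if (strict) REQUIRE(entry_ok(e));   /* whole server exits here */
        if (!entry_ok(e)) {                 /* only this query fails */
            fprintf(stderr, "%s:%d: inconsistent cache entry %s evicted\n",
                    __FILE__, __LINE__, name);
            e->used = 0;
            return R_FAILED;
        }
        memcpy(out, e->data, e->len);       /* safe: len was checked above */
        *n = e->len;
        return R_OK;
    }
    return R_NOTFOUND;
}
```

Either mode checks the length before the `memcpy`; the difference is whether one bad record costs a single query or the whole resolver.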

  4. Tip of the iceberg by mseeger · · Score: 4, Insightful

    The "assertion"-problem is only the tip of the iceberg.

    If an assertion fails, this usually means that someone managed to make the code behave in an unintended way. Since the effect occurred simultaneously at several providers all over the world, this indicates a coordinated attack. The chances are real, someone managed to exploit a buffer overflow (or similar) in BIND.

    So we have to look seriously into the possibility that people have a way to execute code with the same permissions as BIND has.

    When I got the information this morning, this was an alert topic.

    Yours, Martin

  5. Re:Open resolvers by Short+Circuit · · Score: 4, Insightful

    More likely, the unusual TXT lookups were someone streaming IP over DNS.

  6. Re:10 years ago by gmack · · Score: 3, Insightful

    and not only did spammers plug up the queue with bad messages, it ended up being used for reflector attacks where the attacker set the target's address as the return and sent messages that would bounce to many different servers.

    Theoretically, that is possible. In practice I haven't seen spammers use that mechanism.

    I used to run qmail and I have seen it used for that.

    The whole problem ended up being so bad that many mail admins considered servers running Qmail to be almost as bad as an open relay and there were people who actually maintained blacklists of servers running Qmail and that was right about when I stopped using it but I hear there have been patches to fix the worst of its flaws since then.

    A lot of people are irrationally against djb in any way. He's become like the president, every time something goes wrong people blame him. Those blacklists you speak of are less about addressing an operational problem and much more about irrational dick waving.

    It's not irrational if you observe a problem only to be ignored. As I said earlier I used to run Qmail and I did so because of its security benefits and while Qmail didn't get my box rooted the same way sendmail did, it still had its problems. I have since moved to postfix and now have a queue of 0 to 10 messages instead of the 300 to 1000 I had under Qmail despite the fact that I have 3x the number of domains and 5x the number of messages than I did before.