Something going on with BIND/DNS???

  1. #1
    Senior Member
    Join Date
    Mar 2003
    Posts
    372

    Something going on with BIND/DNS???

    Ok, I didn't know exactly where this post should go so I figured since it was IDS that alerted me then it should probably go here. Now on to my question...

    Is there anything going on with BIND/DNS that I may have missed recently? I have seen a TREMENDOUS upswing on malformed inverse queries to my BIND boxes (BIND INFOLEAK exploit), quite a few DNS CHAOS queries, and I have also seen a smattering of oversized UDP DNS packets (one I'm not familiar with, and seems to be going hand in hand with the BIND stuff).

    So is there some worm/virus that is exploiting these? Is there some new zero day I haven't seen on my mailing lists?

    I know MyDoom is out, but I didn't think it had anything to do with DNS queries.


    Anyway, for those of you wondering this is what my IDS is showing:

    Code:
    Time: 06:11:48 30-Jan-2004
    Source File: packages/dns/infoleak.nfr
    Line: 44
    Host: one of my IDS boxes
    Alert ID: dns_infoleak:infoleak_alert
    Source ID: dns_infoleak:infoleak_source
    Source: dns_infoleak
    Source Description: DNS Infoleak
    Source PID: 29135
    Alert Message: attackers IP -> mynameservers IP id 32819 BIND INFOLEAK (length points past packet)
    Severity Index: Attack
    
    OVERVIEW
    A malformed inverse query was received by the nameserver.
    
    WHY THIS IS IMPORTANT
    Certain versions of BIND will leak important information.
    
    TECHNICAL INFORMATION
    Inverse query processing, a deprecated feature of BIND, contains an error in logic that will leak
     pieces of BIND's execution stack back to the attacker. This information can be used to launch
     another attack, such as the TSIG overflow, with greater chances of success.
    
    The error occurs when an attacker sends an inverse query with a single answer resource 
    record. If the "rdlen" field of the resource record points past the message, BIND will return an 
    error and include data past the message in memory.
    
    FALSE POSITIVES
    None known.
    
    REFERENCES
    CVE entry CVE-2001-0012
    http://cve.mitre.org/cgi-bin/cvename...=CVE-2001-0012 
    CERT CA-2001-02 Multiple Vulnerabilites In BIND
    http://www.cert.org/advisories/CA-2001-02.html

    Now as far as I can tell all of my boxes are protected from these types of attacks, and I usually only see something like this about once every other week or so. But lately (the last few days) I have seen probably 10-20 an hour to all of my BIND boxes. The oversized UDP packets are showing up about once an hour, and I'm only adding them to this equation because I have never seen them show up before and I'm guessing they are somehow related.

    So anyone have a clue what's happening and why the sudden increase in these attacks?

    As always, if you don't wish to discuss this in a public forum then feel free to PM me or email me.

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.
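As an added example (not part of the original post, and not code from NFR, Snort or ISS), here is a small Python checker that applies the three conditions the post describes to a UDP DNS payload: an inverse query whose answer resource record has an `rdlen` pointing past the end of the packet (the CVE-2001-0012 "length points past packet" pattern), a CHAOS-class query, and an oversized UDP DNS payload. All function names are my own, and the sample packets are constructed inline for the test; they are not captures from the poster's network.

```python
"""Flag the DNS anomalies described in the post on constructed sample packets."""
import struct

DNS_HEADER_LEN = 12
OPCODE_IQUERY = 1      # inverse query, the deprecated opcode the alert refers to
CLASS_CHAOS = 3        # class used by version.bind / hostname.bind queries
UDP_DNS_MAX = 512      # classic UDP DNS payload limit from RFC 1035 (pre-EDNS0)


def _skip_name(pkt, off):
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while True:
        if off >= len(pkt):
            raise ValueError("name runs past end of packet")
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer
            if off + 1 >= len(pkt):
                raise ValueError("truncated compression pointer")
            return off + 2
        off += 1 + length


def analyse_dns(pkt):
    """Return a list of finding strings for one UDP DNS payload (bytes)."""
    findings = []
    if len(pkt) > UDP_DNS_MAX:
        findings.append(f"oversized UDP DNS payload ({len(pkt)} bytes > {UDP_DNS_MAX})")
    if len(pkt) < DNS_HEADER_LEN:
        findings.append("truncated header")
        return findings
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:DNS_HEADER_LEN])
    opcode = (flags >> 11) & 0xF
    off = DNS_HEADER_LEN
    try:
        for _ in range(qd):
            off = _skip_name(pkt, off)
            if off + 4 > len(pkt):
                raise ValueError("truncated question")
            qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
            off += 4
            if qclass == CLASS_CHAOS:
                findings.append(f"CHAOS-class query (qtype {qtype})")
        for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
            for _ in range(count):
                off = _skip_name(pkt, off)
                if off + 10 > len(pkt):
                    raise ValueError(f"truncated {section} RR header")
                _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
                off += 10
                remaining = len(pkt) - off
                if rdlen > remaining:
                    # This is the exact condition the NFR alert names: the RR claims
                    # more rdata than the packet actually carries.
                    findings.append(
                        f"{section} RR rdlen {rdlen} points past packet end ({remaining} bytes remain)")
                    if opcode == OPCODE_IQUERY and section == "answer":
                        findings.append(
                            "BIND INFOLEAK pattern (CVE-2001-0012): inverse query with overrunning answer rdlen")
                    return findings
                off += rdlen
    except ValueError as exc:
        findings.append(f"malformed: {exc}")
    return findings


# --- constructed sample packets (not real captures) -------------------------
def _name(dotted):
    return b"".join(bytes([len(l)]) + l.encode() for l in dotted.split(".") if l) + b"\x00"


def build_query(qname, qtype, qclass, opcode=0):
    flags = ((opcode & 0xF) << 11) | 0x0100          # RD set, as a resolver would
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0) + _name(qname) + struct.pack("!HH", qtype, qclass)


def build_iquery_with_rr(rdlen, rdata):
    """Inverse query carrying one answer RR whose rdlen may exceed the rdata present."""
    flags = OPCODE_IQUERY << 11
    return (struct.pack("!HHHHHH", 0x1234, flags, 0, 1, 0, 0)
            + b"\x00" + struct.pack("!HHIH", 1, 1, 0, rdlen) + rdata)


SAMPLES = {
    "normal": build_query("example.com", 1, 1),                  # ordinary A query
    "chaos": build_query("version.bind", 16, CLASS_CHAOS),       # TXT in class CH
    "infoleak": build_iquery_with_rr(1024, b"\x0a\x00\x00\x01"),  # rdlen 1024, 4 bytes present
    "oversized": build_query("example.com", 1, 1) + b"\x00" * 600,
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(label, "->", analyse_dns(pkt) or "clean")
```

Run as-is it reports each sample; in practice you would feed it the UDP payloads a sniffer hands you. The CHAOS and oversized checks are informational (both have legitimate uses), while the rdlen check is the one with no known false positives, matching the alert text.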

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    May not just be you. Check out Incidents.org as they are reporting an upswing in DNS attacks.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    Has anyone else been seeing this increase also? I see that incidents.org is tracking an upswing on DNS attacks, but I haven't seen any reason as to the upswing. (btw, thanks Ms Mittens)

    One of my IDS's was going crazy on these over the weekend. I have several THOUSAND of them, all from different IP addresses... well there are some duplicates, but it seems to be spread out like a worm would be.

    I'm just curious if anyone has seen any activity over the weekend like I have.


  4. #4
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Well, I would think the more recent reason would be the attacks against SCO and Microsoft (slated to start later today/tomorrow).

  5. #5
    Yes, that's my CC number! 576869746568617's Avatar
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    I'd have to agree with you, MsMittens...sounds like MyDoom's DDoS attack to me.
    Windows 9x: n. A collection of 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor. Written by a 2 bit company that can't stand 1 bit of competition.


  6. #6
    Senior Member
    Join Date
    Jul 2001
    Posts
    343
    I just tried www.msmittens.com
    and I get a 403 forbidden error

    You don't have permission to access / on this server.

    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request

    Hmmmmm????
    Franklin Werren at www.bagpipes.net
    Yes I do play the Bagpipes!

    And learning to Play the Bugle

  7. #7
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    Well, these are actual BIND attacks, not anything that I have seen from, nor associate with, MyDoom. These are literally the same thing that I have listed above, and they are all directed at my BIND servers.

    I could understand my dropping of connections to an affected DNS server, but since there are no known false positives on this type of attack, and they are definitely being pointed at my servers, then I have to start wondering a couple of things:

    One - why are my servers being targeted like this, and are there other people out there that are seeing this same type of activity?

    Two - is there a zero day that is out and about that some skiddies have gotten a hold of and are playing with?


    I have two different types of IDS machines that are reflecting this type of activity, both Snort and NFR are trapping this stuff. I haven't moved one of my network points for ISS over to look at it, but I think I may task that for this afternoon. At this point I'm also running a sniffer on a couple of my external connections so that I can do some packet analysis to see what's really going on.

    Perhaps I'm on the front wave of something? Maybe I'm on the back wave (like two years old???) of something? Bleh, I don't know... all I know is that it is unusual activity that I don't like seeing.

    So those of you running IDS in an environment that has BIND, take a look at your logs and see if you are seeing the same thing that I am.


  8. #8
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Have you checked with BIND and/or one of their devel lists to see if anything is up? I don't remember seeing any vulnerabilities on it.

  9. #9
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    The last vulnerability I remember seeing was from about three months ago, and we are patched up to that level.

    I was going to drop a line both with the BIND folks and with the folks at NFR, Snort and ISS to see what they may know. I might drop a line on FD to see if anyone there has seen something, but that could just be an invitation to trouble.

