Ok, I didn't know exactly where this post should go so I figured since it was IDS that alerted me then it should probably go here. Now on to my question...

Is there anything going on with BIND/DNS that I may have missed recently? I have seen a TREMENDOUS upswing on malformed inverse queries to my BIND boxes (BIND INFOLEAK exploit), quite a few DNS CHAOS queries, and I have also seen a smattering of oversized UDP DNS packets (one I'm not familiar with, and seems to be going hand in hand with the BIND stuff).

So is there some worm/virus that is exploiting these? Is there some new zero day I haven't seen on my mailing lists?

I know MyDoom is out, but I didn't think it had anything to do with DNS queries.


Anyway, for those of you wondering this is what my IDS is showing:

Code:
Time: 06:11:48 30-Jan-2004
Source File: packages/dns/infoleak.nfr
Line: 44
Host: one of my IDS boxes
Alert ID: dns_infoleak:infoleak_alert
Source ID: dns_infoleak:infoleak_source
Source: dns_infoleak
Source Description: DNS Infoleak
Source PID: 29135
Alert Message: attackers IP -> mynameservers IP id 32819 BIND INFOLEAK (length points past packet)
Severity Index: Attack

OVERVIEW
A malformed inverse query was received by the nameserver.

WHY THIS IS IMPORTANT
Certain versions of BIND will leak important information.

TECHNICAL INFORMATION
Inverse query processing, a deprecated feature of BIND, contains an error in logic that will leak pieces of BIND's execution stack back to the attacker. This information can be used to launch another attack, such as the TSIG overflow, with greater chances of success.

The error occurs when an attacker sends an inverse query with a single answer resource record. If the "rdlen" field of the resource record points past the message, BIND will return an error and include data past the message in memory.

FALSE POSITIVES
None known.

REFERENCES
CVE entry CVE-2001-0012
http://cve.mitre.org/cgi-bin/cvename...=CVE-2001-0012
CERT CA-2001-02 Multiple Vulnerabilities In BIND
http://www.cert.org/advisories/CA-2001-02.html

Now as far as I can tell all of my boxes are protected from these types of attacks, and I usually only see something like this about once every other week or so. But lately (the last few days) I have seen probably 10-20 an hour to all of my BIND boxes. The oversized UDP packets are showing up about once an hour, and I'm only adding them to this equation because I have never seen them show up before and I'm guessing they are somehow related.

So anyone have a clue what's happening and why the sudden increase in these attacks?

As always, if you don't wish to discuss this in a public forum then feel free to PM me or email me.
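For anyone wanting to check what the signature above actually matches on, here is a small standalone checker (added here as an example; it is not the NFR signature nor anything from the original post) that parses a raw DNS message and flags an inverse query (opcode 1) whose answer record's rdlen points past the end of the packet, which is the CVE-2001-0012 trigger condition described in the alert. The sample messages at the bottom are constructed test vectors, not captured traffic.

```python
import struct

IQUERY = 1  # DNS opcode for inverse query (RFC 1035, deprecated)


def _skip_name(msg, off):
    """Return the offset just past the domain name starting at `off`.
    Handles plain labels and compression pointers; raises on truncation."""
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length == 0:                 # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def check_inverse_query(msg):
    """Classify one DNS message (bytes, without UDP/IP headers).
    Returns 'not-iquery', 'ok', 'rdlen-overrun' or 'malformed'."""
    if len(msg) < 12:
        return "malformed"
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if (flags >> 11) & 0xF != IQUERY:
        return "not-iquery"             # ordinary queries are out of scope
    off = 12
    try:
        for _ in range(qd):             # question: NAME, TYPE, CLASS
            off = _skip_name(msg, off) + 4
        for _ in range(an):             # answer RR carries the rdlen field
            off = _skip_name(msg, off)
            if off + 10 > len(msg):     # TYPE, CLASS, TTL, RDLENGTH
                return "malformed"
            _t, _c, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if off + rdlen > len(msg):  # rdata claimed beyond packet end
                return "rdlen-overrun"
            off += rdlen
    except ValueError:
        return "malformed"
    return "ok"


# Constructed samples: IQUERY header (QDCOUNT 0, ANCOUNT 1) plus one A-record answer
HDR_IQUERY = struct.pack("!HHHHHH", 0x1234, IQUERY << 11, 0, 1, 0, 0)
RR_FIXED = struct.pack("!HHIH", 1, 1, 0, 4)            # type A, class IN, ttl 0, rdlen 4
ANSWER_OK = HDR_IQUERY + b"\x00" + RR_FIXED + b"\x0a\x00\x00\x01"
ANSWER_OVERRUN = HDR_IQUERY + b"\x00" + struct.pack("!HHIH", 1, 1, 0, 200) + b"\x0a\x00\x00\x01"
# Ordinary standard query (opcode 0) for comparison
NORMAL_QUERY = struct.pack("!HHHHHH", 0x1234, 0, 1, 0, 0, 0) + b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
```

Feed it the UDP payload of each packet the IDS flagged; a 'rdlen-overrun' result means the alert is describing the real condition, while 'ok' on an inverse query is just the deprecated feature being poked without the overrun.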