-
January 30th, 2004, 07:53 PM
#1
Something going on with BIND/DNS???
Ok, I didn't know exactly where this post should go so I figured since it was IDS that alerted me then it should probably go here. Now on to my question...
Is there anything going on with BIND/DNS that I may have missed recently? I have seen a TREMENDOUS upswing on malformed inverse queries to my BIND boxes (BIND INFOLEAK exploit), quite a few DNS CHAOS queries, and I have also seen a smattering of oversized UDP DNS packets (one I'm not familiar with, and seems to be going hand in hand with the BIND stuff).
So is there some worm/virus that is exploiting these? Is there some new zero day I haven't seen on my mailing lists?
I know MyDoom is out, but I didn't think it had anything to do with DNS queries.
Anyway, for those of you wondering this is what my IDS is showing:
Code:
Time: 06:11:48 30-Jan-2004
Source File: packages/dns/infoleak.nfr
Line: 44
Host: one of my IDS boxes
Alert ID: dns_infoleak:infoleak_alert
Source ID: dns_infoleak:infoleak_source
Source: dns_infoleak
Source Description: DNS Infoleak
Source PID: 29135
Alert Message: attackers IP -> mynameservers IP id 32819 BIND INFOLEAK (length points past packet)
Severity Index: Attack
OVERVIEW
A malformed inverse query was received by the nameserver.
WHY THIS IS IMPORTANT
Certain versions of BIND will leak important information.
TECHNICAL INFORMATION
Inverse query processing, a deprecated feature of BIND, contains an error in logic that will leak
pieces of BIND's execution stack back to the attacker. This information can be used to launch
another attack, such as the TSIG overflow, with greater chances of success.
The error occurs when an attacker sends an inverse query with a single answer resource
record. If the "rdlen" field of the resource record points past the message, BIND will return an
error and include data past the message in memory.
FALSE POSITIVES
None known.
REFERENCES
CVE entry CVE-2001-0012
http://cve.mitre.org/cgi-bin/cvename...=CVE-2001-0012
CERT CA-2001-02 Multiple Vulnerabilities In BIND
http://www.cert.org/advisories/CA-2001-02.html
Now as far as I can tell all of my boxes are protected from these types of attacks, and I usually only see something like this about once every other week or so. But lately (the last few days) I have seen probably 10-20 an hour to all of my BIND boxes. The oversized UDP packets are showing up about once an hour, and I'm only adding them to this equation because I have never seen them show up before and I'm guessing they are somehow related.
So anyone have a clue what's happening and why the sudden increase in these attacks?
As always, if you don't wish to discuss this in a public forum then feel free to PM me or email me.
Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.
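The NFR signature quoted in the post fires when an inverse query's single answer record carries an "rdlen" that points past the end of the message. The following is an added illustration, not code from the original post or from NFR, of how a defender can reproduce that bounds check over raw DNS bytes. The parser, the `build_iquery` helper and the sample packets are constructed here for the example; nothing in it is taken from the thread beyond the condition it describes (opcode IQUERY, one answer RR, rdlen past the packet).

```python
import struct
from typing import Optional

# DNS header per RFC 1035: id, flags, qdcount, ancount, nscount, arcount (6 x 16 bit)
HEADER_LEN = 12
OPCODE_IQUERY = 1  # the deprecated inverse-query opcode the signature watches for


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a DNS name beginning at `off`.
    Raises ValueError when the name itself runs off the end of the packet."""
    while True:
        if off >= len(pkt):
            raise ValueError("name runs past end of packet")
        label_len = pkt[off]
        if label_len == 0:          # root label terminates the name
            return off + 1
        if (label_len & 0xC0) == 0xC0:  # compression pointer: two bytes, ends the name
            if off + 2 > len(pkt):
                raise ValueError("truncated compression pointer")
            return off + 2
        off += 1 + label_len


def check_inverse_query(pkt: bytes) -> str:
    """Classify one DNS message the way the infoleak signature in the thread does.
    Returns 'not-iquery', 'benign', or 'alert: <reason>'."""
    if len(pkt) < HEADER_LEN:
        return "alert: truncated header"
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", pkt[:HEADER_LEN])
    opcode = (flags >> 11) & 0xF
    if opcode != OPCODE_IQUERY:
        return "not-iquery"
    off = HEADER_LEN
    try:
        for _ in range(qdcount):                 # question entries: name + QTYPE + QCLASS
            off = _skip_name(pkt, off) + 4
        for _ in range(ancount):                 # answer RRs: name + 10-byte fixed part + rdata
            off = _skip_name(pkt, off)
            if off + 10 > len(pkt):
                return "alert: RR header runs past end of packet"
            _type, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
            off += 10
            if off + rdlen > len(pkt):           # the condition the signature reports
                return f"alert: rdlen {rdlen} points {off + rdlen - len(pkt)} bytes past packet"
            off += rdlen
    except ValueError as exc:
        return f"alert: {exc}"
    return "benign"


def build_iquery(rdata: bytes, rdlen: Optional[int] = None) -> bytes:
    """Constructed sample: an inverse query with no question and one answer RR
    (type A, class IN, root name). `rdlen` lets the caller claim a length that
    disagrees with the bytes actually present, as the malformed packets do."""
    if rdlen is None:
        rdlen = len(rdata)
    flags = OPCODE_IQUERY << 11
    header = struct.pack("!6H", 0x1234, flags, 0, 1, 0, 0)
    rr = b"\x00" + struct.pack("!HHIH", 1, 1, 0, rdlen) + rdata
    return header + rr


if __name__ == "__main__":
    # Constructed inputs: one well-formed inverse query, one claiming 500 bytes of rdata
    # when only four are present, and one ordinary (opcode 0) query.
    good = build_iquery(b"\x0a\x00\x00\x01")
    bad = build_iquery(b"\x0a\x00\x00\x01", rdlen=500)
    std = struct.pack("!6H", 1, 0, 1, 0, 0, 0) + b"\x00" + struct.pack("!HH", 1, 1)
    for label, pkt in (("good", good), ("bad", bad), ("standard", std)):
        print(f"{label:8s} -> {check_inverse_query(pkt)}")
```

Run over a capture (for example by handing each UDP payload from a pcap to `check_inverse_query`), this reproduces the alert condition independently of the IDS, which is a useful cross-check when deciding whether a flood of alerts is real malformed traffic or a signature artefact.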
-
January 30th, 2004, 07:57 PM
#2
May not just be you. Check out Incidents.org as they are reporting an upswing in DNS attacks.
-
February 2nd, 2004, 04:47 PM
#3
Has anyone else been seeing this increase also? I see that incidents.org is tracking an upswing in DNS attacks, but I haven't seen any reason for the upswing. (btw, thanks Ms Mittens)
One of my IDS's was going crazy on these over the weekend. I have several THOUSAND of them, all from different IP addresses... well there are some duplicates, but it seems to be spread out like a worm would be.
I'm just curious if anyone has seen any activity over the weekend like I have.
Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.
-
February 2nd, 2004, 04:52 PM
#4
Well, I would think the more recent reason would be the attacks against SCO and Microsoft (slated to start later today/tomorrow).
-
February 2nd, 2004, 04:55 PM
#5
I'd have to agree with you, MsMittens...sounds like MyDoom's DDoS attack to me.
Windows 9x: n. A collection of 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor. Written by a 2 bit company that can't stand 1 bit of competition.
-
February 2nd, 2004, 06:40 PM
#6
I just tried www.msmittens.com
and I get a 403 forbidden error
You don't have permission to access / on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request
Hmmmmm????
Franklin Werren at www.bagpipes.net
Yes I do play the Bagpipes!
And learning to Play the Bugle 
-
February 2nd, 2004, 07:21 PM
#7
Well, these are actual BIND attacks, not anything that I have seen from, nor associate with, MyDoom. These are literally the same thing that I have listed above, and they are all directed at my BIND servers.
I could understand my dropping of connections to an affected DNS server, but since there are no known false positives on this type of attack, and they are definitely being pointed at my servers, then I have to start wondering a couple of things:
One - why are my servers being targeted like this, and are there other people out there that are seeing this same type of activity?
Two - is there a zero day that is out and about that some skiddies have gotten a hold of and are playing with?
I have two different types of IDS machines that are reflecting this type of activity, both Snort and NFR are trapping this stuff. I haven't moved one of my network points for ISS over to look at it, but I think I may task that for this afternoon. At this point I'm also running a sniffer on a couple of my external connections so that I can do some packet analysis to see what's really going on.
Perhaps I'm on the front wave of something? Maybe I'm on the back wave (like two years old???) of something? Bleh, I don't know... all I know is that it is unusual activity that I don't like seeing 
So those of you running IDS in an environment that has BIND, take a look at your logs and see if you are seeing the same thing that I am.
Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.
-
February 2nd, 2004, 07:28 PM
#8
Have you checked with BIND and/or one of their devel lists to see if anything is up? I don't remember seeing any vulnerabilities on it.
-
February 2nd, 2004, 07:35 PM
#9
The last vulnerability I remember seeing was from about three months ago, and we are patched up to that level.
I was going to drop a line both with the BIND folks and with the folks at NFR, Snort and ISS to see what they may know. I might drop a line on FD to see if anyone there has seen something, but that could just be an invitation to trouble.
Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.