Sucuri Blog

BIND9 – Denial of Service Exploit in the Wild

August 2, 2015, by Daniel Cid

BIND is one of the most popular DNS servers in the world. It comes bundled with almost every cPanel, VPS and dedicated server installation and is used by most DNS providers.

A week ago, the Internet Systems Consortium (ISC) team released a patch for a serious denial of service vulnerability (CVE-2015-5477) that allows a remote and unauthenticated attacker to crash the BIND (named) daemon, taking down a DNS server.

This happens because of an error in the way BIND handles TKEY queries: a single UDP packet can trigger a REQUIRE assertion failure, causing the DNS daemon to exit.

Exploits in the Wild

Because of its severity we’ve been actively monitoring to see when the exploit would be live. We can confirm that the attacks have begun. DNS is one of the most critical parts of the Internet infrastructure, so having your DNS go down also means your email, HTTP and all other services will be unavailable.

If You Have Not Patched Your DNS Server, Do it Now!

All major Linux distributions (Red Hat, CentOS, Ubuntu, etc.) have already provided patches for it, and a simple “yum update” on Red Hat/CentOS or “apt-get update” on Debian-based systems will get you protected. Remember though, for the change to take effect you must restart BIND after the update.

If you run your own DNS server, a quick way to see if you are being targeted is to look for “ANY TKEY” in your DNS query logs:

Aug 2 10:32:48 dns named[2717]: client a.b.c.d#42212 (foo.bar): view north_america: query: foo.bar ANY TKEY + (x.y.z.zz)

In fact, you can look for any type of TKEY request, as they are not very common, and see if there have been any attempts. The example above is from one of the public exploits released. Note that you need to have query logging enabled (which you can do with the command “rndc querylog on”).
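As an added example (not part of the original post and not Sucuri's own tooling), the following Python script does the search described above programmatically: it parses BIND 9 query-log lines, picks out every query whose type is TKEY regardless of class, and counts them per source address. It assumes the syslog prefix shown in the log line quoted in the post; the sample log lines are constructed for the example and use documentation address ranges.

```python
import re
from collections import Counter

# Pattern for a BIND 9 query-log line. The "view <name>:" part only appears
# when views are configured, so it is optional. Assumption: the syslog prefix
# matches the line quoted in the post ("... named[pid]: client ip#port ...").
QUERYLOG_RE = re.compile(
    r"named\[\d+\]: client (?P<client>[^#\s]+)#(?P<port>\d+)"
    r" \((?P<qname>[^)]*)\):(?: view (?P<view>\S+):)? query: "
    r"(?P<name>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
    r" \((?P<server>[^)]*)\)"
)


def parse_query(line):
    """Return the fields of one query-log line as a dict, or None for
    lines that are not query-log records (lame-server notices, etc.)."""
    m = QUERYLOG_RE.search(line)
    return m.groupdict() if m else None


def find_tkey_queries(lines):
    """Every parsed query whose type is TKEY, whatever its class.
    Matching on type alone catches the "ANY TKEY" form from the public
    exploit as well as ordinary "IN TKEY" requests."""
    hits = []
    for line in lines:
        q = parse_query(line)
        if q is not None and q["qtype"].upper() == "TKEY":
            hits.append(q)
    return hits


def tkey_counts_by_client(lines):
    """Number of TKEY queries seen per source address."""
    return Counter(q["client"] for q in find_tkey_queries(lines))


# Constructed sample log (documentation address ranges, not real hosts).
# The second line mirrors the record quoted in the post.
SAMPLE_LOG = [
    "Aug  2 10:32:40 dns named[2717]: client 192.0.2.10#53211 (www.example.com): view north_america: query: www.example.com IN A +E (192.0.2.1)",
    "Aug  2 10:32:48 dns named[2717]: client 198.51.100.7#42212 (foo.bar): view north_america: query: foo.bar ANY TKEY + (192.0.2.1)",
    "Aug  2 10:32:49 dns named[2717]: client 198.51.100.7#42213 (foo.bar): view north_america: query: foo.bar ANY TKEY + (192.0.2.1)",
    "Aug  2 10:33:01 dns named[2717]: client 203.0.113.5#5353 (example.net): query: example.net IN TKEY - (192.0.2.1)",
    "Aug  2 10:33:05 dns named[2717]: client 192.0.2.10#53212 (mail.example.com): view north_america: query: mail.example.com IN MX +E (192.0.2.1)",
    "Aug  2 10:33:10 dns named[2717]: lame server resolving 'host.example.org' (in 'example.org'?): 203.0.113.9#53",
]


def report(lines):
    """Human-readable summary, one line per client that sent TKEY queries,
    busiest client first."""
    counts = tkey_counts_by_client(lines)
    if not counts:
        return "no TKEY queries found"
    return "\n".join(
        f"{client}: {n} TKEY quer{'y' if n == 1 else 'ies'}"
        for client, n in counts.most_common()
    )


if __name__ == "__main__":
    import sys
    # Pass a query-log file as the first argument, or run without arguments
    # to see the result on the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as log_file:
            print(report(log_file))
    else:
        print(report(SAMPLE_LOG))
```

Run it as `python3 tkey_check.py /var/log/named/query.log` (or whatever path your querylog channel writes to) after enabling query logging. Because the check keys on the query type rather than the class, it also surfaces the less conspicuous "IN TKEY" requests, which is what the paragraph above suggests looking for.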

Clients using our DNS server, part of our Website Firewall, are already protected against this vulnerability. Existing customers can enable our DNS manager; instructions are in our knowledgebase.

Categories: Vulnerability Disclosure, Website Security. Tags: DDoS

About Daniel Cid

Daniel B. Cid is Founder of Sucuri and the VP of Engineering for the GoDaddy Security Products group. He is also the founder of OSSEC and CleanBrowsing. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid

Comments

  1. Daniel

    August 2, 2015

    yum update is not enough for CentOS 6; you need to enable the continuous release repo first:
    https://www.centos.org/forums/viewtopic.php?f=17&t=53532

  2. The AlieN

    August 5, 2015

    I saw this on another site: You can also apply the following patch to your vulnerable version of BIND 9.

    diff –git a/lib/dns/tkey.c b/lib/dns/tkey.c
    index 66210d5..34ad90b 100644
    — a/lib/dns/tkey.c
    +++ b/lib/dns/tkey.c
    @@ -654,6 +654,7 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
    * Try the answer section, since that’s where Win2000
    * puts it.
    */
    + name = NULL;
    if (dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
    dns_rdatatype_tkey, 0, &name,
    &tkeyset) != ISC_R_SUCCESS) {
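    Review bot: the single added line `name = NULL;` carries the entire fix, and it works because `dns_message_findname()` requires its `&name` out-parameter to be NULL on entry; the comment just above it ("Try the answer section, since that's where Win2000 puts it") shows this is a second lookup inside `dns_tkey_processquery()`, and the earlier lookup can leave `name` set, so without the reset the call `dns_message_findname(msg, DNS_SECTION_ANSWER, qname, dns_rdatatype_tkey, 0, &name, &tkeyset)` fails its REQUIRE precondition, which is the assertion failure the post describes. Two points for anyone applying this by hand: the header lines as pasted here read `diff –git` and `— a/lib/dns/tkey.c`, so the double hyphens have been turned into dashes and `patch -p1` or `git apply` will reject the text until they are restored; and a source patch still needs a rebuild and a restart of `named` and leaves the packaged version string unchanged, so the distribution packages remain the simpler and more auditable route wherever they are available.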

    Can you confirm whether the patch can be applied in lieu of the update?
