Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

BIND 9 DoS attacks in the wild

Published: 2009-07-29
Last Updated: 2009-07-29 19:53:16 UTC
by Bojan Zdrnja (Version: 1)
7 comment(s)

Earlier today Marc posted a short diary about a vulnerability in the Internet Systems Consortium's BIND 9 (all versions). As you almost certainly know, BIND is the most popular DNS service application running on majority of DNS servers today – and DNS is one service that we *really* need.

As the DoS attacks have been seen in the wild, and simple scripts that can be used to reproduce the attack are also easily available, this is not really surprising.

I wanted to draw your attention to this vulnerability (if you are running a BIND DNS server) – although the vulnerability exists in the dynamic update feature of BIND, even installations that have dynamic updates disabled are affected! This makes this vulnerability especially dangerous.

Only servers hosting master zones are vulnerable though, so even if the master DNS servers are down, all slaves should still continue to work (I'm not sure what happens if those slaves are masters for some other zones and they are subsequently taken down).

No workarounds exist – you might be able to create some firewall rules that will drop these packets though. In any case, it is recommended to upgrade your BIND DNS servers urgently from https://www.isc.org/node/474

--
Bojan

Keywords: bind dns dos
7 comment(s)

Increasing number of attacks on security sites

Published: 2009-07-29
Last Updated: 2009-07-29 18:16:42 UTC
by Bojan Zdrnja (Version: 1)
0 comment(s)

In last couple of weeks we have been all witnesses of multiple compromises of (in some cases) pretty high profile web sites (and other servers). Today there was another victim of such a compromise, a well known security company.

The group which purportedly compromised most of these servers released their e-zine, named ZF0 (Zero For Owned). The e-zine is full of articles that show a lot of details that the group gathered from the compromised servers – the shown logs definitely confirm that this group managed to compromised all these servers as there was no other way to obtain the information pasted in the e-zine.

After going through all articles, it is still not possible to say how they managed to compromise the servers – I know that there was a lot of FUD about the OpenSSH 0-day exploit. However, even if such thing exists, it is impossible to say if they used it or not.

I spent some time going through the articles and in some cases it appears that the attackers managed to compromise the hosting server, through which they owned all other hosted web sites. This is, indeed, a very viable option since we have been witnesses of such cases for many times. The e-zine authors actually even mention this, to quote them: "So if a site on a shared host is being tested, just because site1.com is "secure" that does NOT in anyway mean that the server is secure, because site2.com could easily be vulnerable to all sorts of simple attacks.". This is very true – I wrote a diary about a very similar attack back in 2007 (see the diary Mass website hosting = mass defacements at http://isc.sans.org/diary.html?storyid=3078).

The issue here is that it can be very difficult to properly limit what each hosted web site and/or account can do in order to protect other customers on the same server. There were also cases when attackers simply bought a web hosting package (they can easily get it for $10 with a stolen credit card) and the web hosting company put their web on a server shared with other, high profile web sites. Of course, in this case, the attacker's job is much easier since in some cases they already have a relatively limited shell access to the server!

So what can we do to protect ourselves? As always, make sure that you remove any application that is not necessary and keep needed applications up to date, together with the operating system. If you use services such as SSH make sure that you use SSH keys, as well as limit access to only trusted IP addresses if possible. I would like to remind everyone to password protect their SSH keys – the worst case scenario is if an attacker gets access to one of your accounts and then just jumps through other (often internal) sites because you had those SSH keys in the open.

Finally, I hope that some of the high profile security sites that have been hit will be able to analyze the attacks and share some useful information about how the attackers got in.

--
Bojan
 

Keywords: compromise
0 comment(s)

BIND 9 Issue

Published: 2009-07-29
Last Updated: 2009-07-29 00:11:12 UTC
by Marcus Sachs (Version: 1)
1 comment(s)

The Internet Systems Consortium announced a DoS condition in BIND 9.  Details are on their web site.  There are proofs of concept available online for those with good searching skills.

Marcus H. Sachs
Director, SANS Internet Storm Center

Keywords:
1 comment(s)
Diary Archives