Pierluigi Paganini August 04, 2015

Recently we reported a new vulnerability affecting Bind, now experts at Sucuri confirmed that the flaw is being exploited in DNS server attacks.

A few days ago we wrote about the BIND software flaws that were discovered, affecting important companies, and last week a patch was released for the denial-of-service flaw (CVE-2015-5477), which was affecting all versions of BIND 9.

The flaw can be exploited by sending a malformed packet to the vulnerable server, which when receives it will crash.

The vulnerability could be exploited by attackers to crash both authoritative and recursive DNS servers.

Researchers were predicting that attackers were going to try to exploit the flaw, and today we can officially confirm it.

“We can confirm that the attacks have begun,”, “DNS is one of the most critical parts of the Internet infrastructure, so having your DNS go down, it also means your email, HTTP and all other services will be unavailable.” wrote David Cid, founder of security company Sucuri.

Everyone is advised to patch his DNS servers since there is no workaround, and the only way to really stop the attacks is the installation of the patch.

“All major Linux distributions (Redhat, Centos, Ubuntu, etc) have already provided patches for it and a simple “yum update” on Redhat/Centos or “apt-get update” on Debian-based systems will get you protected. Remember though, for the change to take affect you must restart BIND after the update.”

If you run your own DNS server and want to check if you are being targeted, you need to look for “ANY TKEY” in your DNS logs:

Aug 2 10:32:48 dns named[2717]: client a.b.c.d#42212 (foo.bar): view north_america: query: foo.bar ANY TKEY + (x.y.z.zz)

Here is the tip, so please patch your DNS servers.

Edited by Pierluigi Paganini

(Security Affairs – BIND,  hacking)