Re: BIND-4.9.5-P1 possible denial of service attack (fwd)
OUCH! reproduced this on my linux too!
check this out:
~ >rpm -q bind
bind-4.9.5-2
if you have the same version, patch it NOW...
---------- Forwarded message ----------
Date: Sun, 09 Mar 1997 16:51:11 +1100
From: Mark.Andrews@cmis.csiro.au
To: Irwin Tillman <irwin@phoenix.princeton.edu>
Cc: bind-workers@vix.com
Subject: Re: BIND-4.9.5-P1 possible denial of service attack
> I'm forwarding this to bind-workers, since I've just seen
> a report related to this bug in comp.protocols.tcp-ip-domains.
>
> /irwin
>
> ------- Forwarded Message
>
> Date: Mon, 24 Feb 1997 16:47:50 -0500
> From: Irwin Tillman <irwin>
> To: Paul Vixie <paul@vix.com>
> Subject: BIND-4.9.5-P1 possible denial of service attack
>
> I ran into what looks like a bug in BIND-4.9.5-P1. I apologize in
> advance for mailing this to you rather than to bind-workers. I thought
> I should try this first, since the bug looks like it opens a potential
> denial of service attack, as well as a way to cause performance
> problems on hosts running named. If you feel I should send this
> to bind-workers or somewhere else instead, just let me know.
>
>
> To reproduce:
>
> From a SunOS client, I telnetted to port 53 of a host running BIND-4.9.5-P1.
> Once the connection was open, entered "foobar", hit return, then closed
> the telnet connection (control-rightbracket 'quit').
>
> The symptoms you see on the server are that named will no longer accept any
> TCP connections (zone transfers from the server fail, as well as simple
> TCP-based queries). The named process may also consume lots of CPU now,
> affecting the rest of the system.
>
> Tracing the named process shows that when it receives this bogus message, it
> tries (and keeps trying) to read and write this socket, first resulting in
> an ECONNRESET, and then resulting in repeated EPIPE. It appears to be in a pretty
> tight loop, presumably accounting for the system-wide impact.
>
> BIND-4.9.3-P1 doesn't have this problem. It just closed the socket and went
> back to the main polling loop.
>
>
> I tested on the following platform:
> Sun SPARCstation 5 running SunOS 4.1.4
> BIND-4.9.5-P1
> Default options.h file
> Default Makefile, with the standard sunos4.1.x section in the Makefile
> uncommented, using /usr/bin/cc, and not building the shared library version
> of libresolv.
> (Also tested on Solaris 2.5.1 with gcc.)
>
>
> --
>
> Irwin Tillman, irwin@princeton.edu
> CIT Network Systems, Princeton University
>
>
>
> ------- End of Forwarded Message
>
>
>
>
Apply the following patch. This is from inspection of the code.
If the socket has a non-blocking error or EOF is detected, just
close rather than trying to send an error message on the socket.
Mark
*** ns_main.c.001 Tue Jan 7 15:06:17 1997
--- ns_main.c Sun Mar 9 16:46:53 1997
***************
*** 866,871 ****
--- 866,877 ----
sp->s_bufp += n;
sp->s_size -= n;
}
+ if ((n == -1) && (errno == PORT_WOULDBLK))
+ continue;
+ if (n <= 0) {
+ sqrm(sp);
+ continue;
+ }
/*
* we don't have enough memory for the query.
* if we have a query id, then we will send an
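Review bot: moving the PORT_WOULDBLK and `n <= 0` tests up to directly after the read is the right fix for the reported loop, because a reset or closed stream now hits `sqrm(sp)` before it can reach the "we don't have enough memory" branch that writes an error reply to a dead socket (the ECONNRESET followed by repeated EPIPE in the report). Two things to confirm: the new tests rely on `n` still being the raw return value of the read, which the visible context supports (only `sp->s_bufp` and `sp->s_size` are adjusted in the block closed by the `}` above); and only PORT_WOULDBLK is treated as transient, so a read interrupted by a signal (`errno == EINTR`) now falls through `n <= 0` and tears the stream down, which is worth handling alongside PORT_WOULDBLK if named's signal handlers can interrupt this read.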
***************
*** 909,920 ****
HFIXEDSZ);
}
continue;
- }
- if ((n == -1) && (errno == PORT_WOULDBLK))
- continue;
- if (n <= 0) {
- sqrm(sp);
- continue;
}
/*
* Consult database to get the answer.
--- 915,920 ----
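Review bot: this hunk only deletes the block that the first hunk re-adds earlier, so the net effect is a move rather than a new behaviour here; the brace accounting is balanced but reads oddly, since the deleted `}` at the top closed the preceding `if` and the retained `}` at the bottom now takes over that role, so a clean recompile is worth confirming. The change would also benefit from a one-line comment above the relocated check (or a CHANGES entry) recording why the order matters: EOF and ECONNRESET must be handled before any attempt to write an error reply, otherwise the write fails with EPIPE and the loop repeats.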
--
Mark Andrews, CSIRO Mathematical and Information Sciences
Locked Bag 17, North Ryde, NSW 2113, Australia.
PHONE: +61 2 9325 3148 INTERNET: Mark.Andrews@cmis.csiro.au
MOBIL: +61 41 442 9884 UUCP:....!uunet!cmis.csiro.au!mark.andrews
----- End of forwarded message from Mark.Andrews@cmis.csiro.au -----
--
To err is human, to forgive is Not Company Policy.
--
Jared Mauch - CICNet - jared@cic.net - http://www.cic.net/ - visit my personal
page at http://puck.nether.net/~jared/
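The failure mode described in the report and fixed by the patch, as an added example that is not code from BIND or from either poster. It models the per-stream read handling in the two orderings (the context lines show the out-of-memory error-reply branch sat before the EOF check in 4.9.5-P1) and reproduces the symptom on a local socketpair: after the peer closes, the read returns 0, and a reply written anyway fails with EPIPE. The names `dispatch_old`, `dispatch_new`, `stream_action` and `reply_errno_after_peer_close` are hypothetical, and the `have_buffer` flag stands in for BIND's "not enough memory for the query" state; `EWOULDBLOCK` is used where ns_main.c uses the `PORT_WOULDBLK` portability macro.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcome of one pass through the per-stream read handler (hypothetical
 * model, not BIND's own types). */
enum stream_action {
    ACT_RETRY,       /* non-blocking read had nothing yet: poll again */
    ACT_CLOSE,       /* EOF or hard error: drop the stream (sqrm() in BIND) */
    ACT_SEND_ERROR,  /* query could not be buffered: write an error reply */
    ACT_PROCESS      /* bytes arrived: keep assembling the query */
};

/* Pre-patch ordering: the "no buffer" branch is taken before the read
 * result is examined, so EOF or a reset peer still gets an error reply
 * written to a dead socket, and the loop comes straight back here. */
enum stream_action dispatch_old(ssize_t n, int err, int have_buffer)
{
    if (!have_buffer)
        return ACT_SEND_ERROR;
    if (n == -1 && err == EWOULDBLOCK)
        return ACT_RETRY;
    if (n <= 0)
        return ACT_CLOSE;
    return ACT_PROCESS;
}

/* Post-patch ordering: examine the read result first, as the patch does. */
enum stream_action dispatch_new(ssize_t n, int err, int have_buffer)
{
    if (n == -1 && err == EWOULDBLOCK)
        return ACT_RETRY;
    if (n <= 0)
        return ACT_CLOSE;
    if (!have_buffer)
        return ACT_SEND_ERROR;
    return ACT_PROCESS;
}

/* Reproduce the symptom locally: the peer closes, our read returns 0, and
 * writing a reply anyway fails.  Returns errno from that write (EPIPE on
 * Linux and the BSDs), 0 if the write unexpectedly succeeded, -1 on setup
 * failure.  Constructed on an AF_UNIX socketpair, no network involved. */
int reply_errno_after_peer_close(void)
{
    int fds[2];
    char buf[64];
    ssize_t n;
    int err;

    signal(SIGPIPE, SIG_IGN);  /* a daemon does this; EPIPE becomes an errno */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, fds) == -1)
        return -1;
    close(fds[1]);                           /* peer goes away */
    n = read(fds[0], buf, sizeof buf);       /* EOF: n == 0 */
    if (n != 0) {
        close(fds[0]);
        return -1;
    }
    if (write(fds[0], "ERR", 3) == -1)       /* what the old ordering did */
        err = errno;
    else
        err = 0;
    close(fds[0]);
    return err;
}

/* EOF with no query buffer: old order writes, new order closes. */
int old_order_writes_to_dead_socket(void)
{
    return dispatch_old(0, 0, 0) == ACT_SEND_ERROR &&
           dispatch_new(0, 0, 0) == ACT_CLOSE;
}

int main(void)
{
    printf("old order on EOF -> %s\n",
           dispatch_old(0, 0, 0) == ACT_SEND_ERROR ? "send error reply" : "close");
    printf("new order on EOF -> %s\n",
           dispatch_new(0, 0, 0) == ACT_CLOSE ? "close" : "send error reply");
    printf("write after peer close: %s\n",
           strerror(reply_errno_after_peer_close()));
    return 0;
}
```

The point the model makes visible is that the check order, not the checks themselves, was the defect: both versions contain the same three tests, but only `dispatch_new` guarantees that a stream which has already gone away is released before anything is written to it.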