
Re: BIND-4.9.5-P1 possible denial of service attack (fwd)




OUCH! Reproduced this on my Linux too!
Check this out:
~ >rpm -q bind
bind-4.9.5-2

if you have the same version, patch it NOW...

---------- Forwarded message ----------
Date: Sun, 09 Mar 1997 16:51:11 +1100
From: Mark.Andrews@cmis.csiro.au
To: Irwin Tillman <irwin@phoenix.princeton.edu>
Cc: bind-workers@vix.com
Subject: Re: BIND-4.9.5-P1 possible denial of service attack


> I'm forwarding this to bind-workers, since I've just seen
> a report related to this bug in comp.protocols.tcp-ip-domains.
>
> /irwin
>
> ------- Forwarded Message
>
> Date:    Mon, 24 Feb 1997 16:47:50 -0500
> From:    Irwin Tillman <irwin>
> To:      Paul Vixie <paul@vix.com>
> Subject: BIND-4.9.5-P1 possible denial of service attack
>
> I ran into what looks like a bug in BIND-4.9.5-P1.   I apologize in
> advance for mailing this to you rather than to bind-workers.  I thought
> I should try this first, since the bug looks like it opens a potential
> denial of service attack, as well as a way to cause performance
> problems on hosts running named.  If you feel I should send this
> to bind-workers or somewhere else instead, just let me know.
>
>
> To reproduce:
>
> From a SunOS client, I telnetted to port 53 of a host running BIND-4.9.5-P1.
> Once the connection was open, entered "foobar", hit return, then closed
> the telnet connection (control-rightbracket 'quit').
>
> The symptoms you see on the server are that named will no longer accept any
> TCP connections (zone transfers from the server fail, as well as simple
> TCP-based queries).  The named process may also consume lots of CPU now,
> affecting the rest of the system.
>
> Tracing the named process shows that when it receives this bogus message, it
> tries (and keeps trying) to read and write this socket, first resulting in
> an ECONNRESET, and then resulting in repeated EPIPE.  It appears to be in a pretty
> tight loop, presumably accounting for the system-wide impact.
>
> BIND-4.9.3-P1 doesn't have this problem.  It just closed the socket and went
> back to the main polling loop.
>
>
> I tested on the following platform:
>  Sun SPARCstation 5 running SunOS 4.1.4
>  BIND-4.9.5-P1
>  Default options.h file
>  Default Makefile, with the standard sunos4.1.x section in the Makefile
>   uncommented, using /usr/bin/cc, and not building the shared library version
>   of libresolv.
> (Also tested on Solaris 2.5.1 with gcc.)
>
>
> --
>
> Irwin Tillman, irwin@princeton.edu
> CIT Network Systems, Princeton University
>
>
>
> ------- End of Forwarded Message
>
>
>
>
        Apply the following patch. This is from inspection of the code.
        If the socket has a non blocking error or EOF is detected just
        close rather than trying to send an error message on the socket.

        Mark

*** ns_main.c.001       Tue Jan  7 15:06:17 1997
--- ns_main.c   Sun Mar  9 16:46:53 1997
***************
*** 866,871 ****
--- 866,877 ----
                                sp->s_bufp += n;
                                sp->s_size -= n;
                        }
+                       if ((n == -1) && (errno == PORT_WOULDBLK))
+                               continue;
+                       if (n <= 0) {
+                               sqrm(sp);
+                               continue;
+                       }
                        /*
                         * we don't have enough memory for the query.
                         * if we have a query id, then we will send an
***************
*** 909,920 ****
                                                HFIXEDSZ);
                            }
                            continue;
-                       }
-                       if ((n == -1) && (errno == PORT_WOULDBLK))
-                               continue;
-                       if (n <= 0) {
-                               sqrm(sp);
-                               continue;
                        }
                        /*
                         * Consult database to get the answer.
--- 915,920 ----
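Review bot: this hunk deletes the same would-block/EOF test that the earlier hunk re-inserts ahead of the error-reply code, so no check is lost, and the `}` removed at the top of the hunk is balanced by the `}` left after `continue;`, which now closes the enclosing block directly. Because the cover note says the patch comes from inspection only, it deserves a compile and a run through the report's own recipe (a TCP connection to port 53 on a test server, a line of junk, then disconnect): a patched named should drop that socket once, with no further read/write attempts in a trace, and keep answering TCP queries and zone transfers afterwards.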
--
Mark Andrews, CSIRO Mathematical and Information Sciences
Locked Bag 17, North Ryde, NSW 2113, Australia.
PHONE: +61 2 9325 3148                 INTERNET: Mark.Andrews@cmis.csiro.au
MOBIL: +61 41 442 9884           UUCP:....!uunet!cmis.csiro.au!mark.andrews

----- End of forwarded message from Mark.Andrews@cmis.csiro.au -----

--
To err is human, to forgive is Not Company Policy.
--
Jared Mauch - CICNet - jared@cic.net - http://www.cic.net/ - visit my personal
page at http://puck.nether.net/~jared/
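The failure mode in the forwarded report is an ordering bug: named acted on a closed TCP socket (sending an error reply, getting EPIPE) before it had looked at what the read returned. The program below is an added example, not code from this thread or from BIND; it replays the report's recipe over an AF_UNIX socketpair standing in for the TCP connection, with EAGAIN/EWOULDBLOCK standing in for BIND's PORT_WOULDBLK, close() standing in for sqrm(sp), and a constructed three-byte string standing in for named's error packet. classify_read() applies the patched test order (retry on would-block, close on EOF or any other error, otherwise process data) and generalises it to the ECONNRESET case the report saw on TCP; reply_before_checking() shows what the pre-patch write-first path sees once the peer has hung up.

```c
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* What the server loop should do after one read() on a TCP query socket. */
enum read_action { ACT_RETRY, ACT_CLOSE, ACT_DATA };

/* Classify a non-blocking read() result in the order the patch uses.
 * EAGAIN/EWOULDBLOCK stand in for BIND's PORT_WOULDBLK (assumption). */
enum read_action classify_read(ssize_t n, int err) {
    if (n == -1 && (err == EAGAIN || err == EWOULDBLOCK))
        return ACT_RETRY;          /* nothing to read yet; come back on the next poll */
    if (n <= 0)
        return ACT_CLOSE;          /* EOF (0) or a hard error such as ECONNRESET: drop it */
    return ACT_DATA;
}

/* Read into the per-connection buffer and decide before doing anything else with the socket.
 * close(fd) models the patch's sqrm(sp): the connection is removed and no reply is attempted. */
enum read_action read_query(int fd, char *buf, size_t cap, size_t *len) {
    ssize_t n = read(fd, buf + *len, cap - *len);
    enum read_action a = classify_read(n, errno);
    if (a == ACT_DATA)
        *len += (size_t)n;
    else if (a == ACT_CLOSE)
        close(fd);
    return a;
}

/* The pre-patch ordering: write an error reply without first checking the read result.
 * Returns the errno the write fails with (EPIPE once the peer has hung up), or 0 on success. */
int reply_before_checking(int fd) {
    static const char stand_in_reply[] = "ERR";   /* constructed stand-in for named's error packet */
    if (write(fd, stand_in_reply, sizeof stand_in_reply - 1) == -1)
        return errno;
    return 0;
}

struct scenario_result {
    enum read_action before_input;  /* read while the client has sent nothing */
    enum read_action with_input;    /* read after "foobar\r\n" arrives */
    size_t buffered;                /* bytes held for the query after that read */
    int stale_reply_errno;          /* what the write-first path sees after the client quits */
    enum read_action after_hangup;  /* read after the client quits, patched ordering */
};

/* Replays the report's recipe: connect, type "foobar", quit. Constructed input, local socketpair. */
struct scenario_result run_bogus_client_scenario(void) {
    struct scenario_result r = { ACT_DATA, ACT_DATA, 0, -1, ACT_DATA };
    int sv[2];
    char buf[512];
    size_t len = 0;

    signal(SIGPIPE, SIG_IGN);       /* report EPIPE instead of killing the process */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return r;
    int server = sv[0], client = sv[1];
    fcntl(server, F_SETFL, fcntl(server, F_GETFL) | O_NONBLOCK);

    r.before_input = read_query(server, buf, sizeof buf, &len);  /* nothing sent yet: would-block */

    if (write(client, "foobar\r\n", 8) != 8)    /* the bogus "query" typed into telnet */
        return r;
    r.with_input = read_query(server, buf, sizeof buf, &len);
    r.buffered = len;

    close(client);                                                 /* the client quits telnet */
    r.stale_reply_errno = reply_before_checking(server);           /* old order: write first, EPIPE */
    r.after_hangup = read_query(server, buf, sizeof buf, &len);    /* patched order: EOF, close */
    return r;
}

int main(void) {
    struct scenario_result r = run_bogus_client_scenario();
    printf("no input yet: %s\n", r.before_input == ACT_RETRY ? "retry" : "other");
    printf("with input:   %s, %zu bytes buffered\n",
           r.with_input == ACT_DATA ? "data" : "other", r.buffered);
    printf("after hangup: write-first path got errno %d (EPIPE=%d); read-first path -> %s\n",
           r.stale_reply_errno, EPIPE, r.after_hangup == ACT_CLOSE ? "close" : "other");
    return 0;
}
```

The point of the two orderings is visible in the last two lines of the scenario: the same dead socket yields EPIPE when written to first, and a clean close when the read result is consulted first. A server that takes the first path and loops back into the same state is exactly the tight loop the report traced; the patched path removes the connection once and returns to polling.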