BIND name server vulnerable to DoS attacks
A vulnerability in the popular open source BIND9 name server allows attackers to remotely trigger a server crash. According to the error report, a single specially crafted "dynamic update" packet is all that is required to prevent IP addresses from being translated into server addresses. Authorised name-servers use dynamic updates to add, or remove, resource records to, or from, a zone.
This DoS problem presents a particular threat because attackers don't require any authentication to exploit the hole, and because the server doesn't need to be specially configured for processing dynamic updates. However, according to the vendor, Internet Systems Consortium (ISC), the attack is only successful in systems where BIND has been set up as a master for a zone – slave zones reportedly remain unaffected.
An exploit for crafting a malicious packet can be found in the original bug report. The ISC therefore advises users to update to BIND versions 9.4.3-P3, 9.5.1-P3 or BIND 9.6.1-P1. The Linux distributors have already released updated packets, which users are advised to install immediately.
- BIND Dynamic Update DoS ISC advisory.
- ISC BIND 9 vulnerable to denial of service via dynamic update request US-CERT advisory.