Patches for DNS vulnerability put the brakes on servers
Paul Vixie, head of BIND vendor ISC, admitted on the BIND mailing list that the anti-cache poisoning patches for the BIND nameserver could cut performance in systems under heavy loads. In the development and testing stage, it became evident that the patches slowed down recursive resolving servers with more than 10,000 queries per second. Because time was short, developers decided to solve the security problem first, and then deal with the performance problem with a later update.
According to Vixie, a beta version of the patch, called P2, is already available for BIND 9.4.3 and BIND 9.5.1. The final versions, 9.3.5-P2, 9.4.2-P2 and 9.5.0-P2, should be available by the end of this week. These should also further improve port allocation. When in doubt, Vixie advises administrators to wait for the final version, instead of using P1. He felt that stopping up security holes was more important than server performance.
Meanwhile cache poisoning attacks are at full tilt. According to US media reports, AT&T nameservers have been manipulated to redirect customers to faked Google pages. Interestingly, it was H.D. Moore of all people, one of the authors of the DNS exploit, who first discovered the problem at AT&T. His Texas company, BreakingPoint, is on the AT&T network. But Moore was not amused with the way that PC World magazine depicted the incident, implying that his systems had been affected. That implication prompted him to correct the PC World article.
While it is eminently clear that AT&T has not yet completely patched its systems, there are contradictory reports about the patch status of Telekom. While T-Online announces on its pages that: "Telekom's nameservers have already been patched and protected from potential attacks", Telekom spokesman Domagala again emphasised to heise Security that not all systems were patched. But his comments contradict independent security specialists, like Florian Weimer of the Debian project. At least the nameservers for T-DSL users have been patched.
On top of all this, the various online test tools that try to determine whether a nameserver is vulnerable merely cause confusion. One example is the test at DNS-OARC, which has since been reworked: it no longer rates source port allocation as simply POOR or GREAT. A GOOD rating has been added, which is how the Telekom servers are currently shown. The stricter test also gave the false impression that Kabel Deutschland had not yet patched its systems. According to Kabel Deutschland's Kathrin Wittmann, all of the company's affected server systems had already been updated as of July 9.
Since available tests only analyse source port randomness, they are not able to detect additional measures. But Kabel Deutschland and other ISPs claim to have already implemented such measures, without revealing what they are.
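To make concrete what such a source-port test can and cannot see, here is an added example (not code from DNS-OARC or the article) that rates a sample of observed UDP source ports as POOR, GOOD or GREAT. The samples are constructed, and the standard-deviation cut-off and the POOR/GOOD/GREAT rules are assumptions for illustration, not DNS-OARC's actual thresholds.

```python
import statistics

# Constructed samples standing in for the UDP source ports a tester would
# observe on 25 successive queries from one resolver (made-up values, not captures).
FIXED_PORT_SAMPLE = [53] * 25                           # pre-patch: every query from port 53
STRIDE_SAMPLE = list(range(32768, 32768 + 25 * 2, 2))   # port incremented by a fixed step
NARROW_RANDOM_SAMPLE = [                                # distinct, but all inside a 1024-port pool
    33104, 32790, 33501, 32951, 33677, 32812, 33290, 33023, 33744, 32905,
    33399, 33188, 32841, 33616, 33067, 32998, 33452, 33355, 32877, 33721,
    33231, 32769, 33559, 33140, 33012]
WIDE_RANDOM_SAMPLE = [                                  # distinct, spread over 1024-65535
    1057, 61820, 23871, 48112, 9906, 35297, 57633, 14460, 42185, 3289,
    27704, 63312, 18546, 51931, 7178, 39450, 30822, 59019, 12065, 45677,
    21338, 64890, 4823, 33660, 54301]

# Assumed cut-off: a sample whose ports are random but confined to a narrow
# range gets GOOD, one spread across the port space gets GREAT.
GREAT_STDEV = 3000.0


def rate_source_ports(ports):
    """Rate observed source ports; returns (rating, population stdev, reason).

    The rating only reflects port unpredictability. A resolver that adds other
    countermeasures (which this test never sees) can still score POOR here.
    """
    if len(ports) < 2:
        raise ValueError("need at least two observed ports")
    stdev = statistics.pstdev(ports)
    if len(set(ports)) < len(ports):
        return "POOR", stdev, "a port repeated within the sample"
    strides = {b - a for a, b in zip(ports, ports[1:])}
    if len(strides) == 1:
        return "POOR", stdev, "ports advance by a constant stride"
    if stdev < GREAT_STDEV:
        return "GOOD", stdev, "ports vary but stay within a narrow range"
    return "GREAT", stdev, "ports spread across the whole port space"


if __name__ == "__main__":
    for name, sample in [("fixed", FIXED_PORT_SAMPLE), ("stride", STRIDE_SAMPLE),
                         ("narrow", NARROW_RANDOM_SAMPLE), ("wide", WIDE_RANDOM_SAMPLE)]:
        rating, stdev, reason = rate_source_ports(sample)
        print(f"{name:7s} {rating:5s} stdev={stdev:8.1f}  {reason}")
```

Running this against a real resolver would mean capturing the source ports of its outgoing queries and passing them in; the rating says nothing about measures such as upstream filtering that do not show up in port choice.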
- ISC statement about BIND9's recent -P1 releases, opinion from Paul Vixie
- DNS Attack Writer a Victim of His Own Creation, report from PC World
- DNS hole - no patch yet from Apple
- DNS vulnerability exploits released
- DNS security problem details released
- Massive DNS security problem endangers the internet