Critical Bind vulnerability could snuff out large parts of internet

A flaw in the Bind DNS server software that affects versions of BIND 9, from BIND 9.1.0 to BIND 9.10.2-P2, could be exploited to crash DNS servers running the software following a DoS attack.


The flaw was announced and patched by ISC earlier this week, but is critical as it could lead to attacks on both authoritative and recursive DNS servers using just a single packet. That DNS query packet would trigger a REQUIRE assertion failure, causing BIND to exit. The packet is said to be very easy to create.

Internet Systems Consortium Michael McNally, who has headed up efforts against the bug, said there are no other workarounds other than to apply the patch.

"The practical effect of this is that this bug is difficult to defend against (except by patching, which is completely effective) and will not be particularly difficult to reverse-engineer," said McNally. 

"I have already been told by one expert that they have successfully reverse-engineered an attack kit from what has been divulged and from analysing the code changes, and while I have complete confidence that the individual who told me this is not intending to use his kit in a malicious manner, there are others who will do so who may not be far behind."

"Screening the offending packets with firewalls is likely to be difficult or impossible unless those devices understand DNS at a protocol level and may be problematic even then," he said.

Rob Graham, CEO of penetration testing firm Errata Security, warned in a blog post how easy crashing large parts of the internet could be.

“I could use my "masscan" tool to blanket the Internet with those packets and crash all publicly facing BIND9 DNS servers in about an hour,” he said. “A single vulnerability doesn't mean much, but if you look at the recent BIND9 vulnerabilities, you see a pattern forming. BIND9 has lots of problems -- problems that critical infrastructure software should not have.”

He said that biggest problem was that Bind has “too many features”.

“It attempts to implement every possible DNS feature known to man, few of which are needed on publicly facing servers. Today's bug was in the rarely used "TKEY" feature, for example. DNS servers exposed to the public should have the minimum number of features -- the server priding itself on having the maximum number of features is automatically disqualified,” said Graham.

Dave Larson, CTO at Corero Network Security told that the fact that another vulnerability has been identified, and yet another opportunity has been created to launch DDoS attacks is not really news at all. “DDoS attack motivations are wide-ranging, and the means to execute an attack are easier than ever before,” he said.

“Yet again companies could suffer outages as a result of a preventable DDoS attack. These types of attacks can easily be detected and blocked with proper protection mechanisms for your online service,” he added.

TK Keanini, CTO at Lancope, told that when ISC issues this type of urgency everyone should take notice and ultimately take action. “Know that attackers are certainly going to take action as their success is almost guaranteed,” he said.

“A well designed DNS system should have very little outages with the patch because the infrastructure is so distributed and putting the patched system into production can be cut over in seconds, tested, and rollback only another few seconds.  This is not hard stuff people, patch and patch now,” he added.

David Ashton of network security consultancy Sec-1 told that it would be difficult to estimate how likely attacks are that could wipe out large parts of the internet.

“All major service providers will be running some levels of DNS resilience so it's likely that they will be patching systematically in a way that mitigates any downtime,” he said.

“Given that this vulnerability affects every version of BIND other than the latest patched one and that there is no workaround then it is just a matter of ‘When?' and not ‘If?' a system is affected.

“During penetration testing we are still finding systems that are vulnerable to Heartbleed and Shellshock. These organisations that do not apply patches regularly are the ones that are most at risk and there are, in our experience, a lot of them out there. That being the case its almost certain that there will be parts of the internet that are affected.”

He said that protection mechanisms are limited right now other than upgrading to the latest version of Bind.

“Systems can be implemented that monitor missing patches or a user can run a vulnerability scanner like AppCheck NG to find if and where the vulnerability exists in their systems. On discovery the updates should be applied as soon as possible,” added Ashton.

This story originally appeared on

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.