Date: Sun, 09 Mar 97 14:36:53 -0800
From: "That Doug Guy" <tiller@connectnet.com>
To: "namedroppers@internic.net" <namedroppers@internic.net>
Cc: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject: Fwd: BIND-4.9.5-P1 Denial of service attack
Message-ID: <199703092237.OAA14069@smtp.connectnet.com>
This is forwarded here with permission. I run a secondary DNS that uses 4.9.4-P1, so I'm wondering if this vulnerability exists there as well.

Thank you,
Doug

PS, also forwarded to freebsd-security since the upcoming 2.2-Release version makes use of Bind 4.9.5-P1 to my knowledge.

==================BEGIN FORWARDED MESSAGE==================

>Date: Sun, 9 Mar 1997 03:22:59 -0500
>Reply-To: Jared Mauch <jared@PUCK.NETHER.NET>
>From: Jared Mauch <jared@PUCK.NETHER.NET>
>Subject: BIND-4.9.5-P1 DoS Attack
>To: BUGTRAQ@NETSPACE.ORG

From the bind-workers list. This includes the relevant patch to fix the problem.

- Jared

----- Forwarded message from Mark.Andrews@cmis.csiro.au -----

>From bind-workers-request@vix.com Sun Mar 9 03:21:17 1997
Message-Id: <9703090551.AA14395@dmssyd.syd.dms.CSIRO.AU>
To: Irwin Tillman <irwin@phoenix.princeton.edu>
Cc: bind-workers@vix.com
From: Mark.Andrews@cmis.csiro.au
Subject: Re: BIND-4.9.5-P1 possible denial of service attack
In-Reply-To: Your message of "Wed, 05 Mar 1997 09:48:20 EST." <199703051448.JAA06909@scramble.Princeton.EDU>
Date: Sun, 09 Mar 1997 16:51:11 +1100
Sender: <bind-workers-request@vix.com>
Precedence: bulk
Reply-To: Mark.Andrews@cmis.csiro.au

> I'm forwarding this to bind-workers, since I've just seen
> a report related to this bug in comp.protocols.tcp-ip-domains.
>
> /irwin
>
> ------- Forwarded Message
>
> Date: Mon, 24 Feb 1997 16:47:50 -0500
> From: Irwin Tillman <irwin>
> To: Paul Vixie <paul@vix.com>
> Subject: BIND-4.9.5-P1 possible denial of service attack
>
> I ran into what looks like a bug in BIND-4.9.5-P1. I apologize in
> advance for mailing this to you rather than to bind-workers. I thought
> I should try this first, since the bug looks like it opens a potential
> denial of service attack, as well as a way to cause performance
> problems on hosts running named. If you feel I should send this
> to bind-workers or somewhere else instead, just let me know.
>
>
> To reproduce:
>
> From a SunOS client, I telnetted to port 53 of a host running BIND-4.9.5-P1.
> Once the connection was open, entered "foobar", hit return, then closed
> the telnet connection (control-rightbracket 'quit').
>
> The symptoms you see on the server are that named will no longer accept any
> TCP connections (zone transfers from the server fail, as well as simple
> TCP-based queries). The named process may also consume lots of CPU now,
> affecting the rest of the system.
>
> Tracing the named process shows that when it receives this bogus message, it
> tries (and keeps trying) to read and write this socket, first resulting in
> an ECONNRESET, and then resulting in repeated EPIPE. It appears to be in a pretty
> tight loop, presumably accounting for the system-wide impact.
>
> BIND-4.9.3-P1 doesn't have this problem. It just closed the socket and went
> back to the main polling loop.
>
>
> I tested on the following platform:
> Sun SPARCstation 5 running SunOS 4.1.4
> BIND-4.9.5-P1
> Default options.h file
> Default Makefile, with the standard sunos4.1.x section in the Makefile
> uncommented, using /usr/bin/cc, and not building the shared library version
> of libresolv.
> (Also tested on Solaris 2.5.1 with gcc.)
>
>
> --
>
> Irwin Tillman, irwin@princeton.edu
> CIT Network Systems, Princeton University
>
>
>
> ------- End of Forwarded Message
>
>
>

Apply the following patch. This is from inspection of the code. If the socket has a non-blocking error or EOF is detected, just close rather than trying to send an error message on the socket.

Mark

*** ns_main.c.001	Tue Jan  7 15:06:17 1997
--- ns_main.c	Sun Mar  9 16:46:53 1997
***************
*** 866,871 ****
--- 866,877 ----
  sp->s_bufp += n;
  sp->s_size -= n;
  }
+ if ((n == -1) && (errno == PORT_WOULDBLK))
+     continue;
+ if (n <= 0) {
+     sqrm(sp);
+     continue;
+ }
  /*
   * we don't have enough memory for the query.
   * if we have a query id, then we will send an
***************
*** 909,920 ****
  HFIXEDSZ);
  }
  continue;
- }
- if ((n == -1) && (errno == PORT_WOULDBLK))
-     continue;
- if (n <= 0) {
-     sqrm(sp);
-     continue;
  }
  /*
   * Consult database to get the answer.
--- 915,920 ----

--
Mark Andrews, CSIRO Mathematical and Information Sciences
Locked Bag 17, North Ryde, NSW 2113, Australia.
PHONE: +61 2 9325 3148       INTERNET: Mark.Andrews@cmis.csiro.au
MOBIL: +61 41 442 9884       UUCP:....!uunet!cmis.csiro.au!mark.andrews

----- End of forwarded message from Mark.Andrews@cmis.csiro.au -----

--
To err is human, to forgive is Not Company Policy.
-- Jared Mauch - CICNet - jared@cic.net - http://www.cic.net/
- visit my personal page at http://puck.nether.net/~jared/

===================END FORWARDED MESSAGE===================
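Review bot: in the first hunk (866,871 -> 866,877), the new `if (n <= 0) { sqrm(sp); continue; }` treats every read() failure other than PORT_WOULDBLK as fatal, EINTR included, so a signal landing during the read loop would drop a legitimate client; consider handling EINTR like PORT_WOULDBLK (leave the socket registered and retry on the next pass). The relocation itself is the right fix for the report: the "not enough memory for the query" reply path below these lines now runs only after the read loop has confirmed the peer is still there, so a connection the client has already reset is removed with sqrm() instead of being written to, which is the repeated-EPIPE loop the trace showed.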
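Review bot: in the second hunk (909,920 -> 915,920), the deleted `- }` closed the out-of-memory block and the retained context `}` closed the removed `if (n <= 0) {`, so the surviving brace now does the former's job; the nesting still balances because the removed checks were the last statements before it, but that is worth confirming with a compile rather than by eye, particularly as the cover note says the patch is "from inspection of the code" and untested. Before this goes out, please build it and repeat the reporter's reproduction (TCP connection to port 53, "foobar" plus newline, then disconnect) and confirm that named returns to its main polling loop, that zone transfers and TCP queries still succeed afterwards, and that a trace shows no further EPIPE writes on the dead socket.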
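The ordering problem Irwin traced and Mark's patch corrects, as an added example (not code from BIND or from anyone in this thread): a toy DNS-over-TCP reader in which a socketpair stands in for named's accepted client socket, the client writes the report's "foobar" and disconnects, and the handler either notices EOF before replying (the patched order, returning TCP_CLOSE) or tries to answer the dead peer first (the original order, returning TCP_WRITE_FAILED, the EPIPE the trace showed). It also covers the two cases the fix must not break: a slow but live client (TCP_WAIT, the PORT_WOULDBLK branch) and a well-formed message (TCP_PROCESS). The function names, the constructed FORMERR reply, the sample inputs, and the Linux socketpair/MSG_NOSIGNAL assumption are mine, not anything from the page.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef MSG_NOSIGNAL
#define MSG_NOSIGNAL 0      /* non-Linux: run_scenario() also ignores SIGPIPE */
#endif

#define DNS_HDR 12          /* fixed DNS header length (HFIXEDSZ in BIND) */
#define MAXMSG  512         /* largest message this toy reader buffers */

enum tcp_outcome {
    TCP_WAIT,           /* read would block: leave socket registered, try later */
    TCP_CLOSE,          /* EOF or hard error: drop the socket (sqrm() in named) */
    TCP_PROCESS,        /* complete message buffered: hand it to the resolver */
    TCP_WRITE_FAILED    /* replied to a peer that is already gone (the EPIPE path) */
};

/* Read until `want` bytes are buffered or read() stops making progress.
 * Returns the last read() result: >0 if `want` was reached, 0 on EOF,
 * -1 on error with errno set (EAGAIN/EWOULDBLOCK means "nothing more yet"). */
static ssize_t read_some(int fd, unsigned char *buf, size_t *got, size_t want) {
    ssize_t n = 1;
    while (*got < want && (n = read(fd, buf + *got, want - *got)) > 0)
        *got += (size_t)n;
    return n;
}

/* One pass over a non-blocking client socket (hypothetical name). `peer_check_first`
 * selects the patched ordering (EOF/error check before any reply) or the original
 * one (reply first, check afterwards). Single-pass: no state is kept across calls. */
enum tcp_outcome handle_tcp_client(int fd, int peer_check_first) {
    unsigned char buf[2 + MAXMSG];
    size_t got = 0, want = 2;                 /* RFC 1035: two-byte length prefix */
    ssize_t n = read_some(fd, buf, &got, want);

    if (n > 0) {                              /* prefix complete: size the body */
        want = 2 + (((size_t)buf[0] << 8) | buf[1]);
        if (want > sizeof buf)
            want = sizeof buf;                /* clamp; "fo" decodes as 0x666f bytes */
        n = read_some(fd, buf, &got, want);
    }

    if (peer_check_first) {                   /* where the patch puts the checks */
        if (n == -1 && (errno == EAGAIN || errno == EWOULDBLOCK))
            return TCP_WAIT;
        if (n <= 0)
            return TCP_CLOSE;
    }

    /* Reply path: named answered here when it could not buffer the query. The
     * constructed reply is a length prefix plus a FORMERR header. */
    if (got < 2 + DNS_HDR) {
        static const unsigned char formerr[2 + DNS_HDR] = { 0, DNS_HDR, 0, 0, 0x81, 0x81 };
        if (send(fd, formerr, sizeof formerr, MSG_NOSIGNAL) == -1)
            return TCP_WRITE_FAILED;          /* EPIPE: peer reset, socket still registered */
        return TCP_CLOSE;
    }

    if (!peer_check_first) {                  /* where 4.9.5-P1 had the checks */
        if (n == -1 && (errno == EAGAIN || errno == EWOULDBLOCK))
            return TCP_WAIT;
        if (n <= 0)
            return TCP_CLOSE;
    }
    return TCP_PROCESS;
}

/* sv[0] plays named's accepted socket (non-blocking, as named's are); sv[1] is the
 * client. Write `payload`, optionally disconnect like the telnet "quit", run one pass. */
int run_scenario(const unsigned char *payload, size_t len, int close_peer, int peer_check_first) {
    int sv[2];
    signal(SIGPIPE, SIG_IGN);
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
        return -1;
    fcntl(sv[0], F_SETFL, fcntl(sv[0], F_GETFL) | O_NONBLOCK);
    if (len > 0 && write(sv[1], payload, len) != (ssize_t)len)
        return -1;
    if (close_peer)
        close(sv[1]);
    int r = (int)handle_tcp_client(sv[0], peer_check_first);
    close(sv[0]);
    if (!close_peer)
        close(sv[1]);
    return r;
}

static const unsigned char GARBAGE[] = "foobar\r\n";                                  /* constructed */
static const unsigned char WELLFORMED[2 + DNS_HDR] = { 0, DNS_HDR, 0x12, 0x34, 0x01, 0x00 }; /* constructed */

int main(void) {
    printf("garbage + disconnect, patched order:  %d (TCP_CLOSE=%d)\n", run_scenario(GARBAGE, 8, 1, 1), TCP_CLOSE);
    printf("garbage + disconnect, original order: %d (TCP_WRITE_FAILED=%d)\n", run_scenario(GARBAGE, 8, 1, 0), TCP_WRITE_FAILED);
    printf("garbage, client still connected:      %d (TCP_WAIT=%d)\n", run_scenario(GARBAGE, 8, 0, 1), TCP_WAIT);
    printf("well-formed message:                  %d (TCP_PROCESS=%d)\n", run_scenario(WELLFORMED, sizeof WELLFORMED, 0, 1), TCP_PROCESS);
    return 0;
}
```

The point the socketpair makes concrete is that "foobar\r\n" is not rejected as garbage by the length-prefixed framing: "fo" is a legal length (0x666f), so the server sits waiting for a body that never comes, and the only thing that tells it the client is gone is the read loop's EOF or error result. Any reply attempted before that result is examined goes to a dead socket, and if the socket stays registered afterwards the event loop will select it, fail the write, and repeat.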