ISC BIND Amplification Attack

To: tech-security%netbsd.org@localhost
Subject: ISC BIND Amplification Attack
From: "Brian A. Seklecki" <lavalamp%spiritual-machines.org@localhost>
Date: Mon, 26 Jan 2009 12:52:33 -0500 (EST)

All:

  Do we want take a position on the recently exploited DNS cache query/
  response amplification?

  NANOG Thread:
  http://www.merit.edu/mail.archives/nanog/msg14428.html

  NetBSD-4 has BIND 9.4.x which features 'additional-from-cache' and
  'allow-query-cache' configuration options.

  Since its not a code issue, but protocol/configuration issue with
  contrib/3rdparty code, I dont think an advisory is called for.  Also,
  major cross-brand merges of contrib/3rdparty code are not common.

  However, its only a matter of time before someone labels this as a
  security vulnerability.

  Maybe just an official position that authoritative nameservers
  running 3.x and 2.x upgrade to BIND 9.5.x via Pkgsrc?

Version Summary:

 NetBSD-5: BIND 9.5.0-P2
 NetBSD-4: BIND 9.4.2-P2
 NetBSD-3: BIND 9.3.5-P1

~BAS

Follow-Ups:
- Re: ISC BIND Amplification Attack
  - From: Geert Hendrickx
- Re: ISC BIND Amplification Attack
  - From: Jeremy C. Reed

Prev by Date: Re: CFLAGS='-fstack-protector -D_FORTIFY_SOURCE=2'
Next by Date: Re: ISC BIND Amplification Attack
Previous by Thread: CFLAGS='-fstack-protector -D_FORTIFY_SOURCE=2'
Next by Thread: Re: ISC BIND Amplification Attack
Indexes:

Home | Main Index | Thread Index | Old Index