isc.org provides attack mitigation

Published: 2006-06-22
Last Updated: 2006-06-23 14:28:42 UTC
by donald smith (Version: 2)
0 comment(s)

A new version of BIND, 9.3.3b1, was recently released. The CHANGES file lists one security fix, and that fix addresses a DDoS reflection issue.

ISSUE:
Some services respond to potentially spoofed UDP packets.

MITIGATION for DNS servers:

Upgrade to BIND 9.3.3b1, OR

Drop UDP packets sourced from the standard service ports 7, 13, 19, 37 and 464 (echo, daytime, chargen, time, and kpasswd) towards your DNS server(s). You will probably never see a valid query from such a low source port. In general DNS queries should be sourced from ports > 1024.
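As an added example (not from this diary or from ISC), the following Python script applies the same source-port rule to a few constructed tcpdump-style lines: a query "from" one of the five listed ports is marked to be dropped, any other privileged source port is marked suspect. The addresses and log lines are made up.

```python
"""Flag DNS queries whose UDP source port is one of the well-known
service ports BIND 9.3.3b1 now drops (echo, daytime, chargen, time,
kpasswd), plus any other privileged (<= 1024) source port."""
import re

# Source ports named in the diary; a query "from" one of these is
# almost certainly a spoofed reflection attempt, not a real resolver.
REFLECTOR_PORTS = {7: "echo", 13: "daytime", 19: "chargen", 37: "time", 464: "kpasswd"}

# Constructed tcpdump-style lines (not real traffic) for a DNS server at 192.0.2.53.
SAMPLE_LOG = """\
12:00:01.000001 IP 198.51.100.7.19 > 192.0.2.53.53: 1234+ A? www.example.com. (33)
12:00:01.000002 IP 198.51.100.8.41523 > 192.0.2.53.53: 4321+ A? www.example.net. (33)
12:00:01.000003 IP 198.51.100.9.7 > 192.0.2.53.53: 5555+ MX? example.org. (29)
12:00:01.000004 IP 198.51.100.10.1023 > 192.0.2.53.53: 777+ A? example.com. (29)
12:00:01.000005 IP 198.51.100.11.464 > 192.0.2.53.53: 999+ A? example.com. (29)
"""

# Matches "IP <src-ip>.<src-port> > <dst-ip>.53: " in a tcpdump line.
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.53: ")

def classify_source_port(port):
    """'drop' = what BIND 9.3.3b1 does, 'suspect' = other privileged port, else 'ok'."""
    if port in REFLECTOR_PORTS:
        return "drop"
    if port <= 1024:
        return "suspect"
    return "ok"

def scan_log(text):
    """Return (src_ip, src_port, verdict) for every UDP/53 query line."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src_ip, src_port = m.group(1), int(m.group(2))
        results.append((src_ip, src_port, classify_source_port(src_port)))
    return results

def summarize(text):
    """Count verdicts; a spike in 'drop' shows a reflection attempt in progress."""
    counts = {"drop": 0, "suspect": 0, "ok": 0}
    for _, _, verdict in scan_log(text):
        counts[verdict] += 1
    return counts

if __name__ == "__main__":
    for src_ip, src_port, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:7s} {src_ip}:{src_port} {REFLECTOR_PORTS.get(src_port, '')}")
    print(summarize(SAMPLE_LOG))
```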

MITIGATION for other UDP services:

Disable or restrict access to UDP services that don't need to be open to the internet.

Detailed Description:
The basic issue here is very old. It was originally reported in 1999 and assigned CVE-1999-0103 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-1999-0103):
"Echo and chargen, or other combinations of UDP services, can be used in tandem to flood the server, a.k.a. UDP bomb or UDP packet storm."

If you consider DNS to be one side of an "other combination" of UDP services, this is not new. What is new is that this version of BIND will not send FORMERR packets if the original packet came from the set of well-known UDP ports listed above. ISC.ORG has added code to mitigate attacks that use well-known spoofed source ports. I do not know of any other DNS software vendor that has added this capability.

Seven years ago CERT and others warned us not to leave things like echo and chargen open.
However, some OS and network equipment vendors still ship products with those types of services enabled by default and open to the world. Those services have not been in common use since the 1990s.

From the CHANGES file in the 9.3.3b1 source code directory:
--- 9.3.3b1 released ---
<SNIP>
1951.    [security]           Drop queries from particular well known ports.
<SNIP>
