Putting the Web in a Bind

By eweek  |  Posted 2001-03-12


Late last month, a hacker calling himself Fluffy Bunny attacked a Domain Name System (DNS) server belonging to McDonald's fast food restaurants in England and redirected traffic to a dummy site in the U.S.

Visitors found the familiar golden arches, but not much else looked the same. The company name had been changed to McDicks, and, along with some suspect menu choices, the hacker had posted a repetitive description of his bunny character, including "The Fluffy Bunny likes to make babiez," and "The Fluffy Bunny is not wearing any pantiez."

The same day, a group called BL4F Crew hacked 10 Nintendo sites in Europe, exploiting the same vulnerabilities the McDonald's hacker had: holes that had been publicly identified, with a call for Internet-wide upgrades, 28 days earlier.

In one sense, the Feb. 26 hacks were in fun. Fluffy Bunny stopped short of X-rated comments, and no credit-card numbers were stolen or business data damaged on any of the sites. But they illustrate how the escalating problems with the open source BIND software represent the single most common threat to businesses that increasingly depend on Internet-based technologies to sell their products or communicate with their customers.

One of the weakest links on the self-governed Internet, the Berkeley Internet Name Domain (BIND) is the software that drives nearly 90 percent of all domain name servers on the Internet. BIND is used by DNS servers to resolve domain names, such as dinosaur.com, into numeric Internet Protocol (IP) addresses. Each Web site has a DNS server somewhere in front of it, though one DNS server may handle the addressing for many Web sites. Thirteen root DNS servers underlie all Internet operations, with roughly 500,000 DNS servers working on top of them. Of those running BIND, about 80 percent to 90 percent use versions that leave them vulnerable to exploits, according to the Computer Emergency Response Team (CERT) at Carnegie Mellon University.

The problem is not just the code, but also the system — or lack thereof — for making sure that upgrades are made after new holes are identified and publicized to everyone, including hackers.

That issue is compounded by a number of other factors: the increasingly widespread availability of tools to exploit those holes, a lack of understanding by companies about when and how they are vulnerable, and widespread resistance to any kind of user registration or notification system that might seem to violate the laissez-faire tradition of the Internet and its unregulated service providers.

The result? Perhaps the BL4F Crew summed it up best in a posting to the Nintendo sites: "Security is a complete myth on the Internet. It's frustrating. That's what it is."

The problem is much more than frustrating, though. It is also hazardous to the health of electronic commerce and business-to-business information sharing. While commercial variations of DNS software exist, an estimated 85 percent to 90 percent of the name servers in front of Web sites run BIND. And the poor state of BIND leaves many of them available for use as zombies, puppets or victims of denial-of-service attacks like those that have taken down such Web giants as eBay, Microsoft and Yahoo!

"For such a critical piece of the infrastructure, BIND has had a lot of holes," said Brian Dunphy, director of analysis at Riptech, a managed security provider for dot-coms and corporate clients.

Carnegie Mellon's CERT has publicly identified 12 such holes in the 4.x and 8.x versions of BIND, now used on most DNS servers. The McDonald's and Nintendo hacks took advantage of the latest four, published by CERT on Jan. 29.

With each new alert comes a fix. The challenge is in making sure the software running on each DNS server is patched. Although BIND distributors are notified of problems before CERT alerts are made public, there is no way to know if every company running a BIND DNS server is eventually made aware of the problem targeted by an alert. And many of those who are aware may choose not to upgrade, for fear it will result in costly downtime for their Web sites or networks.

With no central Internet authority to turn to, advocates of an open, unregulated Internet are at a loss to explain how the BIND exposures will ever get cleared up.

One of the few proposals to change the shaky state of BIND comes from Paul Vixie, chairman of the organization that oversees the maintenance and development of BIND, the Internet Software Consortium (ISC). Internet service providers (ISPs) could do more, polling their customers' DNS servers to see if they've been updated, he said in an e-mail exchange with Interactive Week.

So far, Interactive Week has found few ISP representatives eager to take Vixie up on the suggestion. ISPs are traditionally loath to take on any appearance of responsibility for their customers' equipment or content. Polling the DNS servers on their networks, ISPs said, could be viewed as a violation of their customers' privacy. And ISPs have little incentive to do such polling unless it is part of a paid service.

The ISC itself also declined to do polling or to generate a database of BIND users who might be automatically notified of updates. Asking people who download the BIND software to register or identify themselves "would be a privacy violation" unless users voluntarily opted to be registered in it, Vixie said.

Threats on the Rise

Unfortunately, hackers have no such compunctions and have access to all the latest tools for polling DNS servers for vulnerabilities. And the exposures created by BIND are well-known, and growing. It used to be that an organization's defenses were infrequently probed by outsiders, but that is no longer the case, said Keith Lowry, vice president of security operations at Pilot Network Services, which provides security as an outsourced service. "If you do not patch these kinds of holes, you're going to get hit," he said.

Pilot tallied a significant jump in the rate of DNS vulnerability scans — a form of reconnaissance by hackers — after the four new vulnerabilities were aired at the end of January, Lowry said. Pilot counted 35 DNS probes of its 300 clients in the first 12 days of February, compared with only 19 in January. On a month-to-month basis, that represents a 480 percent increase, he said. Others have seen similar increases in malicious activity.

"We are receiving reports of two to three times the previous number of probes" of BIND, accomplished by querying port 53 on DNS servers, said CERT technical staffer Jeff Havrilla.

Adding to the problem is the increasing availability of programs that automatically scan networks and query DNS servers. "It's the equivalent of jiggling your doorknob to see if it's locked," said Scott Blake, security program manager at BindView, a provider of security assessments of BIND and other points of exposure. With the automated scans, snoopers can determine which version of BIND a DNS server is running. If it is one with exposures, they also have ready-made burglar tools.

"The tools to exploit these vulnerabilities are being automated in a way not seen before," Havrilla warned. The tools are posted to malicious hacker, or "cracker," sites, and few technical skills are needed to use them to compromise a server. Unless it is specifically configured otherwise, BIND answers a query for the special name version.bind (a TXT record in the CHAOS class) with its own version string, no matter who sends the query. If the answer is any 8.x version prior to 8.2.3, or any 4.x version prior to 4.9.8, then the server most likely contains one of the 12 holes already designated by CERT as hazardous.
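The probe described above, and the kind of version census Men & Mice runs later in this article, can be reproduced with a few dozen lines of code. The following is an added example written for this page, not code from the article, from ISC or from any of the companies quoted: it builds the version.bind CHAOS TXT query on the wire, parses the answer, and classifies the reported version against the fixed releases named in the Jan. 29 CERT advisory (8.2.3 for the 8.x line, 4.9.8 for the 4.x line). The sample response is constructed inline so the example runs offline; the `probe()` function sends the same query to a real server and is the only part that touches the network.

```python
"""Fingerprint a BIND server's self-reported version and classify it.

Added example, not from the original article. The thresholds come from
CERT advisory CA-2001-02 (fixed in 8.2.3 and 4.9.8); BIND 9 is a separate
code base the advisory does not cover. The sample response below is
constructed for the example, not captured from a real server.
"""
import random
import re
import socket
import struct

VERSION_BIND = b"version.bind"
CLASS_CHAOS = 3      # the CHAOS class, used only for this built-in name
TYPE_TXT = 16
FIXED = {4: (4, 9, 8), 8: (8, 2, 3)}   # first non-vulnerable release per line


def build_version_query(txid=None):
    """Return the wire-format DNS query: version.bind, class CH, type TXT."""
    txid = random.randrange(0, 0x10000) if txid is None else txid
    # ID, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l for l in VERSION_BIND.split(b".")) + b"\x00"
    return header + qname + struct.pack("!HH", TYPE_TXT, CLASS_CHAOS)


def _skip_name(data, off):
    """Advance past a DNS name, whether written out as labels or as a pointer."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes total
            return off + 2
        off += 1 + length


def parse_version_response(data):
    """Extract the version string from a version.bind TXT answer, or None."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if flags & 0x000F != 0 or an == 0:   # RCODE != NOERROR, or nothing answered
        return None
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip QNAME, QTYPE, QCLASS
    off = _skip_name(data, off)          # answer owner name
    rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
    off += 10
    if rtype != TYPE_TXT or rclass != CLASS_CHAOS:
        return None
    rdata = data[off:off + rdlen]
    parts, i = [], 0
    while i < len(rdata):                # TXT rdata: one or more <len><chars>
        n = rdata[i]
        parts.append(rdata[i + 1:i + 1 + n].decode("latin-1"))
        i += 1 + n
    return "".join(parts)


def classify(version):
    """Map a reported version to 'hidden', 'vulnerable', 'fixed', 'unaffected' or 'unknown'."""
    if version is None:
        return "hidden"                  # server refused or gave no answer
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return "unknown"                 # e.g. "none", "secret", a custom banner
    v = tuple(int(x) for x in m.groups())
    if v[0] >= 9:
        return "unaffected"              # BIND 9 is outside the 4.x/8.x advisory
    fixed = FIXED.get(v[0])
    if fixed is None:
        return "unknown"
    return "vulnerable" if v < fixed else "fixed"


def sample_response(txid, version):
    """Construct the answer a talkative BIND would return (offline stand-in)."""
    query = build_version_query(txid)
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0)  # QR, AA, RD, RA
    txt = bytes([len(version)]) + version.encode()
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_CHAOS, 0, len(txt)) + txt
    return header + query[12:] + answer


def probe(host, port=53, timeout=3.0):
    """Send the query to a live server over UDP and return its version string."""
    query = build_version_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (host, port))
        data, _ = sock.recvfrom(512)
    if data[:2] != query[:2]:
        raise ValueError("transaction ID mismatch")
    return parse_version_response(data)


if __name__ == "__main__":
    for banner in ("8.2.2-P5", "8.2.3-REL", "4.9.7", "9.1.0"):
        reply = sample_response(0x1234, banner)
        print(banner, "->", classify(parse_version_response(reply)))
```

An administrator who wants to stop advertising the version can add `version "none";` to the `options` block of named.conf, which makes the server answer the query with that literal text instead of its release number. That only hides the banner from this particular probe; the holes remain until the software itself is upgraded to 8.2.3 or 4.9.8, and a scanner that simply tries the exploit does not need the banner at all.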

"When vulnerabilities are first announced, a hacker can compromise a thousand servers very quickly," Riptechs Dunphy said.

Once compromised, the DNS server, together with others taken the same way, can be used to launch a distributed denial-of-service attack or other disruptions.

As Fluffy Bunny demonstrated, legitimate traffic can also be diverted to a dummy site. A clever hack may one day ask diverted customers to submit their user names and passwords at a look-alike site that has convinced visitors it's where they intended to go, security experts warned.

In addition, a single DNS server at an ISP or colocation site often handles several companies' traffic and Web sites. By sniffing that traffic, that is, reading the packets passing over the network, which leaves no trace on the victim's systems, an interloper can gain user IDs and passwords, the names of key files and the servers on which they're located, and other supposedly private information.

"If you get into one server, you can get into two," often with system administrator privileges, which opens the door into the enterprise network, said Steve Hotz, chief technology officer at UltraDNS, a managed DNS service provider, who also worked on the mechanisms of DNS that were later adapted to BIND. It used to be that one organization could practice good, buttoned-down security and protect itself, remarked Peter Trahon, supervisor of the nine agents who make up the computer intrusion squad at the Federal Bureau of Investigation's San Francisco division. "Now your neighbor has to practice good security too," he said.

Small Business at Risk

That means the DNS servers of small businesses are especially at risk. One of the few legitimate organizations running periodic BIND queries is Men & Mice, a Reykjavik, Iceland, DNS management software company that publishes the International Domain Health Survey. One day after the Jan. 29 CERT alert, it took a snapshot that showed one-third of the Fortune 1000 had at least one faulty version of BIND on a DNS server, said Petur Petursson, chief executive of Men & Mice. Three weeks later, that figure had dropped to one-eighth of the Fortune 1000, he said, indicating a rapid upgrade at large companies on the heels of the CERT announcement.

Petursson, however, said he doubts small businesses and nonprofits upgraded their sites as quickly.

At many smaller organizations, DNS servers were set up by outside consultants or by an information technology (IT) staffer who eventually departed for another job, Dunphy said. Once set up, DNS servers tend to run themselves without further assistance and eventually become "a dust-covered server in a closet that nobody knows about," he said.

It's possible for an administrator of a Web site to read news of a CERT BIND alert and say, "Thank goodness we don't have any of those on our network," when, in fact, he or she does, Dunphy said.

When asked why more system administrators don't upgrade BIND on their DNS servers, ISC's Vixie said it is purely their option to do so. The ISC does not monitor BIND users or notify them of changes. Registering BIND users is contrary to the concept of freely available software as open source code, he added. The only requirement asked of a downloader is "to use it in good health," he said. Vixie said BIND users may sign up for a newsletter that fills them in on patches and when upgrades are available, but fewer than 500 have done so. He estimated there are at least 30,000 administrators of DNS servers who would need to be notified.

Creating a central registry is more difficult than it sounds, since not all copies of BIND are distributed through the ISC site. BIND is included in each of the major versions of Unix, such as IBM's AIX, Hewlett-Packard's HP-UX and Sun Microsystems' Solaris, as well as in the products of some firewall makers, like Secure Computing's Sidewinder. Their BIND versions are updated conscientiously but may still lag discovery of new holes by two to three months, Dunphy said.

And once a hole is identified, it is extremely difficult for operating system or firewall users to apply patches or implement upgraded versions of BIND on their own. Users would not generally upgrade BIND as a separate component unless the vendor of their operating system or firewall software sent a patch. And even upgrading the DNS server with a patch requires extensive testing to make sure the patch doesn't disrupt something else, he added.

Microscopic Roots

The main problem with BIND is its roots. It was designed for a network that was microscopic by today's standards: a few nodes at the Department of Defense and a handful of universities. Its users were select government officials and university professors, who exchanged thousands of bits of information, not billions of dollars in commercial transactions, each day.

BIND began as an open source code project, presided over by Jon Postel and Paul Mockapetris. They eventually moved on, and responsibility for the BIND project fell onto the shoulders of Vixie. BIND's volunteer developers frequently had to modify and expand the code, trying to keep it abreast of the Internet's constantly growing needs. As a result, BIND is complex. The name-to-IP address translation engine alone is 39,000 lines of code.

Secure software "has well-constrained behaviors and small subcomponents," observed Theo de Raadt, head of the OpenBSD (Berkeley Unix) project, in an Internet chat discussion of BIND vulnerabilities.

Given the wide entrenchment of BIND vulnerabilities, "a really nasty bug could hit really hard," said de Raadt. Fear of that as yet unborn bug is growing.

BIND has been given a major rewrite in Version 9, but it may take such a bug to encourage a broad-based surge of BIND upgrades.

For overall security to be improved, many parties need to upgrade their versions of BIND concurrently, but answering that need collides with the Internet's tradition of self-regulation. Thus far, the ethos of the Internet, said Jody Patilla, chief analyst at Metases, a managed security provider, has been: "If you're going to run with the big dogs, you're going to have to take responsibility for yourself," including patching your DNS server.

Incognito Software supplies a commercial substitute for BIND, called DNS Commander, which is available only as binary code, or compiled ones and zeros, not source code. That means DNS Commander is more secure, said Chief Executive Patricia Steadman, because it makes it more difficult to detect holes in the software. At the same time, commercial implementations of DNS, such as Microsoft's Internet Information Server, are known to contain holes of their own, Riptech's Dunphy said.

That means the health of most servers on the Internet rests "on the conscientiousness of a handful of overworked individuals" at small businesses, dot-com start-ups, educational organizations and other lightly-staffed IT organizations, Patilla said.

If BIND users need prompting to upgrade their servers, they should be required to register with the ISC before receiving their BIND download, suggested Dave McClure, lobbyist at the U.S. Internet Industry Association. If they did so, security advocates might be less inclined to lean on ISPs to provide more notification and prompts to update, he said.

But Vixie countered, "Let ISPs do it." Because ISPs already have a relationship that involves serving their customers traffic, "we have recommended that ISPs probe their customers name servers, looking for well-known problems and notify affected customers of the need to upgrade," he said.

"Such probing by the Internet Software Consortium would be a privacy violation, but being probed by ones own ISP is not a problem," he said.

When the ISP is providing the DNS service, it's not an issue, since it has set up and is managing the server, several ISPs agreed. But in many cases, customers insist on maintaining their own name servers. Large enterprises, in particular, like to maintain their own master DNS records, said Mike Matthews, security master at Exodus Communications, a large Santa Clara, Calif., ISP and colocation services provider.

"If my ISP were to scan my corporation's DNS server, I would hit them with a lawsuit or promise them a visit from the FBI," said BindView's Blake.

Exodus upgraded its 60 DNS servers to a safe version within two days of the Jan. 29 CERT alert. "We are constantly polling our servers as a matter of course," Matthews said. Exodus offers an assessment of the security of a customer's servers, including its DNS server, which means reviewing the version of BIND running. The solution for customers that don't upgrade, he said, is to educate them on the need for an outside service, such as Exodus. His firm charges $2,750 to perform the service.

Despite the shared need, however, no one can point to an authority, other than the ISC, to enforce the upgrade process, and Vixie made clear that the only central database it will maintain is one where users voluntarily "opt in."

"From the military point of view, central control is good. But it hasn't worked that well with the Internet," said Dunphy, a former U.S. Air Force lieutenant who worked at the Department of Defense's version of CERT.

Even if the ISC were willing to poll users and send threatening e-mails to wayward sites, "what are you going to do — shut down a business for noncompliance?" Dunphy asked. Disabling the DNS server would block traffic to the Web sites behind it, and any organization that might do that in the U.S. would provoke a storm of protest from other countries, he noted.

Without some regulation of BIND, however, denial-of-service attacks launched from many servers and other BIND exploits are likely to get worse, not better. "If you do have a BIND server, you need to religiously monitor it. If nobody knows about it, that's why they're attacked. They make great victims," Dunphy said.
