Putting the Web in a Bind

Vulnerabilities from DNS server software escalating

Late last month, a hacker calling himself Fluffy Bunny attacked a Domain Name System server belonging to McDonald's fast food restaurants in England and redirected traffic to a dummy site in the U.S.

Visitors found the familiar golden arches, but not much else looked the same. The company name had been changed to McDicks, and, along with some suspect menu choices, the hacker had posted a repetitive description of his bunny character, including "The Fluffy Bunny likes to make babiez," and "The Fluffy Bunny is not wearing any pantiez."

The same day, a group called BL4F Crew hacked 10 Nintendo sites in Europe, exploiting the same vulnerabilities the McDonald's hacker had — holes that had been publicly identified for Internet-wide upgrades 28 days earlier.

In one sense, the Feb. 26 hacks were in fun. Fluffy Bunny stopped short of X-rated comments and no credit-card numbers were stolen or business data damaged on any of the sites. But they illustrate how escalating problems with the so-called BIND open source code represent the single most common threat to businesses that are increasingly depending on Internet-based technologies to sell their products or communicate with their customers.

One of the weakest links on the self-governed Internet, the Berkeley Internet Name Domain (BIND) is the software that drives nearly 90 percent of all domain name servers on the Internet. BIND is used by DNS servers to resolve domain names, such as dinosaur.com, into numeric Internet Protocol (IP) addresses. Each Web site has a DNS server somewhere in front of it, though one DNS server may handle the addressing for many Web sites. Sixteen root DNS servers underlie all Internet operations, with roughly 500,000 DNS servers working on top of them. Of those running BIND, about 80 percent to 90 percent use versions that leave them vulnerable to exploits, according to the Computer Emergency Response Team (CERT) at Carnegie Mellon University.

The problem is not just the code, but also the system — or lack thereof — for making sure that upgrades are made after new holes are identified and publicized to everyone, including hackers.

That issue is compounded by a number of other factors, including the increasingly widespread availability of tools to exploit those holes, a lack of understanding by companies about when and how they are vulnerable and widespread resistance to any kind of user registration or notification system that might seem to violate the laissez-faire tradition of the Internet and its unregulated service providers.

The result? Perhaps the BL4F Crew summed it up best in a posting to the Nintendo sites: "Security is a complete myth on the Internet. It's frustrating. That's what it is."

The problem is much more than frustrating, though. It is also hazardous to the health of electronic commerce and business-to-business information sharing. While commercial variations of BIND software exist, an estimated 85 percent to 90 percent of all Web sites' servers run BIND. And the poor state of BIND leaves many of them available for use as zombies, puppets or victims of denial-of-service attacks like those that have taken down such Web giants as eBay, Microsoft and Yahoo!

"For such a critical piece of the infrastructure, BIND has had a lot of holes," said Brian Dunphy, director of analysis at Riptech, a managed security provider for dot-coms and corporate clients.

Carnegie Mellon's CERT has publicly identified 12 such holes in the 4.x and 8.x versions of BIND, now used on most DNS servers. The McDonald's and Nintendo hacks took advantage of the latest four, published by CERT on Jan. 29.

With each new alert comes a fix. The challenge is in making sure the software running on each DNS server is patched. Although BIND distributors are notified of problems before CERT alerts are made public, there is no way to know if every company running a BIND DNS server is eventually made aware of the problem targeted by an alert. And many of those who are aware may choose not to upgrade, for fear it will result in costly downtime for their Web sites or networks.

With no central Internet authority to turn to, advocates of an open, unregulated Internet are at a loss to explain how the BIND exposures will ever get cleared up.

One of the few proposals to change the shaky state of BIND comes from Paul Vixie, chairman of the organization that oversees the maintenance and development of BIND, the Internet Software Consortium (ISC). Internet service providers (ISPs) could do more, polling their customers' DNS servers to see if they've been updated, he said in an e-mail exchange with Interactive Week.

So far, Interactive Week has found few ISP representatives eager to take Vixie up on the suggestion. ISPs are traditionally loath to take on any appearance of responsibility for their customers' equipment or content. Polling the DNS servers on their networks, ISPs said, could be viewed as a violation of their customers' privacy. And ISPs have little incentive to do such polling unless it is part of a paid service.

The ISC itself also declined to do polling or to generate a database of BIND users who might be automatically notified of updates. Asking people who download the BIND software to register or identify themselves "would be a privacy violation" unless users voluntarily opted to be registered in it, Vixie said.
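The polling Vixie describes, and the patch check discussed earlier in the article, come down to asking a server what it is running: BIND answers a CHAOS-class TXT query for the name version.bind with its version string, unless the operator has configured it to hide that. The Python below is an added example written for this page, not code from the article, the ISC or any ISP. It builds that query on the wire, parses the reply (handling DNS name compression, refused queries and hidden versions), and compares the reported version against a per-release-line minimum. The MINIMUM_SAFE thresholds, the transaction ids and the sample version strings are constructed placeholders, and build_sample_response fabricates a reply so the script runs offline; an administrator auditing their own inventory would take the thresholds from the current advisory and send the query bytes over UDP port 53 to each of their servers.

```python
import re
import struct
from typing import Optional

# Constructed placeholders, NOT the real fixed releases: fill these in from the
# current CERT/ISC advisory, one entry per major release line (4.x, 8.x).
MINIMUM_SAFE = {4: "4.9.99", 8: "8.2.99"}

TYPE_TXT, CLASS_CH = 16, 3


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed DNS labels, root-terminated."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return labels + b"\x00"


def build_version_query(txid: int) -> bytes:
    """Build a CHAOS-class TXT query for version.bind (header + one question)."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name("version.bind") + struct.pack(">HH", TYPE_TXT, CLASS_CH)


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a name, which may be a 2-byte compression pointer."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # pointer to an earlier name: two bytes, ends the name
            return off + 2
        if length == 0:             # root label ends an uncompressed name
            return off + 1
        off += 1 + length


def parse_txt_answer(msg: bytes, expected_txid: int) -> Optional[str]:
    """Return the first CH TXT string in the reply, or None if the id mismatches,
    the server set a non-zero RCODE (e.g. REFUSED) or no TXT record came back."""
    txid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if txid != expected_txid or flags & 0x000F != 0:
        return None
    off = 12
    for _ in range(qd):                     # skip the echoed question section
        off = skip_name(msg, off) + 4
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_TXT and rclass == CLASS_CH:
            strlen = msg[off]               # TXT rdata is a length-prefixed string
            return msg[off + 1:off + 1 + strlen].decode(errors="replace")
        off += rdlen
    return None


def version_key(version: str) -> tuple:
    """Turn '8.2.2-P5' into (8, 2, 2, 5) so release strings compare numerically."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def assess(version: Optional[str]) -> str:
    """Classify a reported version against MINIMUM_SAFE for its release line."""
    if version is None:
        return "unknown: version hidden or query refused; verify on the host"
    key = version_key(version)
    if not key or key[0] not in MINIMUM_SAFE:
        return f"unrecognised version string {version!r}; verify on the host"
    floor = MINIMUM_SAFE[key[0]]
    if key < version_key(floor):
        return f"OUTDATED: {version} is older than {floor}"
    return f"ok: {version}"


def build_sample_response(txid: int, version: str) -> bytes:
    """Constructed reply for offline testing: echoes the question and answers
    with one CH TXT record whose name is a pointer to the question name."""
    question = build_version_query(txid)[12:]
    header = struct.pack(">HHHHHH", txid, 0x8400, 1, 1, 0, 0)   # QR=1, AA=1, RCODE=0
    txt = bytes([len(version)]) + version.encode()
    answer = b"\xc0\x0c" + struct.pack(">HHIH", TYPE_TXT, CLASS_CH, 0, len(txt)) + txt
    return header + question + answer


if __name__ == "__main__":
    # Constructed sample version strings; a real run would send build_version_query()
    # to each server in the operator's inventory and feed the UDP reply to parse_txt_answer().
    for txid, reported in ((0x1234, "8.2.2-P5"), (0x1235, "8.2.99"), (0x1236, "surely you must be joking")):
        print(assess(parse_txt_answer(build_sample_response(txid, reported), txid)))
```

The comparison is deliberately per release line: a 4.x server is judged against the 4.x floor and an 8.x server against the 8.x floor, since a site on the older line may have applied its own fix without moving to 8.x. Treat "unknown" and "unrecognised" as findings to follow up on the host itself rather than as passes; a hidden version string says nothing about whether the patch was applied.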