Threats on the Rise
Unfortunately, hackers have no such compunctions and have access to all the latest tools for polling DNS servers for vulnerabilities. And the exposures created by BIND are well-known — and growing. It used to be that an organization's defenses were infrequently probed by outsiders, but that is no longer the case, said Keith Lowry, vice president of security operations at Pilot Network Services, which provides security as an outsourced service. "If you do not patch these kinds of holes, you're going to get hit," he said.
Pilot tallied a significant jump in the rate of DNS vulnerability scans — a form of reconnaissance by hackers — after the four new vulnerabilities were aired at the end of January, Lowry said. Pilot counted 35 DNS probes of its 300 clients in the first 12 days of February, compared with only 19 in January. On a month-to-month basis, that represents a 480 percent increase, he said. Others have seen similar increases in malicious activity.
"We are receiving reports of two to three times the previous number of probes" of BIND, accomplished by querying port 53 on DNS servers, said CERT technical staffer Jeff Havrilla.
Adding to the problem is the increasing availability of programs that automatically scan networks and query DNS servers. "It's the equivalent of jiggling your doorknob to see if it's locked," said Scott Blake, security program manager at BindView, a provider of security assessments of BIND and other points of exposure. With the automated scans, snoopers can determine which version of BIND a DNS server is running. If it is one with exposures, they also have ready-made burglar tools.
"The tools to exploit these vulnerabilities are being automated in a way not seen before," Havrilla warned. The tools are posted to malicious hacker, or "cracker," sites, and few technical skills are needed to use them to compromise a server. Unless it is specifically configured otherwise (the version directive in the options block of named.conf controls this), BIND answers a query for the TXT record version.bind in the CHAOS class with its version string, and it will do so for any source that asks. If the reported version is anything prior to 8.2.3, the server most likely contains one of 12 holes already designated by CERT as hazardous.
"When vulnerabilities are first announced, a hacker can compromise a thousand servers very quickly," Riptech's Dunphy said.
Once compromised, a DNS server, along with others taken the same way, can be used to launch a distributed denial-of-service attack or other disruptions.
As Fluffy Bunny demonstrated, legitimate traffic can also be diverted to a dummy site. A clever hack may one day ask diverted customers to submit their user names and passwords at a look-alike site that has convinced visitors it's where they intended to go, security experts warned.
In addition, a single DNS server at an ISP or colocation site often handles several companies' traffic and Web sites. By sniffing that traffic, a passive practice that reads network packets off the wire but leaves no trace of the intruder, an interloper can gain user IDs and passwords, the names of key files and the servers on which they're located, and other supposedly private information.
"If you get into one server, you can get into two," often with system administrator privileges, which opens the door into the enterprise network, said Steve Hotz, chief technology officer at UltraDNS, a managed DNS service provider, who also worked on the mechanisms of DNS that were later adapted to BIND. It used to be that one organization could practice good, buttoned-down security and protect itself, remarked Peter Trahon, supervisor of the nine agents who make up the computer intrusion squad at the Federal Bureau of Investigation's San Francisco division. "Now your neighbor has to practice good security too," he said.