Remember how just last week I told all you
dedicated system and network administrators that you weren't going to be
starting your holiday weekend early because of a serious NTP security hole? Well, turn your car around and head back to the server room. The Internet Systems Consortium (ISC) has taken the site down for maintenance because they "believe we may be infected with malware."
ISC,
the home for the BIND DNS program, was infected with malware. Time to
take a long, hard look at your BIND-based DNS servers.
O'Reilly Media
Oh boy.
OK,
so those of you are battle-hardened network and sysadmins already know
why this is bad news and you're already logging in via ssh to your
Domain Name System (DNS) servers. For the rest of you, here is why this could be really, really bad news.
ISC is the group behind the open-source Berkeley Internet Name Domain (BIND) program.
BIND is arguably the most popular DNS software on the planet. It is
certainly the most used DNS program on the Unix and Linux systems that
make up most of the Internet's fundamental infrastructure.
DNS is the master address list of the Internet. It's what translates every human-readable Internet address in the world, say http://www.google.com,
into its IPv4 and IPv6 addresses. These numeric addresses are then used
by routers and switches to move data from your computer, smartphone,
tablet, whatever, to your Web sites, your e-mail server, and back again.
In other words, it's really important. Without DNS, there is no functional Internet.
If
the BIND code itself has been corrupted, and you've updated your DNS
BIND server with the code, you could be in for a world of hurt. Your
site might now have a security hole on it. It's also all too possible
that it could be used for a Distributed Denial of Service (DDoS) attack.
Adding insult to injury, ISC runs the F DNS root server. This is one of the 13 root servers that the Internet relies upon for global DNS services.
Before you start hyperventilating, it may not be that bad.
Cyphort, an Internet security company, reported that they'd told ISC that their site had malware
on it on December 22. ISC's main site, which used an out of date
version of WordPress, had, according to Cyphort had been compromised to
point visitors to the sites infected with Angler Exploit Kit. Fortunately, for the Internet, if not Windows users, Angler is a Windows specific malware package.
On
the other hand, while ISC's DNS code and DNS servers are on separate
servers from the front-end WordPress driven site, where there's' been
one security compromise there might have been have been other, more
critical ones.
For now, there are no such reports on the BIND announcement or BIND-user
mailing lists. On the static page that now greets you on the ISC site,
ISC recommends that anyone who's visited the site recently "scan any
machine that has accessed this site recently for malware."
In a separate issue, on December 9th, Carnegie Mellon University's Community Emergency Response Team (CERT) has reported that there is a new DNS exploit
by which recursive DNS resolvers can be knocked out of service by an
infinite chain of referrals if provoked a malicious DNS authoritative
server. At this time, December 26, ISC hasn't fixed BIND for this
potential problem. Other major DNS software providers, including
Microsoft, NLnet, and PowerDNS haven't fixed this bug either. There have
been no reports to date of this hole being exploited.
So, it
looks like the chances are that ISC's problem is limited to Windows PC
malware and it hasn't effected BIND or ISC's DNS site. But, do you
really want to take that chance?
I didn't think so. Start
checking your sites for malware now and looking at your DNS logs for
suspicious activity. That's what I'm doing now. Lucky us.
Steven J. Vaughan-Nichols, aka sjvn, has been writing
about technology and the business of technology since CP/M-80 was the
cutting edge, PC operating system; 300bps was a fast Internet
connection; WordStar was the state of the art word processor; and we
liked it.His work has been published in everything from highly technical
publications...
No comments:
Post a Comment