Recent Bind9 Vulnerability could be used to shut down large parts of the Internet
The Check Point Incident Response Team (CPIRT) has received numerous reports of automated scans across the internet attempting to exploit the recently released BINDS DNS TKEY Vulnerability (CVE-2015-5477). This vulnerability allows a denial of service attack (DoS) against BIND DNS servers. BIND is open source software that supplies Domain Name System (DNS) protocols for the Internet. BIND is by far the most widely used DNS software on the Internet.
DNS is the glue that holds the Internet, including web and e-mail together. A successful attack may severely impact the availability of an organization’s public facing web sites and e-mail.
CPIRT recommends that all customers deploy Check Point IPS Signature CPAI-2015-0908 and apply the patch and/or update provided by their specific Linux/UNIX distribution vendor or source.
At this time, there is no workaround for this vulnerability. Administrators need to patch their vulnerable servers to prevent exploits on their DNS server. Major Linux distributions including Red Hat, CentOS and Ubuntu have issued patches.
Check Point understands that it can take time to apply vendor provided patches. IPS Signature CPAI-2015-0908 provides an effective solution for the exploit as well and can help block attacks prior to completion of the server patching process.
Administrators are encouraged to check their Bind logs for the “ANY TKEY” command to detect attack attempts. This is not a common request and could indicate an attempt to crash the Bind server.
The majority of reports received about attempts exploiting this vulnerability have been from Internet Service Providers and financial services companies running BIND as publically facing DNS servers. As this is an application layer DoS attack it requires minimal bandwidth to successfully DoS an organisation. Without patching or IPS signatures it is very difficult to block such an attack. A single packet can exploit this vulnerability.
Financial Services Customers
Financial services customers are being actively targeted with this exploit. Check Point strongly recommends that financial services organisations promptly apply the IPS update and patch their BIND Servers. Most financial services customers have deployed BIND DNS servers in their public facing DMZ to host their public DNS records. If a DoS attack is successful against these it could stop internet services to the organisation as well stop their customers from being able to use electronic services such as online banking.
Internet service providers
Most Internet Service Providers (ISPs) appear to have BIND deployed as the recursive lookup server for their customers. A successful DoS attack against these would cause widespread service interruptions to their customers. CPIRT has also seen recent increase in DoS attacks against ISP owned infrastructures.
In addition to enabling the relevant IPS signatures and patching the DNS servers it is vital that organisations have an incident response plans for dealing with (D)DoS attacks. Such a plan should include a printed list of numbers to call, a communications plan for informing relevant internal and external parties and pre-approved plan for what services may be turned off or otherwise interrupted to deal with an attack and ensure these plans are rehearsed. CPIRT can help create and rehearse these plans as well as providing expertise during an attack.
To protect against attackers exploiting the BIND TKEY DoS vulnerability it is important that customers:
- Deploy Check Point IPS signature CPAI-2015-0908
- Patch their BIND DNS servers.
- Have an Incident Response attack plan in place.
Check Point is a security industry leader of threat prevention solutions and incident response. Our team is here to help you plan for and respond to attacks. For further questions please contact your local Check Point team or contact the Check Point Incident Response team at [email protected]. For critical incidents call Check Point Incident Response customers can call +1(866) 923-0907.