Nuke attack? No, bug in DNS! (fwd)
I think this is the main cause of all the strange things happening on the
net for the last few days.
Vipul
Rishab A. Ghosh wrote:
> Was I the only one nuked by the DNS/BIND crash yesterday? I hope
> I've not been automatically unsubscribed from the list. As not
> everyone here reads c.p.tcp-ip.d I've attached Karl Denninger's
> analysis. For those who were luckily immune, my ISP (best.com) like
> many others, had its DNS crash for _local_ domain names (belonging
> to the ISP and customers like me) through most of yesterday. No,
> not a virus, but bad DNS records "floating around" as Karl puts it,
> that happened to expose a bug in the latest version of BIND.
>
> So much for immunity to nuclear war!
>
> Rishab
>
> > From: [email protected] (Karl Denninger)
> > Newsgroups: comp.protocols.tcp-ip.domains
> > Subject: SERIOUS PROBLEM WITH DNS SERVERS AND BAD RECORDS - Rev 4.9.4
> > Date: 23 Aug 1996 10:10:39 -0500
> > Organization: MCSNet Ops, Chicago, IL
> > Message-ID: <[email protected]>
> >
> > CAUTION!
> >
> > There are a series of bad nameserver records floating around on the net
> > which are blowing up BIND versions 4.9.4 (REL and T5B) and possibly other
> > releases as well.
> >
> > This has been VERIFIED to be impacting multiple ISPs and their DNS servers.
> >
> > We are shutting off updates from ANY DNS server which presents bogus data,
> > which stops it from killing our code, but is of no help to the large number
> > of domains which are presumably rendered unreachable.
> >
> > At present, this list is:
> >
> > bogusns 204.94.129.65 158.43.192.7
> > ;
> > bogusns 199.3.12.2 38.241.98.5 199.71.224.105 206.215.3.10
> > bogusns 134.75.30.253 198.41.0.4 128.63.2.53 198.41.0.4
> > bogusns 206.66.184.11 206.66.104.37
> > ;
> > bogusns 163.173.128.6 163.173.128.254 200.6.39.1 192.33.4.12 128.174.36.254
> > bogusns 129.79.1.9 128.174.5.58
> >
> >
> > All of these have presented at least one malformed record to us in the
> > last two hours!
> >
> > Folks, if you run one of these servers, start tracking down the problem on
> > your end. If this is bad cached data, THOSE AFFECTED MUST FLUSH IT
> > AS SOON AS POSSIBLE TO TRY TO PREVENT PROPAGATION.
> >
> > This problem started as an isolated set of incidents yesterday, and is now
> > spreading like wildfire.
> >
> > The actual bad data appears to be a domain name being returned in an
> > authority record which is of the form "domain.com<tab>com". We have not
> > yet caught a bad returned record in a debug file; that is being attempted
> > now.
> >
> > When this goes through "dn_expand" in the BIND code, it causes memory
> > arena corruption and subsequent failure to resolve VALID zones which you
> > are authoritative for. First signs are reports of "corrupted authority data"
> > if you are using "dig" to check zones which you hold authority records for.
> >
> > We are working on a way to "harden" the code against this kind of junk data,
> > but until we can get one deployed our defense is to shut down communication
> > from those who are presenting us the garbage.
> >
> > PLEASE CHECK YOUR NAMESERVERS OUT AND TAKE NECESSARY STEPS YOURSELF! This
> > is a serious problem which has the possibility of melting significant parts
> > of the Internet infrastructure.
> >
> > --
> > --
> > Karl Denninger ([email protected])| MCSNet - The Finest Internet Connectivity
> > http://www.mcs.net/~karl | T1 from $600 monthly; speeds to DS-3 available
> > | 23 Chicagoland Prefixes, 13 ISDN, much more
> > Voice: [+1 312 803-MCS1 x219]| Email to "[email protected]" WWW: http://www.mcs.net/
> > Fax: [+1 312 248-9865] | Home of Chicago's only FULL Clarinet feed!
> >
> >
> > --
> > bryant durrell http://www.innocence.com/~durrell
> > [email protected] http://www.innocence.com/fengshui
> > [email protected] http://www.innocence.com/shadowfist
> > big black nemesis parthenogenesis no one move a muscle as the dead come home
> >
>
>
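An added example, not part of the forwarded posts and not BIND's code: a bounds-checked name expander of the kind the "harden the code" remark in Karl Denninger's analysis points toward, which refuses a label carrying an embedded tab instead of copying it. The function name `safe_name_expand`, the hostname-character policy and the sample bytes are assumptions constructed for illustration; the post does not show the actual wire data.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical helper, not BIND's dn_expand(): expand the wire-format name at
 * msg[off] into dotted text. Returns the bytes the name occupies at off, or -1
 * if it is malformed. Policy assumption: labels hold only [A-Za-z0-9_-]. */
int safe_name_expand(const uint8_t *msg, size_t msglen, size_t off,
                     char *out, size_t outlen)
{
    size_t pos = off, o = 0;
    int consumed = -1, jumps = 0;
    for (;;) {
        if (pos >= msglen) return -1;                 /* ran off the message */
        uint8_t len = msg[pos];
        if ((len & 0xC0) == 0xC0) {                   /* compression pointer */
            if (pos + 1 >= msglen) return -1;
            if (consumed < 0) consumed = (int)(pos + 2 - off);
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[pos + 1];
            /* pointers must go backward, and the jump count is capped */
            if (target >= pos || ++jumps > 32) return -1;
            pos = target;
            continue;
        }
        if (len & 0xC0) return -1;                    /* reserved label type */
        if (len == 0) {                               /* root label ends the name */
            if (consumed < 0) consumed = (int)(pos + 1 - off);
            if (o == 0) { if (outlen < 2) return -1; out[o++] = '.'; }
            out[o] = '\0';
            return consumed;
        }
        if (++pos + len > msglen) return -1;          /* label overruns message */
        if (o + len + 2 > outlen) return -1;          /* label + '.' + NUL must fit */
        if (o) out[o++] = '.';
        for (uint8_t i = 0; i < len; i++) {
            uint8_t c = msg[pos + i];
            if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '-' || c == '_'))
                return -1;                            /* e.g. an embedded tab */
            out[o++] = (char)c;
        }
        pos += len;
    }
}

int main(void)
{
    /* Constructed sample: labels "domain" and "com<tab>com"; must be rejected. */
    const uint8_t bad[] = {6,'d','o','m','a','i','n',7,'c','o','m','\t','c','o','m',0};
    char out[64];
    return safe_name_expand(bad, sizeof bad, 0, out, sizeof out) == -1 ? 0 : 1;
}
```

A caller that gets -1 should drop the whole response rather than cache any part of it, which is the per-record equivalent of the `bogusns` quarantine described in the post.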