"DNS Forgery Pharming" Attack Against BIND 9 105
Monley writes "Help Net Security is running a story about a severe flaw in BIND's implementation that allows fraudsters to efficiently predict generated random numbers without the need to control the route between the user and the DNS server. (Here are HTML and PDF versions of the paper.) Using this vulnerability, fraudsters can remotely forge DNS responses and direct users to fraudulent websites, which can steal the user's sign-in credentials and do other mischief. The flaw was discovered by security researcher and Trusteer's CTO, Amit Klein." The ISC has released a patch to BIND 9.
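The flaw in the summary is about predictability of the 16-bit transaction ID a resolver puts in each outgoing query. As an added example (not code from the story, the paper, ISC or Trusteer), here is a defender-side check an operator can run over TXIDs pulled from a capture of their own resolver's outbound queries. It flags the symptoms a weak generator shows: repeated values, a dominant step between consecutive IDs, and header bits that never change. The function names, the constructed sample sequences and the thresholds are all assumptions, not anything the page or the patched BIND release specifies.

```python
"""Offline check for weak DNS transaction IDs (TXIDs).

Added example, not code from the story, the paper, ISC or Trusteer.
Takes 16-bit TXIDs (e.g. extracted from a capture of a resolver's
outbound queries) and reports statistics a predictable generator
fails. Thresholds are assumptions tuned for a few hundred samples.
"""
import random
import struct
from collections import Counter


def txid_from_dns_query(message: bytes) -> int:
    """Return the transaction ID: the first two bytes of a DNS message, big-endian."""
    if len(message) < 12:
        raise ValueError("DNS header is 12 bytes")
    return struct.unpack("!H", message[:2])[0]


def analyze_txids(ids):
    """Summarise how random a sample of 16-bit TXIDs looks.

    Returns a dict; 'weak' is True when any statistic is far from what a
    uniformly random 16-bit source would give.
    """
    if len(ids) < 2:
        raise ValueError("need at least two IDs")
    n = len(ids)
    unique_ratio = len(set(ids)) / n

    # Step between consecutive IDs; a counter-like generator has one dominant delta.
    deltas = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]
    top_delta_share = Counter(deltas).most_common(1)[0][1] / len(deltas)

    # Bits that are constant across the whole sample carry no entropy.
    always_set, always_clear = 0xFFFF, 0xFFFF
    for i in ids:
        always_set &= i
        always_clear &= ~i & 0xFFFF
    effective_bits = 16 - bin(always_set | always_clear).count("1")

    # Assumed thresholds: a few hundred uniform samples give unique_ratio near 1,
    # no delta repeating more than a handful of times, and all 16 bits varying.
    weak = unique_ratio < 0.9 or top_delta_share > 0.1 or effective_bits < 14
    return {
        "samples": n,
        "unique_ratio": round(unique_ratio, 3),
        "top_delta_share": round(top_delta_share, 3),
        "effective_bits": effective_bits,
        "weak": weak,
    }


# Constructed samples (not captured traffic) for three kinds of generator.
_rng = random.Random(2007)
SAMPLE_RANDOM = [_rng.randrange(0x10000) for _ in range(500)]            # uniform
SAMPLE_COUNTER = [(0x3F00 + i) & 0xFFFF for i in range(500)]             # sequential
SAMPLE_LOW_BITS = [0xAB00 | _rng.randrange(0x100) for _ in range(500)]   # only low byte varies


if __name__ == "__main__":
    for name, ids in (("random", SAMPLE_RANDOM), ("counter", SAMPLE_COUNTER),
                      ("low-entropy", SAMPLE_LOW_BITS)):
        print(name, analyze_txids(ids))
```

Feed `txid_from_dns_query` the UDP payloads of queries your resolver sends (a few hundred are enough) and pass the resulting list to `analyze_txids`; a "weak" verdict is a reason to confirm the server is running the patched release, since these checks only catch the coarse failure modes and a generator can pass them and still be predictable to someone who knows its algorithm.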
New (Score:1, Insightful)
Maybe the headline should read, "Exploit which bored college students figured out fifteen years ago is finally released to the mainstream".
Come again? (Score:4, Insightful)
Re:New (Score:3, Insightful)
Our product not vulnerable to flaw we discovered.. (Score:4, Insightful)
The TFA recommends using Trusteer's product to defeat this attack:
So, to recap. Vendor discovers a flaw and recommends their product. Film at 11:00.
Re:Troll? Y'all are NEWBS! (Score:3, Insightful)
Don't Diss Bind (Score:4, Insightful)
In 2007, where 1000s of "researchers" spend their lives trying to break the Internet.... This stuff happens. BIND, SendMail and classic solutions are attacked. Amazingly they hold up better than Windows!
Re:New (Score:4, Insightful)
Oh wait, that isn't ethical
Re:Yes but... (Score:2, Insightful)
It is related to MS DNS -- a SYSTEM you said did not have any vulnerabilities.
It's not hard to get a connection and a rooted machine in somebody's internal network. Also -- I can't think of anybody that would use MS DNS server outside on the Internet. If you do then that confirms my opinion of you.
Re:Don't Diss Bind (Score:2, Insightful)
Since this is Slashdot the parent post will be modded up and I'll be modded down, but the truth of the matter is that the DNS server that ships with Windows has never had a single vulnerability.
Wow, you must have a VERY short memory. Try thinking back to just earlier this year, when Microsoft Security Advisory (935964) [microsoft.com] came out. And that is just one of MANY flaws over the years in MS DNS server! Hell, their DNS server for NT4 and earlier releases of Win2K (pre SP3) ran so sloppy that most people had to write scripts to stop/restart their MS DNS servers nightly! I should know, I was one of them. It was the only way to fix memory leaking problems that would lead to cache lookup failures. And let's not forget the long era of MS DNS cache poisoning...
No, BIND has proven itself to be MUCH more reliable for serious Internet servers than MS DNS. Just like Unix/Linux has proven to be a better OS for serious Internet servers than MS Windows. There is a reason the REAL Internet servers of the world use Unix/Linux and BIND. It's because they handle more critical traffic than anything else, they absolutely have to work, and MS products are NOT up to that task! No amount of marketing hype can counter the real world experience of professional network engineers, and the pros choose Unix. Windows Server has become more reliable over the years, and is a viable product for small and medium businesses. But it has never been, currently isn't, and may never be reliable enough for those really critical high end servers that large ISPs, governments, and businesses need.
The only reason people like you bitch about the popularity of Unix/Linux for high end servers is because you obviously know little about such things, but want to pretend that because you can install Windows 2003 Server and Exchange that you now know something about network engineering. Sorry, you don't... No one who does would have said "the DNS server that ships with Windows has never had a single vulnerability" because they would have had the real world experience of dealing with the problems that DO EXIST with that product! Knowing your way around a Windows server does make you talented, but it doesn't put you in a position where you know enough to go around dissing technologies you have obviously never even used...
Re:FOSSie fix!!! (Score:4, Insightful)
A medium number of programmers can make minor modifications to medium-sized software applications.
Very few programmers can make any sort of modification to very large software applications. Very, very few.
Bind is a very large, complex piece of software. A good portion of that complexity is due to poor documentation and badly designed algorithms (a problem I've had with bind from the first release on through today), but at this point the majority of the complexity is due to feature creep. I still use bind simply because I do not have the desire to write a replacement for it, and because the only other really good DNS package has a copyright and licence on it that makes it virtually unusable. Software gets stale as it gets older... if I can't keep software up to date after the original author has lost interest then I have no interest in incorporating said software, no matter how good it is.
-Matt
Re:Troll? Y'all are NEWBS! (Score:3, Insightful)
Unfortunately a lot of people seem stuck in the past and still judge BIND from the 4.x and 8.x days.
So.. if BIND9 sucks.. what is an alternative? (Score:2, Insightful)
Re:Jeezus freaking A Christ (Score:4, Insightful)
Re:So.. if BIND9 sucks.. what is an alternative? (Score:3, Insightful)
djbdns is proprietary, source-available software. It's nowhere near BSD or GPL licensed.
Re:Complexity breeds problems. (Score:1, Insightful)