Botnet Malware issue on BIND 9.7.1-P2

Michael Graff mgraff at isc.org
Mon Dec 5 16:54:08 UTC 2011


I see many valid IP addresses in your list.  But that said, are the responses going back "large" individually, or is it the number of them that is "large"?

If you think this is attempting to crash the server with a single large answer, that's different than if your server is getting a lot of queries from others, where the number of them is large.

Is your server crashing due to these queries?

Are these clients ones you intend to provide service to?  If not, can you limit access to your server to only those clients you intend to provide service for?

--Michael

On Dec 5, 2011, at 10:42 AM, jagan padhi wrote:

> Hi,
>  
>  
> There are huge numbers of requests coming from valid IPs for .ws domains which do not exist, and this degrades the server performance.
>  
>  
> Thanks,
> Jagan
> 
> On Fri, May 27, 2011 at 6:56 PM, Larissa Shapiro <larissas at isc.org> wrote:
> Change: BIND 9.4-ESV-R4-P1  is now available.
> Title: Large RRSIG RRsets and Negative Caching can crash named.
> 
> Summary: A BIND 9 DNS server set up to be a caching resolver is
> vulnerable to a user querying a domain with very large resource record
> sets (RRSets) when trying to negatively cache a response. This can cause
> the BIND 9 DNS server (named process) to crash.
> 
> Document ID: CVE-2011-1910
> 
> Posting date: 26 May 2011
> 
> Program Impacted: BIND
> 
> Versions affected: 9.4-ESV-R3 and later, 9.6-ESV-R2 and later, 9.6.3,
> 9.7.1 and later, 9.8.0 and later
> 
> Severity: High
> 
> Exploitable: Remotely
> 
> CVSS Score: Base 7.8
> 
> (AV:N/AC:L/Au:N/C:N/I:N/A:C)
> 
> For more information on the Common Vulnerability Scoring System and to
> obtain your specific environmental score please visit:
> http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
> 
> Description:
> 
> DNS systems use negative caching to improve DNS response time. This will
> keep a DNS resolver from repeatedly looking up domains that do not
> exist. Any NXDOMAIN or NODATA/NOERROR response will be put into the
> negative cache.
> 
> The authority data will be cached along with the negative cache
> information. These authoritative “Start of Authority” (SOA) and
> NSEC/NSEC3 records prove the nonexistence of the requested name/type. In
> DNSSEC, all of these records are signed; this adds one additional RRSIG
> record, per DNSSEC key, for each record returned in the authority
> section of the response.
> 
> In this vulnerability, very large RRSIG RRsets included in a negative
> cache can trigger an assertion failure that will crash named (BIND 9
> DNS) due to an off-by-one error in a buffer size check.
> 
> The nature of this vulnerability would allow remote exploit. An attacker
> can set up a DNSSEC-signed authoritative DNS server with large RRSIG
> RRsets to act as the trigger. The attacker would then find ways to query
> an organization’s caching resolvers, using the negative caches to
> “trigger” the vulnerability. The attacker would require access to an
> organization’s caching resolvers. Access to the resolvers can be direct
> (open resolvers), through malware (using a BOTNET to query negative
> caches), or through driving DNS resolution (a SPAM run that has a domain
> in the E-mail that will cause the client to look up a negative cache).
> 
> Workarounds: Restricting access to the DNS caching resolver
> infrastructure will provide partial mitigation. Active exploitation can
> be accomplished through malware or SPAM/Malvertising actions that will
> force authorized clients to look up domains that would trigger this
> vulnerability.
> 
> Solution:
> 
> Upgrade to: 9.4-ESV-R4-P1, 9.6-ESV-R4-P1, 9.7.3-P1 or 9.8.0-P2
> ftp://ftp.isc.org/isc/bind9/9.8.0-P2
> ftp://ftp.isc.org/isc/bind9/9.7.3-P1
> ftp://ftp.isc.org/isc/bind9/9.6-ESV-R4-P1
> ftp://ftp.isc.org/isc/bind9/9.4-ESV-R4-P1
> 
> Exploit Status: High. This issue has caused unintentional outages.
> 
> US CERT is tracking this issue with INC000000152411.
> 
> Credits:
> 
> Thanks to Frank Kloeker and Michael Sinatra for getting the details of
> this issue to the DNS Operations community and to Michael Sinatra, Team
> Cymru, and other community members for testing.
> 
> Revision History: Added the 9.4-ESV-R4-P1 download. 2011-May-27
> 
> Questions regarding this advisory should go to security-officer at isc.org.
> Questions on ISC's Support services or other offerings should be sent to
> sales at isc.org. More information on ISC's support and other offerings is
> available at: http://www.isc.org/community/blog/201102/BIND-support
> -- 
> Larissa Shapiro
> Internet Systems Consortium Product Manager
> Technology Leadership for the Common Good
> +1 650 423 1335
> www.isc.org
> 

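Added example, not code from the thread or from ISC: a small Python parser for tcpdump query lines in the format Jagan posted, plus a per-source count of distinct names queried under one suffix. A client whose distinct-name count tracks its total query count is asking for names nobody else asks for, which is the profile of a random-name flood rather than of ordinary users, and that is the list of sources to restrict in the resolver's ACL as Michael suggests. The sample capture is constructed in the thread's format and the `min_distinct` threshold is an assumption.

```python
import re
from collections import defaultdict

# Matches tcpdump DNS query lines in the format quoted in this thread, e.g.
#   14:24:41.223958 IP 211.164.230.208.17125 > 103.145.184.40.domain:  64+ A? mlvabdz.ws. (28)
QUERY_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.\S+ > (?P<dst>\d+(?:\.\d+){3})\.domain:"
    r"\s+\d+\+?(?: \[1au\])? (?P<qtype>[A-Z]+)\? (?P<qname>\S+)\. \(\d+\)$"
)

def parse_queries(lines):
    """Return (src, dst, qtype, qname) tuples; non-query lines are skipped."""
    out = []
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if m:
            out.append((m["src"], m["dst"], m["qtype"], m["qname"].lower()))
    return out

def suffix_of(qname, labels=1):
    """Rightmost `labels` labels of a name: 'www.cbox.ws' -> 'ws'."""
    return ".".join(qname.split(".")[-labels:])

def flag_sources(queries, suffix, min_distinct=3, labels=1):
    """Sources that asked for at least `min_distinct` different names under
    `suffix` (threshold is an assumption).  Returns {src: (distinct, total)};
    distinct close to total means the client rarely repeats a name."""
    total, distinct = defaultdict(int), defaultdict(set)
    for src, _dst, _qtype, qname in queries:
        if suffix_of(qname, labels) == suffix:
            total[src] += 1
            distinct[src].add(qname)
    return {s: (len(distinct[s]), total[s]) for s in total
            if len(distinct[s]) >= min_distinct}

# Constructed sample capture (same format as the thread's tcpdump output).
SAMPLE = """\
14:24:41.223958 IP 211.164.230.208.17125 > 103.145.184.40.domain:  64+ A? mlvabdz.ws. (28)
14:24:41.338215 IP 211.164.230.208.17126 > 103.145.184.40.domain:  65+ A? ppckbydtbr.ws. (31)
14:24:41.346545 IP 211.164.230.208.17127 > 103.145.184.40.domain:  66+ A? jdzojm.ws. (27)
14:24:41.350427 IP 211.164.230.208.17128 > 103.145.184.40.domain:  67+ A? ujtkmid.ws. (28)
14:24:42.673250 IP 211.164.212.189.55838 > 103.145.184.32.domain:  49878+ AAAA? www.cbox.ws. (29)
14:24:42.884638 IP 211.164.212.189.55839 > 103.145.184.32.domain:  49879+ A? www.cbox.ws. (29)
14:24:42.884639 IP 211.164.212.189.55840 > 103.145.184.32.domain:  49880+ A? www.example.com. (33)
not a query line at all
"""

if __name__ == "__main__":
    for src, (d, t) in flag_sources(parse_queries(SAMPLE.splitlines()), "ws").items():
        print(f"{src}: {d} distinct .ws names in {t} queries")
```

Run it over a real capture by piping `tcpdump -n -l port 53` output into `parse_queries`; the flagged sources are candidates for `allow-query`/`allow-recursion` restrictions rather than proof of malice on their own.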