FAQ for CVE-4854 – BIND Vulnerability

In order to help our customers with their DNS-related questions, we wrote this blog post regarding the recently announced BIND vulnerability, CVE-4854.

What happened?

ISC announced a critical vulnerability in the popular BIND DNS software. This might affect you. BIND servers configured either as caching or authoritative are vulnerable.

Developing a Framework to Improve Critical Infrastructure Cybersecurity

Here are thoughts from our CTO, Bill Worley, PhD, on properly securing critical infrastructure in our highly connected world. They are particularly applicable to what we have seen in the last year, with increased DDoS attacks focused on the DNS and systems compromised for the theft of intellectual property.

DNSSEC Adoption is Slow for Government Agencies

Even though more than two years have passed since federal government agencies were required to support DNS Security Extensions (DNSSEC) on their web sites, only 57 percent of agencies have met these requirements. In other words, about 40 percent of federal agencies have not secured their domains to protect users from domain name hijacking and cache poisoning attacks.

As this Network World article explains,

DNSSEC Deployment Lags

DNSSEC has been slow to be accepted by commercial sites, leading to a lag in DNSSEC deployment, even though it is the best solution for preventing exposure to site hijacking. This type of hijacking is possible because of a major flaw in DNS, found by security researcher Dan Kaminsky 5 years ago, that makes it possible for hackers to launch cache poisoning attacks.

A New DNS Vulnerability

A new DNS vulnerability was found in BIND yesterday, CVE-2012-5688. It is listed as a critical vulnerability.

This adds to the list of major vulnerabilities discovered in BIND. Since February of 2011, a new high-severity vulnerability has been found on average every 60 days. This is a worrisome trend for DNS administrators concerned with the increasing sophistication and level of attacks. None of these vulnerabilities have affected Secure64 DNS servers.

Protecting Your DNS

There have been several recent Denial of Service attacks reported against banks, hosting providers and federal agencies around the world. As always with these types of attacks, one of the victims is the DNS server. Attacking DNS is effective: once the DNS server is taken down by the hacker, customers can’t reach any of the victim’s servers, including mail servers, web servers, etc.

Besides the effectiveness, there are also other reasons why the DNS server is the bullying victim of the Internet. One of the more technical reasons is that DNS service is UDP-based and not TCP-based like most other services. Many simple types of attacks can be performed against UDP-based systems. Additionally, UDP is also much easier to forge than TCP, so the hacker does not have to reveal his IP address in the attack. All of this makes the DNS a juicy target.

The traditional way of protecting DNS and other servers is via stateful firewalls. However, this protection mechanism does not work well for UDP-based attacks. In fact, most firewalls actually contribute to the problem rather than helping, since they are not designed to cope with large floods of small packets. You can verify that this is the case by reading the fine print in the specifications of your firewall. It is probably rated at an impressive number of gigabytes per second, but if you look at the number of packets per second, it is not that high. And even if you have a firewall capable of millions of packets per second, it will not do you much good, as it is not doing much inspection of the DNS traffic. Traditional firewalls are not smart enough and do not look far enough into the packet to really be able to determine whether the packet is legit or not.

What is really needed for adequate protection is a specialized DNS firewall that sits outside of the firewall. This device can either be configured with the DNS data so that it can respond directly or simply forward the scrubbed traffic to “softer” DNS servers behind it.

Secure64’s products can be used in such a setup. Our products defend against Denial of Service attacks and other types of attacks directed towards the DNS servers while we are still able to respond to legitimate traffic. For more information on our products please visit us at our web site.

GoDaddy’s DNS Outage Exposes the Need for DNS Redundancy

The GoDaddy DNS outage had a widespread effect. Hacktivists claimed to have caused it, but Interim CEO Scott Wagner said the service outage was due to a series of internal network events that corrupted route data tables.

No matter what the cause, whether it was internal errors or external attacks, the outage

Botnets, Route Hijacking, and Other Security Threats

Cyber crime has become big business. In the past, hackers tended to work alone or in small groups, and their impact was usually quite minimal. Sometimes it was done just for bragging rights rather than monetary gain, and often had no adverse effects on most of the general public.

Lack of DNSSEC Deployment on Financial Services Web Sites

It comes as a real surprise that one of the industries (financial services) that should be most interested in the security of their web sites has not implemented a key piece of protection, Domain Name System Security Extensions (DNSSEC). DNSSEC is a technology that was developed to add critically needed security to the domain name system. Without DNSSEC, internet users cannot be certain that they

Four Vulnerabilities in Infrastructure Defense

“The basic underpinnings of the Internet — BGP, DNS, and SSL — we take for granted they were built in much friendlier times when friendly people wanted to communicate with friendly people. The Internet was built to be survivable, not trustable,” said John Pescatore, vice president and research fellow for Gartner Research. This quote was cited in an article in Dark Reading by Kelly Jackson Higgins.