Let's assume that BIND has a way to know when it is dangerously out of date. The mechanism used would be up to ISC and I'll admit that it would probably involve some sort of DNS records in an ISC-run domain because that's the only way that has a high likelihood of working given the number of firewalls and caching nameservers that may be between a given BIND box and ISC. Seems to me that ISC has always maintained that there are two version numbers, one 4.x and one 8.x, that are always the oldest ones you can run and still be secure against known exploits. So the info stored in the ISC DNS server really doesn't need to be more than those two version numbers. OK, now assume that we have a BIND server which has detected that it is out of date and at risk of attack. What should it do? Well, first of all, what would a human being do if if realised that it was at risk of attack and they had no means of contacting their friends or the police. A child might cry out and an adult might yell for help in case someone was near enough to hear. BIND is in a similar situation. It doesn't know if there is anyone looking after it but it is hurting, so let's make it cry out. I suggest that an appropriate technique would be for the BIND server to originate traffic on it's local subnet that would look suspicious and possibly trigger intrusion alarms. Send out some packets to the broadcast address. Do some portscanning of all addresses on the subnet. Find any open port 80 and retrieve a URL containing BIND/server/at/10.7.7.1/has/security/vulnerability, find any open port 25 and send email to postmaster containing the same message, etc. Not enough traffic to be a DoS but enough to show up in various logs in case someone is looking at some of them. Even then, this is still a string and sealing wax solution. It's situations like this that demonstrate just how primitive our supposedly high technology really is. --Michael Dillon
In the immortal words of Michael.Dillon@radianz.com (Michael.Dillon@radianz.com):
I suggest that an appropriate technique would be for the BIND server to originate traffic on it's local subnet that would look suspicious and possibly trigger intrusion alarms.
Good lord. I'm a little stuck for a proper analogy for this. A car that "helpfully" starts emitting noxious smoke to let you know that it's time for a tune-up? A refridgerator that drips bleach into your vegetable drawers to remind you to replace the coolant? An answering machine that replaces the outgoing message with a stream of profanities to alert callers that the incoming message tape is full? If people are so concerned about BIND's security that they're willing to seriously consider implementing ideas like this, why are they not willing to either consider replacing BIND with DNS software that is secure by design (*cough* *cough*), or paying the ISC to produce a properly secured BIND? The solution to the Ford Pinto problem was not to recommend that people duct-tape sofa cushions and homemade warning lights to the back bumper. -n ------------------------------------------------------------<memory@blank.org> "Thus do `Snuff Movies' take their place with `Political-Correctness,' `Sex Addiction,' and `Postmodernism' as Godzillas of bogus moral panic, always threatening to crush the nation in their jaws, but never quite willing to take the final step of biting down. (--www.suck.com) <http://blank.org/memory/>----------------------------------------------------
Might I suggest that you put together a group of you - four or five should do fine, and draw up a list of all the things that you want changed in "super BIND" or whatever you want to call it, pass it through the group for a public airing and then send it to the IETF's DNS WG's as a request. If you are not getting what you need to operate your networks, then a commitment to proactive responses requires this, or something like it. Tell them what you need to accomplish and not how to do it, and they will build a protocol to satisfy this request whether they redesign or morph BIND. It will also do wonders for both organizations politically. Just a thought. Todd -----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of Nathan J. Mehl Sent: Thursday, March 27, 2003 6:25 AM To: nanog@merit.edu Subject: Re: Curing the BIND pain In the immortal words of Michael.Dillon@radianz.com (Michael.Dillon@radianz.com):
I suggest that an appropriate technique would be for the
BIND server to
originate traffic on it's local subnet that would look suspicious and possibly trigger intrusion alarms.
Good lord. I'm a little stuck for a proper analogy for this. A car that "helpfully" starts emitting noxious smoke to let you know that it's time for a tune-up? A refridgerator that drips bleach into your vegetable drawers to remind you to replace the coolant? An answering machine that replaces the outgoing message with a stream of profanities to alert callers that the incoming message tape is full? If people are so concerned about BIND's security that they're willing to seriously consider implementing ideas like this, why are they not willing to either consider replacing BIND with DNS software that is secure by design (*cough* *cough*), or paying the ISC to produce a properly secured BIND? The solution to the Ford Pinto problem was not to recommend that people duct-tape sofa cushions and homemade warning lights to the back bumper. -n ------------------------------------------------------------ <memory@blank.org> "Thus do `Snuff Movies' take their place with `Political-Correctness,' `Sex Addiction,' and `Postmodernism' as Godzillas of bogus moral panic, always threatening to crush the nation in their jaws, but never quite willing to take the final step of biting down. (--www.suck.com) <http://blank.org/memory/>---------------------------------- ------------------
On Thu, 27 Mar 2003 Michael.Dillon@radianz.com wrote:
I suggest that an appropriate technique would be for the BIND server to originate traffic on it's local subnet that would look suspicious and possibly trigger intrusion alarms. Send out some packets to the broadcast address. Do some portscanning of all addresses on the subnet. Find any open port 80 and retrieve a URL containing BIND/server/at/10.7.7.1/has/security/vulnerability, find any open port 25 and send email to postmaster containing the same message, etc.
Better yet, why not just have it print to console "BIND INSECURE, UPGRADE, SHUTTING DOWN THE SERVER NOW" and then halt? Far more likely to get noticed.
Not enough traffic to be a DoS but enough to show up in various logs in case someone is looking at some of them.
If you have somebody looking a firewall or IDS logs, you won't need to be told to upgrade bind. Besides, plenty of networks who do stay current on application security would miss a little pretend DOS. The best solutions I can come up with all revert to the undesired "stop working" solution, in effect. My favorite notion, which I didn't even suggest because of Paul's mandate that the solution not involve breaking bind, would be to return, in response to every query, the IP address of a special website that says "THE VERSION OF BIND ON YOUR NAMESERVERS IS VULNERABLE" or whatever, and include instructions on how to upgrade. Sure, it will break everything except http, and flood this webserver with a ridiculous amount of unwanted traffic (bgp anycast with filtering everything not destined for port 80, to help stem that a little?), but at least people will know why nothing is working, once they fire up a browser. Looming large, of course, is the fact that people would have to upgrade to get any of this "security upgrade" functionality. So we'd really be only partially solving a problem in which we won't see any benefit for years to come, which is usually enough impetus to kill a project these days. Andy xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Andy Dills 301-682-9972 Xecunet, Inc. www.xecu.net xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Dialup * Webhosting * E-Commerce * High-Speed Access
participants (4)
-
Andy Dills
-
Michael.Dillon@radianz.com
-
Nathan J. Mehl
-
todd glassey