Denial of Service vulnerabilities back in the spotlight – patch BIND now!

Until recently, only remote code execution vulnerabilities have made the mainstream news.

These are the bug strains which may let an attacker get into your computer if you do nothing more than simply read an email, look at a web page, or even just connect to the internet.

But simple Denial of Service (DoS) vulnerabilities are newsworthy again, it seems. A DoS – not to be confused with DOS, which was an operating system of sorts – is where an attacker tries to slow down or to crash a computer.

That DoS vulnerabilities are back in the spotlight is hardly surprising, given the rabble-rousing noise made recently by Anonymous to encourage individuals to join voluntary DoS attacks against major companies such as MasterCard and PayPal. (When lots of computers initiate a DoS attack at the same time, the result is a DDoS, or Distributed Denial of Service attack. A DDoS is just a DoS scaled up for even greater havoc.)

DoSses are a big deal. Uptime is a significant measure of the on-line credibility of a business these days. If you have seen the film The Social Network you’ll probably remember Fake Mark Zuckerberg ranting about how Facebook never goes down, mustn’t go down, can’t go down. For Fake Mark, that was a key business differentiator.

And the latest DoS vulnerability on the newswires is potentially troublesome. It’s a flaw in BIND, almost certainly the most widely-used DNS server in the world. DNS, or the Domain Name Services, is the global system which converts names such as into IP numbers such as To say it’s an important service is a serious understatement.

The details of the vulnerability are listed under the identifier CVE-2011-0414.

In short, authoritative name servers can be tricked into a deadlock when an incremental zone transfer (IXFR) happens.

To explain: an authoritative name server is one which contains official data about name-to-number mappings for a domain. (Caching name servers simply ask authoritative name servers and remember the answers for a while to help reduce load on the authoritatives.) A zone transfer is when one name server sends information to another server about changes to the official DNS records. And an incremental zone transfer, if you will pardon me stating the obvious, is one in which only recent changes are exchanged, to save time and bandwidth.

Finally, deadlock is when a computer program gets stuck. Part A waits for part B, but part B waits for part A. Deadlock, in a literary flourish rarely seen in computer science, is also known as deadly embrace.

The internet is very large, and changes very rapidly. Over the past five years, the number of computers online has increased by about 300,000 per day – and that’s just the aggregate increase, not taking account of the total number added and removed.

So IXFRs between authoritative name servers are a vital part of keeping DNS both alive and correct. Indeed, DNS servers are at the heart of many cloud-style security services, providing the mechanism by which up-to-date blocklist data is published. IXFRs between cloud-security DNS servers are critical to keeping that blocklist information current.

What does this mean?

If you are running a BIND DNS server, and you’re on version 9.7, you should update as soon as you can to the latest patch release, version 9.7.3.
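One way to turn that advice into a repeatable check, as an added example rather than anything from the original article or from ISC: it assumes the version string comes from `named -v` or from a `version.bind` CHAOS TXT query against the server (both of which are standard BIND behaviour), and it flags only 9.7.x releases older than 9.7.3, which is the scope this article describes.

```python
import re
import subprocess

# Policy taken from the advice above: BIND 9.7.x before 9.7.3 needs the update.
# Other branches (e.g. the 9.6 shipped with OS X 10.6.6) are out of scope here.
AFFECTED_BRANCH = (9, 7)
FIXED_VERSION = (9, 7, 3, 0, 0)  # (major, minor, patch, P-level, pre-release flag)

# Matches "BIND 9.7.2-P3" from `named -v` as well as the bare "9.7.2-P3"
# that a `dig version.bind CH TXT` query returns. Assumed format, see lead-in.
_VERSION_RE = re.compile(
    r"(?:BIND\s+)?(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?(?:(rc|b)(\d+))?", re.IGNORECASE
)


def parse_bind_version(text):
    """Return a comparable tuple (major, minor, patch, plevel, pre) or None.

    A "-P2" patch release sorts above its base version; an "rc1" or "b1"
    pre-release sorts below the final release it precedes.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    plevel = int(m.group(4)) if m.group(4) else 0
    pre = -1 if m.group(5) else 0  # negative so rc/beta sort before the release
    return (major, minor, patch, plevel, pre)


def needs_update(version):
    """True when the version is on the 9.7 branch and older than 9.7.3."""
    return version is not None and version[:2] == AFFECTED_BRANCH and version < FIXED_VERSION


def check_named_binary(path="named"):
    """Run `named -v` on this host; returns (version_tuple, needs_update)."""
    out = subprocess.run([path, "-v"], capture_output=True, text=True).stdout
    version = parse_bind_version(out)
    return version, needs_update(version)


if __name__ == "__main__":
    # Constructed sample strings, as the two query methods would report them.
    for sample in ("BIND 9.7.2-P3", '"9.7.3"', "BIND 9.6.2-P3"):
        v = parse_bind_version(sample)
        print(sample, "->", v, "update needed" if needs_update(v) else "ok")
```

Running the script on the server itself (or pointing `check_named_binary` at the right `named` path) gives an immediate yes/no against the 9.7.3 threshold; a `version.bind` answer can be fed to `parse_bind_version` the same way.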

(As an aside, Apple ships every Macintosh with a copy of BIND. Most users don’t run it, and so aren’t affected. Those who do are lucky this time – OS X 10.6.6, the latest version, comes with BIND 9.6. Sometimes, being behind the curve is a good thing.)