BIND, the dominant DNS server software on the Internet, is vulnerable to a serious cache-poisoning attack that could enable an attacker to fool users rather easily into visiting a malicious Web site.
The attack, which is similar to other, previously disclosed cache-poisoning techniques used against BIND and other DNS servers, takes advantage of the fact that the DNS transaction ID numbers are predictable in BIND 9. This weakness allows an attacker to then trick a DNS server into caching his malicious DNS record as the authentic record for a legitimate Web site. Then, as users visit the site's legitimate URL, they would be served the attacker's page instead of the one they were requesting. The possibilities for the attacker at this point are myriad.
The new attack method was laid out in a paper on BIND 9 flaws by Amit Klein , chief technology officer of security vendor Trusteer, who has done quite a bit of work on Web-related threats in the past. Klein says that his technique makes it much easier for attackers to poison the DNS server cache than did previously known attacks. "The net effect is that pharming attacks are feasible against BIND 9 caching DNS servers, without the need to directly attack neither DNS servers nor clients (PCs)," he writes in the paper.
Berkeley Internet Name Domain (BIND) is the de facto standard for DNS server software, and has been in wide use on the Internet for more than 20 years. BIND 9 is the latest version of the server, and was rebuilt from the ground up in an effort to do away with some of the earlier problems in the original code base. According to Klein's paper, all versions of BIND from 9.0 through 9.4 are vulnerable to the attack.
In the SANS Internet Storm Center's daily diary , ISC handler Johannes Ulrich said the attack does not appear to be difficult to implement. "Once the attacker knows the 'state' of the target's BIND install, it is possible to forge a response. DNS uses UDP by default. Each query sent by the DNS server includes a random transaction ID. The server responding to the query will include this transaction ID so the querying DNS server knows what query is answered by this particular response. BIND always uses the same source port for its queries. The attack appears to be quite feasible. Probably the main difficulty will be to get the spoofed packet routed. But unless the attackers network implements strict egress filtering, this is very much a feasible attack. Best to patch your BIND server soon," Ullrich writes.
The Internet Systems Consortium, which maintains BIND, has issued a new version of the software, BIND 9.4.1 , which corrects the transaction ID predictability problem.