Last week reports began to appear that a new vulnerability had been found in the Bind DNS server software. It was said to be such a simple denial of service exploit, and one that could affect so many different servers around the world, that unless those responsible for keeping systems updated patched it in short order, many of the most popular Internet destinations could be downed. It’s now just a few days later, and attacks have already begun.
“Because of its severity we’ve been actively monitoring to see when the exploit would be live,” Daniel Cid, founder and CTO of security firm Sucuri said in a blog post. He went on to point out that with the DNS server being such a major component of the Internet’s infrastructure, any downing of them on a large scale could see people’s ability to not only visit certain sites disappear, but could also affect email accounts.
Fortunately for those only just now discovering the problem, there is a simple fix. A patch was recently released that corrects the issue (available via Ars) and is currently the only method available to shore up a server’s defenses.
There is a way to discover whether your server has been targeted by the bug: check your logs for any mention of “ANY TKEY.” If that turns up, chances are the DNS server has been hit.
In reality, searching the logs for any mention of a TKEY request at all isn’t a bad plan, since such requests are not a common occurrence and are likely to indicate an attempt to exploit the security loophole.
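As an added example (not code from the article or from Sucuri), here is a small log check that implements the advice above: it scans lines in BIND's query-log format for TKEY queries and counts them per client. The log lines are constructed samples, and the regex assumes BIND's standard `client ... query: <name> <class> <type>` layout.

```python
import re
from collections import Counter
from typing import Iterable

# Constructed sample lines in BIND query-log format (not taken from any real server).
SAMPLE_LOG = """\
28-Jul-2015 13:22:14.101 queries: info: client 192.0.2.10#53123 (www.example.com): query: www.example.com IN A + (203.0.113.5)
28-Jul-2015 13:22:15.204 queries: info: client 198.51.100.7#40021 (example.com): query: example.com ANY TKEY + (203.0.113.5)
28-Jul-2015 13:22:15.318 queries: info: client 192.0.2.10#53124 (mail.example.com): query: mail.example.com IN MX + (203.0.113.5)
28-Jul-2015 13:22:16.009 queries: info: client 198.51.100.7#40022 (example.com): query: example.com IN TKEY + (203.0.113.5)
"""

# Captures client address, query name, class and record type from a BIND query-log line.
# The optional "@0x..." token is the client-object pointer newer BIND versions log.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<client>[\d.:a-fA-F]+)#\d+ \([^)]*\): query: "
    r"(?P<name>\S+) (?P<cls>IN|CH|HS|ANY) (?P<qtype>[A-Z0-9]+)"
)


def find_tkey_queries(lines: Iterable[str]) -> list[dict]:
    """Return one record per TKEY query found in the given log lines.

    The article says to look for "ANY TKEY"; this also flags TKEY with class IN,
    because the record type, not the class, is the signal worth alerting on.
    """
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m and m.group("qtype") == "TKEY":
            hits.append({"client": m.group("client"), "name": m.group("name"), "cls": m.group("cls")})
    return hits


def tkey_clients(lines: Iterable[str]) -> Counter:
    """Count TKEY queries per client address so noisy sources stand out."""
    return Counter(h["client"] for h in find_tkey_queries(lines))


if __name__ == "__main__":
    for client, count in tkey_clients(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {count} TKEY query(ies)")
```

On a production server the same functions can be fed `open("/var/log/named/query.log")` instead of the sample text.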
Keeping software up to date is always the best practice for protecting systems, but it’s not always easy with the way these flaws pop up.