Hackers could take advantage of a newly-discovered flaw in the BIND DNS server software to disrupt the internet, experts have warned.
The flaw was announced and patched by the Internet Systems Consortium (ISC) late last week. It is rated critical because a single packet is enough to bring down both authoritative and recursive DNS servers.
That DNS query packet triggers a REQUIRE assertion failure in BIND, which then exits; the packet is said to be trivial to construct.
Working exploit code is already circulating. ISC said today it had been informed that proof-of-concept exploit code had been made public, and advised affected parties to act immediately.
"As this development significantly increases the potential risk that this vulnerability will be exploited by those with a mind to do so, please take steps to patch or upgrade to a secure version as soon as possible," it advised.
ISC's Michael McNally, who has headed up efforts to address the bug, said there is no workaround other than applying the patch.
"The practical effect of this is that this bug is difficult to defend against (except by patching, which is completely effective) and will not be particularly difficult to reverse-engineer," McNally said.
"I have already been told by one expert that they have successfully reverse-engineered an attack kit from what has been divulged and from analysing the code changes, and while I have complete confidence that the individual who told me this is not intending to use his kit in a malicious manner, there are others who will do so who may not be far behind.
"Screening the offending packets with firewalls is likely to be difficult or impossible unless those devices understand DNS at a protocol level and may be problematic even then," he said.
Rob Graham, CEO of penetration testing firm Errata Security, warned in a blog post how easy crashing large parts of the internet could be.
"I could use my 'masscan' tool to blanket the internet with those packets and crash all publicly facing BIND9 DNS servers in about an hour," he said.
“A single vulnerability doesn't mean much, but if you look at the recent BIND9 vulnerabilities, you see a pattern forming. BIND9 has lots of problems -- problems that critical infrastructure software should not have.”
He said the biggest problem was that BIND has "too many features".
"It attempts to implement every possible DNS feature known to man, few of which are needed on publicly facing servers. [This] bug was in the rarely used 'TKEY' feature, for example," he said.
"DNS servers exposed to the public should have the minimum number of features -- the server priding itself on having the maximum number of features is automatically disqualified."
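McNally's point about firewalls, and Graham's about the rarely used TKEY feature, both come down to the same practical question: can a device in front of BIND recognise a TKEY message at all? The following is an added example, not code from the article, from ISC or from BIND: a minimal DNS-message parser in Python that walks every section of a message and reports any TKEY record (RR type 249, RFC 2930). It assumes the DNS payload has already been extracted from the UDP datagram (TCP length framing is not handled), the sample messages are constructed rather than captured, and the "drop any TKEY" policy is an assumption of the example. It is a coarse screen only: legitimate TKEY traffic (GSS-TSIG) would be dropped too, it does not identify the specific crashing packet, and it is no substitute for the patch, which McNally notes is the only complete fix.

```python
import struct

TKEY = 249  # RR type code for TKEY (RFC 2930)


class DNSParseError(ValueError):
    """Raised for truncated or malformed DNS messages."""


def _read_name(buf, off):
    """Decode a domain name at buf[off]; returns (name, offset_after_name).

    Handles RFC 1035 compression pointers, with a hop limit against loops.
    """
    labels, end, jumped, hops = [], off, False, 0
    while True:
        if off >= len(buf):
            raise DNSParseError("truncated name")
        length = buf[off]
        if length == 0:  # root label terminates the name
            if not jumped:
                end = off + 1
            break
        if (length & 0xC0) == 0xC0:  # compression pointer
            if off + 1 >= len(buf):
                raise DNSParseError("truncated pointer")
            ptr = ((length & 0x3F) << 8) | buf[off + 1]
            if not jumped:
                end = off + 2  # the pointer is the last thing in the wire name
            jumped, hops = True, hops + 1
            if hops > 64 or ptr >= len(buf):
                raise DNSParseError("bad compression pointer")
            off = ptr
            continue
        if length & 0xC0:  # 0x40/0x80 label types are not supported here
            raise DNSParseError("unsupported label type")
        off += 1
        if off + length > len(buf):
            raise DNSParseError("truncated label")
        labels.append(buf[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels) or ".", end


def tkey_records(msg):
    """Return [(section, owner_name), ...] for every TKEY RR in the message."""
    if len(msg) < 12:
        raise DNSParseError("short header")
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, hits = 12, []
    for _ in range(qd):  # question section: name, QTYPE, QCLASS
        name, off = _read_name(msg, off)
        if off + 4 > len(msg):
            raise DNSParseError("truncated question")
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        if qtype == TKEY:
            hits.append(("question", name))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):  # RR: name, TYPE, CLASS, TTL, RDLENGTH, RDATA
            name, off = _read_name(msg, off)
            if off + 10 > len(msg):
                raise DNSParseError("truncated RR")
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if off + rdlen > len(msg):
                raise DNSParseError("truncated RDATA")
            off += rdlen
            if rtype == TKEY:
                hits.append((section, name))
    return hits


def screen(msg):
    """Assumed screening policy: drop anything carrying TKEY or that fails to parse."""
    try:
        hits = tkey_records(msg)
    except DNSParseError:
        return "drop-malformed"
    return "drop-tkey" if hits else "pass"


def _encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split(".") if l)
    return out + b"\x00"


def build_query(qname, qtype):
    """Construct a minimal one-question query (test input, not captured traffic)."""
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + _encode_name(qname) + struct.pack("!HH", qtype, 1)


# Constructed samples: an ordinary A query, a TKEY query, and an A query whose
# additional section carries a TKEY RR with a compressed owner name (0xC00C
# points back at the question name at offset 12).
SAMPLE_A_QUERY = build_query("example.com", 1)
SAMPLE_TKEY_QUERY = build_query("example.com", TKEY)
SAMPLE_TKEY_IN_ADDITIONAL = (
    struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    + _encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", TKEY, 1, 0, 0)
)

if __name__ == "__main__":
    for label, sample in (("A query", SAMPLE_A_QUERY), ("TKEY query", SAMPLE_TKEY_QUERY),
                          ("TKEY in additional", SAMPLE_TKEY_IN_ADDITIONAL)):
        print(f"{label:20} -> {screen(sample)} {tkey_records(sample)}")
```

The parser walks all four sections rather than only the question, because the article does not say where in the message the offending record sits, and because an owner name in a later section is often a compression pointer, which a byte-pattern match on "type 249" would not reliably catch. Dropping malformed messages is a deliberate choice here, since a resolver gains nothing from them, but on a busy edge device that decision deserves its own logging.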
TK Keanini, CTO at Lancope, said affected parties should apply the patch as soon as possible.
“Know that attackers are certainly going to take action as their success is almost guaranteed,” he said.
"A well designed DNS system should have very few outages with the patch because the infrastructure is so distributed, and putting the patched system into production can be cut over in seconds, tested, and rolled back in only another few seconds.
"This is not hard stuff, people: patch, and patch now."
David Ashton of network security consultancy Sec-1 said it was difficult to estimate the effect of the vulnerability.
“All major service providers will be running some levels of DNS resilience so it's likely that they will be patching systematically in a way that mitigates any downtime,” he said.