Vigil@nce - Bind: cache pollution via Response Rate Limiting
September 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When the Response Rate Limiting patch is installed on Bind, an
attacker can pollute the DNS cache.
Impacted products: BIND
Severity: 2/4
Creation date: 10/09/2013
DESCRIPTION OF THE VULNERABILITY
The RRL (Response Rate Limiting) patch can be installed on Bind.
It limits the replies sent by the DNS server, so that the server
cannot be used as an amplifier to attack another site. So, if an
attacker sends numerous DNS queries with a spoofed source IP address
of 1.2.3.4, the server detects it and does not send a reply to
1.2.3.4.
The "rate-limit" section of the Bind configuration contains a
"slip" parameter, which indicates that replies to one of the IP
addresses used for the attack have to be rejected or truncated (so
that the legitimate client will retry).
However, the value "slip 2" can be used to pollute a DNS cache.
Technical details are unknown.
When the Response Rate Limiting patch is installed on Bind, an
attacker can therefore pollute the DNS cache.
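One way to check a named.conf for the setting this bulletin names, as an added example that is not part of the Vigil@nce bulletin or of BIND: it reports the effective "slip" of every "rate-limit" block. The sample configuration is constructed, and treating a missing "slip" statement as 2 is an assumption taken from BIND's documentation, not from the bulletin.

```python
import re

FLAGGED_SLIP = 2  # the "slip" value the bulletin names
DEFAULT_SLIP = 2  # assumption from BIND's documentation, not from the bulletin
_SKIP = re.compile(r'"[^"\n]*"|/\*.*?\*/|(?://|#)[^\n]*', re.S)
_BLOCK = re.compile(r"(\bcategory\s+)?\brate-limit\s*\{")

def audit_slip(conf_text):
    """Return (line, effective_slip, explicit) for each rate-limit block."""
    # Blank quoted strings and comments first, keeping line breaks.
    text = _SKIP.sub(lambda m: "\n" * m.group(0).count("\n") or " ", conf_text)
    findings = []
    for m in _BLOCK.finditer(text):
        if m.group(1):  # "category rate-limit {...}" is a logging category
            continue
        depth, i = 1, m.end()
        while i < len(text) and depth:  # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        s = re.search(r"\bslip\s+(\d+)\s*;", text[m.end():i])
        line = text.count("\n", 0, m.start()) + 1
        findings.append((line, int(s.group(1)) if s else DEFAULT_SLIP, bool(s)))
    return findings

def flagged(conf_text):
    """Blocks whose effective slip equals the value named in the bulletin."""
    return [f for f in audit_slip(conf_text) if f[1] == FLAGGED_SLIP]

# Constructed sample configuration, not taken from a real server.
SAMPLE = '''\
options {
    // slip 1;  (commented out, must be ignored)
    rate-limit {
        responses-per-second 5;
        exempt-clients { 192.0.2.0/24; };
        slip 2;
    };
};
view "ext" {
    rate-limit { responses-per-second 10; };  /* no slip statement */
};
view "int" {
    rate-limit { responses-per-second 10; slip 1; };
};
logging { category rate-limit { default_syslog; }; };
'''

if __name__ == "__main__":
    for line, slip, explicit in flagged(SAMPLE):
        print(f"line {line}: slip {slip} ({'set' if explicit else 'default'})")
```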
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Bind-cache-pollution-via-Response-Rate-Limiting-13363