Red Hat Bugzilla – Bug 873624
bind: Backport Response Rate Limiting (DNS RRL) patch into Red Hat Enterprise Linux 6
Last modified: 2014-12-16 15:29:26 EST
Description of problem:
Originally, the CVE-2006-0987 identifier was assigned to the following issue:
The default configuration of ISC BIND, when configured as a caching name server, allows recursive queries and provides additional delegation information to arbitrary IP addresses, which allows remote attackers to cause a denial of service (traffic amplification) via DNS queries with spoofed source IP addresses.
This issue is covered in bug #873618 (the bind package as shipped with Red Hat Enterprise Linux 6 is not affected by this issue in the default configuration).
But in the configuration where bind is configured to listen for requests from authorized clients, a DDoS attack might be possible.
Therefore the point of this bug is to request a backport of the DNS RRL patch suggested by Adam Tkac:
which would help mitigate the impact of DDoS attacks also for these configurations.
But since the Red Hat Security Response Team would not consider this backport to be correcting a security flaw (it's more a security hardening for a non-default configuration), it is reported under this record.
Version-Release number of selected component (if applicable):
See bug #873618 and its References for further details.
Note that it _is_ a security flaw.
Allowing our servers to become a functional part of an amplification attack is a security risk. It could damage the network the server is running in (as well as our reputation).
However, this is more a problem for bind when it is an authoritative server, not when it is a recursive server. The amplification bounces off the authoritative name servers, which _DO_ need to listen/answer to the world at large.
I believe it is prudent to apply the patch, and leave a commented-out rate limit section in the named.conf file, so that _when_ people are being abused in an amplification attack, they have the option of simply enabling the rate limit option without the requirement for recompiles of a patched bind.
The patch has been tested on authoritative servers powering large TLDs.
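The rate-limit behaviour the comment above refers to, modelled as an added example rather than code from the RRL patch or the bind package; it assumes a simplified credit balance using BIND's responses-per-second, window and slip parameters, per-/24 client accounting, and constructed sample queries. The "slip" outcome is the small truncated reply that lets a genuine client retry over TCP while spoofed traffic gets no amplification.

```python
from collections import defaultdict
from ipaddress import ip_network

class ResponseRateLimiter:
    """Simplified model (not BIND's own code) of DNS Response Rate Limiting:
    identical responses (same client prefix, qname, qtype) each cost a credit;
    credits refill at `rps`/s up to `rps`, and the balance may sink to
    -rps*window so a flood stays limited briefly after it stops. Over-limit
    responses are dropped except every `slip`-th, sent truncated (TC=1)."""

    def __init__(self, rps=5, window=5, slip=2, prefix_len=24):
        self.rps, self.window, self.slip, self.prefix_len = rps, window, slip, prefix_len
        self.buckets = {}                # key -> (credit balance, last timestamp)
        self.limited = defaultdict(int)  # key -> over-limit responses seen

    def _key(self, client_ip, qname, qtype):
        # Spoofed sources are accounted per IPv4 block, not per address.
        net = ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype.upper())

    def check(self, client_ip, qname, qtype, now):
        """Return 'send', 'slip' or 'drop' for one response at time `now`."""
        key = self._key(client_ip, qname, qtype)
        balance, last = self.buckets.get(key, (self.rps, now))
        balance = min(self.rps, balance + (now - last) * self.rps)  # refill
        balance = max(balance - 1, -self.rps * self.window)         # spend
        self.buckets[key] = (balance, now)
        if balance >= 0:
            return "send"
        self.limited[key] += 1
        if self.slip and self.limited[key] % self.slip == 0:
            return "slip"
        return "drop"

def simulate(limiter, queries):
    """Feed (timestamp, client_ip, qname, qtype) tuples through the limiter
    and count how many responses were sent, slipped and dropped."""
    counts = {"send": 0, "slip": 0, "drop": 0}
    for ts, ip, qname, qtype in queries:
        counts[limiter.check(ip, qname, qtype, ts)] += 1
    return counts

# Constructed sample: a spoofed-source ANY flood from one /24 mixed with a few
# ordinary queries (RFC 5737 documentation addresses).
SAMPLE_QUERIES = [(0.0, "192.0.2.10", "example.com", "ANY")] * 20 + [
    (0.0, "192.0.2.10", "example.com", "A"),
    (0.0, "198.51.100.7", "www.example.com", "A"),
    (0.1, "198.51.100.7", "example.com", "MX"),
    (0.2, "198.51.100.7", "example.com", "ANY"),
]
```

Running `simulate(ResponseRateLimiter(), SAMPLE_QUERIES)` shows the flood cut to 5 full answers, 7 truncated slips and 8 drops while the other client's queries are all answered.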
We just hit this today with the fedoraproject.org servers. ;(
An official package with the patches would be most welcome.
I can only imagine other places have hit this same issue, or will moving forward.
Created attachment 687546
graphical statistics of patch in action
Success of the patch can be clearly seen here.