Bug 873624 - bind: Backport Response Rate Limiting (DNS RRL) patch into Red Hat Enterprise Linux 6
Summary: bind: Backport Response Rate Limiting (DNS RRL) patch into Red Hat Enterprise...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: bind
Version: 6.5
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Tomáš Hozza
QA Contact: qe-baseos-daemons
URL: http://www.redbarn.org/dns/ratelimits
Whiteboard:
Depends On:
Blocks: 906312 1174953
Reported: 2012-11-06 10:59 UTC by Jan Lieskovsky
Modified: 2018-12-04 14:50 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1174953
Environment:
Last Closed: 2013-11-14 10:48:31 UTC
Target Upstream Version:
Embargoed:


Attachments:
graphical statistics of patch in action (15.49 KB, image/png), 2013-01-25 16:27 UTC, Paul Wouters

Description Jan Lieskovsky 2012-11-06 10:59:04 UTC
Description of problem:
Originally, the CVE-2006-0987 identifier has been assigned to the following issue:

The default configuration of ISC BIND, when configured as a caching name server, allows recursive queries and provides additional delegation information to arbitrary IP addresses, which allows remote attackers to cause a denial of service (traffic amplification) via DNS queries with spoofed source IP addresses. 

This issue is covered in the bug #873618 (the bind package as shipped with Red Hat Enterprise Linux 6 is not affected by this issue in the default configuration).

But in the configuration where bind is configured to listen for requests from authorized clients, the DDoS attack might be possible.

Therefore the point of this bug is to request backport of DNS RRL patch suggested by Adam Tkac:
  http://www.redbarn.org/dns/ratelimits

which would help mitigate the impact of DDoS attacks also for these configurations.

But since Red Hat Security Response Team would not consider this backport to be correcting a security flaw (it's more a security hardening for a non-default configuration), it is reported under this record.

Version-Release number of selected component (if applicable):
bind-9.8.2-0.10.rc1.el6_3.5

Additional info:
See bug #873618 and its References for further details.

Comment 3 Paul Wouters 2012-11-09 16:16:54 UTC
Note that it _is_ a security flaw.

Allowing our servers to become a functional part of an amplification attack is a security risk. It could damage the network the server is running in (as well as our reputation).

However, this is more a problem for bind when it is an authoritative server, not when it is a recursive server. The amplification bounces off the authoritative name servers, which _DO_ need to listen/answer to the world at large.

I believe it is prudent to apply the patch, and leave a commented out rate limit section in the named.conf file, so that _when_ people are being abused in an amplification attack, they have the option of simply enabling the rate limit option without the requirement for recompiles of a patched bind.

The patch has been tested on authoritative servers powering large TLDs.
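One way to carry out what Comment 3 proposes, as an added example that is not from the bug report or the bind package: a named.conf fragment for an authoritative server with the rate-limit block left commented out, so it can be switched on without a rebuild. The directive names are the RRL patch's own; the numeric values, the log file path and the exempt prefix are assumed starting points, not values taken from this bug.

```conf
// Added example (not from the bug or the bind package): named.conf in the
// shape Comment 3 proposes. The rate-limit block ships commented out; an
// operator whose server is being used for amplification uncomments it.
options {
    directory "/var/named";
    recursion no;              // authoritative-only: must answer the world

    // Uncomment to enable Response Rate Limiting (requires RRL-patched bind).
    // rate-limit {
    //     responses-per-second 5;   // identical answers per client prefix per second
    //     window 5;                 // seconds over which that credit is averaged
    //     slip 2;                   // every 2nd limited response is sent truncated
    //                               // (TC=1) so a genuine client retries over TCP
    //                               // while a spoofed victim gets a tiny packet
    //     ipv4-prefix-length 24;    // clients are counted per /24, since spoofed
    //     ipv6-prefix-length 56;    // sources vary within a block
    //     log-only yes;             // trial mode: log what would be limited, drop
    //                               // nothing; set to "no" once thresholds look right
    //     // exempt-clients { 192.0.2.0/24; };  // constructed example: secondaries
    // };
};

logging {
    channel rrl_log {
        file "/var/named/data/rrl.log" versions 3 size 5m;   // assumed path
        severity info;
        print-time yes;
    };
    // RRL reports its drop/slip decisions under the "rate-limit" category,
    // which is what confirms the limiter is working during an attack.
    category rate-limit { rrl_log; };
};
```

Run with `log-only yes` first and read rrl.log to check that only the flood is being limited before turning enforcement on.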

Comment 4 Kevin Fenzi 2013-01-24 20:44:58 UTC
We just hit this today with the fedoraproject.org servers. ;( 

An official package with the patches would be most welcome. 

I can only imagine other places have hit this same issue, or will moving forward.

Comment 10 Paul Wouters 2013-01-25 16:27:26 UTC
Created attachment 687546
graphical statistics of patch in action

Success of the patch can be clearly seen here.
