Title: Nameserver Traffic Amplification and NS Route Discovery Vulnerability
Severity: MODERATE
Description:
A potential denial of service (hence forth referred to as DoS) attack exists in the default configuration of many popular DNS servers. If a server allows for remote hosts to query it for hosts other than those it serves, causing recursion, it may be possible to cause traffic amplification. While the numbers of packets amplified by a single server will not be likely to cause a denial of service, by exploiting the hierarchical nature of DNS, it becomes possible to cause large amounts of traffic to be directed to a single site.
The vulnerability exists in the way name servers will behave in the event that they are unable to receive replies for a domain from a nameserver they consider authoritative. When a nameserver receives a query, it is typically forwarded up a chain of DNS server. If the query cannot be resolved because there is no nameserver listening on the remote host, every forwarding nameserver will attempt to resolve the nameserver themselves. These are typically retried three times, at 0, 12 and 24 seconds. In this case, the traffic is significantly multiplied. By abusing multiple nameservers, it becomes possible to send a large quantity of data to a given network, with packet sizes as large as 500 bytes.
Affected Products:
- HP HP-UX 10.10.0
- HP HP-UX 10.20.0
- HP HP-UX 10.24.0
- HP HP-UX 11.0.0
- HP HP-UX 11.0.0 4
- HP HP-UX 11.11.0
- ISC BIND 4.9.7
- ISC BIND 4.9.7-T1B
- ISC BIND 8.1.0
- ISC BIND 8.1.1
- ISC BIND 8.1.2
- ISC BIND 8.2.0
- ISC BIND 8.2.1
- ISC BIND 8.2.2
References:
- ISC: ISC BIND
- Teso: Teso Security Team Home Page
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
