Time to Remove Bind

Discussion in 'Server Stuff' started by Mun, May 23, 2014.

Mun (Administrator)

    One of the biggest things about VPS, virtual private servers, is their unneeded software. It isn’t per se crapware, but you don’t need it by default. It lowers the total capacity/functionality of your VPS node, it is a security risk, and it is frankly bad for you in the long run.

    However, for this discussion I am going to talk about one program in particular, and it is called Bind. Bind is a DNS (domain name server) handling application and is very popular, and very useful when used properly. It is commonly installed on the VPS by default for this reason. However, this can be very bad if used improperly.

    As per Wikipedia:

    BIND (pron.:/ˈbaɪnd/), or named (/ˈneɪmdiː/), is the most widely used DNS software on the Internet.[3][4] On Unix-like operating systems it is the de facto standard.

    Originally written by four graduate students at the Computer Systems Research Group at the University of California, Berkeley (UCB), the name originates as an acronym from Berkeley Internet Name Domain,[5] reflecting the application’s use within UCB.

    BIND was first released with Berkeley Software Distribution 4.3BSD, and as such, it is free and open source software. Paul Vixie started maintaining it in 1988 while working for Digital Equipment Corporation. As of 2012, the Internet Systems Consortium maintains, updates, and writes new versions of BIND.

    To this day it is still very powerful, and I even use it in certain cases like DNS recursive/proxy handling at the school district I work for. Not only is it extremely powerful in this functionality, but it has made our internal DNS extremely resilient and fast. That particular server has been up for over 100 days and counting, and is a champ at handling ~1600 computers’ DNS queries on a daily basis. It does all this on a small 2 core VM with an average load of .20.

    However, many providers use a common template for OpenVZ environments, and in this template is usually bind, and a few other things. This actually is a bad thing, as many people don’t even know it is installed, and are thus oblivious to one of its most damaging problems. This problem is DNS reflection attacks, and they are probably one of the worst types of attacks that are currently roaming the internet. These attacks are commonly a part of a much larger attack called a DDOS, or distributed denial of service.

    Time to get technical:

    To do this an attacker creates a malformed packet. This malformed packet has a source address of the attacker’s victim. This is then sent by the attacker to a vulnerable DNS server, and asks for the root name server schema, which is then sent to the attacker’s victim. By asking for the root name server schema, the attacker has also amplified the attacker’s total bandwidth, and hidden his own attacking IP address. An attacker usually uses a large number of different hijacked nodes to query hundreds if not thousands of vulnerable DNS servers in a single attack. The main point of these attacks is to deny service to said site, app, or host.

    How is this possible? Well this is possible due to the network fabric that DNS was built on, called UDP. Unlike TCP, UDP doesn’t require a verification/confirmation packet. It simply sends and “prays” that it gets to the destination. i.e. phone calls. Since no verification is needed the DNS server unknowingly sends the response to the victim.


    This is showing off a simple DNS reflection attack

    The pic above shows a simple attack using only one vulnerable DNS node. All the attacker would have to do is query one of the many other nodes shown to expand the attack.


    Now you may ask why you should care? Well you should care because if you have bind installed on your VPS then you may unintentionally be used in said attack as one of the many vulnerable DNS nodes. This not only will use up your bandwidth, but you or your provider will also receive abuse tickets, and possibly even TOS violations. Now you aren’t intentionally attacking the victim, but you are being used, without your consent, as a participant in said DDOS.

    Long story short, if you don’t need bind, uninstall it.

    For Debian / Ubuntu / Mint or any other .deb platform:
    Code:
      apt-get remove bind9 bind9*

    Read the prompt carefully, and type “y” if you see no dependency issues.

    For CentOS, and Yum based platforms:
    Code:
      yum remove bind

    Read the prompt carefully, and type “y” if you see no dependency issues.
    For any other operating systems not shown, take a gander at google, and there should be a guide floating around the internet someplace.

    If you do need it, then check out NDS, or cloudflare.com who will host your DNS for free. (I personally suggest cloudflare.com)


    Some articles related to DNS Reflection attacks:

    http://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet
     
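A self-check for the condition the post describes, added here as an example and not part of the original post: it sends the same kind of recursive root NS query to a DNS server you operate and reports whether the server answered recursively and how much larger the reply was than the query. TARGET is a placeholder for your own VPS address, and SAMPLE_RESPONSE is a constructed reply used only to show the parser’s output offline.

```python
import socket
import struct

TARGET = "192.0.2.10"  # placeholder: your own VPS address (RFC 5737 documentation range)

def build_root_ns_query(txid=0x1234):
    """Recursive (RD=1) NS query for the root zone ".", the query the post describes."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + b"\x00" + struct.pack("!HH", 2, 1)  # QNAME ".", QTYPE NS, QCLASS IN

def parse_response(data):
    """Read the header flags and record counts out of a raw DNS reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "txid": txid,
        "ra": bool(flags & 0x0080),  # recursion available: the server will recurse for anyone
        "rcode": flags & 0x000F,     # 0 = NOERROR, 5 = REFUSED
        "records": an + ns + ar,     # everything the server was willing to send back
    }

def assess(query, response):
    """Decide whether the reply marks an open resolver and how much it amplifies the query."""
    r = parse_response(response)
    r["amplification"] = round(len(response) / len(query), 1)
    r["open"] = r["ra"] and r["rcode"] == 0 and r["records"] > 0
    return r

def check_resolver(host, port=53, timeout=2.0):
    """Send one root NS query to host from this machine; returns None if nothing came back."""
    query = build_root_ns_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None  # no reply: the server is not answering outsiders (or port 53 is filtered)
    return assess(query, data)

# Constructed sample reply: NOERROR, RA set, one NS record for "." naming a.root-servers.net.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x00\x00\x02\x00\x01"                               # question: ". NS IN"
    + b"\xc0\x0c" + struct.pack("!HHIH", 2, 1, 518400, 20)  # answer: name ptr, NS, IN, TTL, rdlen
    + b"\x01a\x0croot-servers\x03net\x00"                   # rdata: a.root-servers.net.
)

if __name__ == "__main__":
    print("sample reply:", assess(build_root_ns_query(), SAMPLE_RESPONSE))
    print(TARGET, "->", check_resolver(TARGET))
```

A server that has been removed or configured not to recurse for outsiders returns None or a REFUSED reply with "open" False; a real root NS reply is far larger than this sample, which is exactly the amplification the post warns about.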
