BIND, the Berkley Internet Name Domain service, provides forward (authoritative) and recursive (non-authoritative) DNS lookups for the majority of the internet as we know it. A security vulnerability outlined here shows that a specially crafted packet can cause the DNS daemon to stop functioning. It is imperative that all “master” DNS servers get updated immediately. More general information on BIND can be found on their site here.
CVE Information: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0696
RHEL Bug Information: https://bugzilla.redhat.com/show_bug.cgi?id=514292
The NVD at NIST reports the following overview of this issue:
The dns_db_findrdataset function in db.c in named in ISC BIND 9.4 before 9.4.3-P3, 9.5 before 9.5.1-P3, and 9.6 before 9.6.1-P1, when configured as a master server, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an ANY record in the prerequisite section of a crafted dynamic update message, as exploited in the wild in July 2009.
Updating BIND on RHEL/CentOS (4/5)
Updated packages are available to assure you are running the latest release.
Use this command to update bind on yum-based systems:
# yum –y update bind
Updating BIND on Debian / Ubuntu
# apt-get update
# apt-get upgrade
# /etc/init.d/bind9 restart
The RioRey solution is a DDoS protection device not widely used or heard of … yet. First of all let me assure you that I am in no way associated with the RioRey company and my focus is to give an honest and unbiased opinion of their product offerings.
The RioRey device is a rack-mountable device with one copper management port and two copper or fiber (Multimode SX/LC or Singlemode LX/LC) ports. Their products tier in the volume of packets per second they are able to mitigate under a real DDoS attack. They range from 150K packets per second (PPS) to their newest eight rack unit 16M packets per second model. The model I have had the most experience with is their entry-level 150K PPS model. This will be the model I talk about in the remainder of this article.
Using the device is a breeze. Installation is as simple as installing it in line to the closest “edge” of your connection. For most companies and hosting providers this would be at their handoff from their bandwidth provider (e.g. Cogent, ATT) The device can be purchased (at no additional cost) with the ability to fail to bypass. This means that if the device has a hardware failure the device will act as a straight-through cable and continue to pass traffic. In testing this device did not even trip external monitoring when simulating failure.
The device comes with a very primitive web interface which is used for setting up low-level functions like syslog reporting and IP addressing of the management interface. The device comes with a pre-configured IP address to access this web console for first installation. The device also comes with their management software called “rView” This software allows you to view the status of the device, perform reports, get real-time insight into current attacks and customize how the device behaves under attack. The device also has the ability to send SNMP traps, log to syslog and email when an attack is detected.
Real World Experience
I’ve personally and (un)fortunately had this device work for me. This device was blocking a 1.3GBit/sec UDP flood and was currently only linked at 100mbit. All sites/devices/services behind the RioRey were still responsive. The sites did notice a small uptick in response time but no dropped packets or requests. The device performed as advertised and their patented Micro Behavioral Analysis (MBA) algorithms performed beautifully. Within 60 seconds the attack was mitigated and “polluted” traffic was removed. The graph on the right illustrates how fast the traffic was blocked. Notice the blue line grow and then almost instantly disappears. This blue line is the “after filtering” traffic (the traffic passed to the LAN interface.) The attack traffic was almost instantly mitigated- all without human intervention.
This device is a very valuable tool. It’s kind of like a fire extinguisher, when you need it you really need it; when you don’t need it you never really even know or care to know that it’s there. Was it worth the investment? It’s hard to gauge these things after an attack is mitigated. If we didn’t have the device under attacks it would be much harder to identify the attacker and the victim and would cause more downtime simply analyzing the traffic to find the source(s).
I believe the device is well worth it. It’s entry-level pricing is second to none (when compared to other solutions) and it allows a level of protection that most never thought possible for the price. To obtain more information and pricing please visit The RioRey Site.
If you have any questions about the device and would like to contact me for more information please post a comment or email Adam [at] Admo.net for more information!
Symbolic links allow an administrator to point a link (file or directory) to another real location.
How do I create a symbolic link?
# ln –s [target file/directory] /link/location/to/file/or/directory
For example, you wish to link /etc/httpd/conf to point to the real location of /usr/local/apache/conf
The command would look like this:
# ln –s /usr/local/apache/conf /etc/httpd/conf
Assure that the destination for your link (in our example this would be /usr/local/apache/conf) does not already exist.