Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: BIND 8 and 9 Vulnerabilities / ISP Blocking Traffic yet / Sharing thoughts - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
BIND 8 and 9 Vulnerabilities / ISP Blocking Traffic yet / Sharing thoughts
BIND 8 and 9 Vulnerabilities

Two vulnerabilities in Internet Systems Consortium, Inc. (ISC) BIND were released today at UNIRAS(UK Gov CERT).


The first one will affect BIND versions v8.4.4 and v8.4.5 and may cause a Denial of Service. According the advisory, this vulnerability is rated as low.


As mitigation, the Internet System Consortium (ISC) recommended the following work-around:


- Disable recursion and glue fetching



A new version was released to fix this: 8.4.6


This advisory is at: http://www.niscc.gov.uk/niscc/docs/al-20050125-00059.html?lang=en


The second one is related to Bind 9 and affects BIND v9.3.0. It is also rated as low but may cause Denial of Service if exploited.


As mitigation, the advisory recommends the following work-around:


- Disable dnssec validation (off by default) at the Options/View level


A new version 9.3.1 was also released.

This advisory is at: http://www.niscc.gov.uk/niscc/docs/al-20050125-00060.html?lang=en


ISP Blocking Traffic yet

SANS ISC Handler John´s diary from yesterday gave a lot of feedback regarding the ISP blocking traffic topic.

While it was John´s opinion, I would like to give mine as well.
We received emails from people that agreed with what he wrote and people that didn't agree. I am in the middle of them.


One model that I like is from one telecom company in Brazil. For the home adsl user, they block ingress traffic to some well known problematic ports, like ´hack-me´ 137-139, 445, and some service ports like 80, 1434, 1433,etc...according this company it reduced a lot the impact of some worms.
They are now thinking about egress traffic, like for port 445. This is a good solution because the ingress block would prevent some worms from reaching the machine and the egress filter would prevent their infected users from scanning and infecting other network(s).


Corporate adsl users with static IP address are far more difficult and I dont believe that any filtering rules would work with them. They ´bought´ a link, and they must have access to all kind of traffic. Of course, if that traffic doesn't violate an AUP (Acceptable Use Policy).

Sharing thoughts...

Some web sites are reproducing an interview with a brazilian guy who wrote a virus for mobile devices and posted the source code in his site.

I was upset with that article because it makes Brazil look like it is something of a 'no-man´s-land'...

I just would like to say some things in this article are wrong.


Is wrong to think that write virus is a good way to disseminate knowledge, like the virus' author says.


Is wrong to think that Brazil is not using it´s resources to fight hackers. They are doing a really nice job over there, fighting and arresting the miscreants. Laws are being changed to get them. The Brazilian CERTs (CAIS/NBSO) are doing great things there.

In short, there are still a lot of things to do, but we are moving on...and there is no 'good thing' in writing and disseminate virus and malwares...


ok...enough rant for my first diary of the year...:)

--------------------------------------------------------

Handler on Duty: Pedro Bueno (pbueno /AT/ isc.sans.org)
Handlers

76 Posts

Sign Up for Free or Log In to start participating in the conversation!