Vigil@nce - BIND: bypassing SRTT
August 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can abuse a weakness of the SRTT (Smoothed Round Trip
Time) algorithm, in order to force a BIND recursive server to
prefer one authoritative server among several.
Impacted products: BIND
Severity: 1/4
Creation date: 14/08/2013
DESCRIPTION OF THE VULNERABILITY
A DNS zone can be served by several authoritative servers.
The SRTT (Smoothed Round Trip Time) algorithm associates a weight
with each authoritative server, in order to prefer the fastest one
(the one with the lowest weight). A decay operation progressively
lowers the weight of the servers that were not chosen, so that
they are eventually queried again.
An attacker can query a recursive DNS server for a name in a
domain for which he controls an authoritative server, and have
that server delegate the name to a group of DNS servers. If the
first servers of the group do not reply, the last one, which does
reply, obtains a low weight in the recursive server's SRTT table.
There are two attack variants, detailed in the paper. The attacker
thus promotes the last DNS server to the preferred server in the
recursive server.
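The following simulation, added here as an illustration and not taken from BIND or from the paper, models the weighting, decay and promotion described above. The update rules and constants (smoothing factor ALPHA, TIMEOUT_PENALTY_US, AGE_FACTOR, the server names ns1/ns2/ns3 and their RTTs) are assumptions chosen to mimic the described behaviour, not BIND's actual values. It shows a resolver that initially prefers ns1, then prefers ns3 after one attack round in which the other servers stay silent, and how many honest rounds the decay needs before ns1 is tried again.

```python
"""
Toy model of SRTT-based name server selection in a recursive resolver.

Added example, not BIND's code: the constants below are assumptions
chosen to reproduce the behaviour described in the bulletin.
"""

ALPHA = 0.7                   # assumed: share of the old SRTT kept on a reply
TIMEOUT_PENALTY_US = 200_000  # assumed: added to the SRTT of a silent server
AGE_FACTOR = 0.98             # assumed: decay applied to servers not queried


def select(srtt):
    """Return the server with the lowest SRTT (ties: insertion order)."""
    return min(srtt, key=lambda s: srtt[s])


def record_reply(srtt, server, rtt_us):
    """Smooth a measured round trip time into the server's SRTT."""
    srtt[server] = ALPHA * srtt[server] + (1 - ALPHA) * rtt_us


def record_timeout(srtt, server):
    """Penalise a server that did not answer."""
    srtt[server] += TIMEOUT_PENALTY_US


def age_others(srtt, queried):
    """Decay every server that was not queried, so it is retried later."""
    for s in srtt:
        if s != queried:
            srtt[s] *= AGE_FACTOR


def resolve_once(srtt, responders):
    """
    Query servers in increasing SRTT order until one answers.
    'responders' maps a server to its RTT in microseconds; a server
    absent from the map stays silent and gets the timeout penalty.
    Returns the server that answered, or None.
    """
    for server in sorted(srtt, key=lambda s: srtt[s]):
        rtt = responders.get(server)
        if rtt is None:
            record_timeout(srtt, server)
            continue
        record_reply(srtt, server, rtt)
        age_others(srtt, server)
        return server
    return None


def promote(srtt, target, rounds=1, target_rtt_us=5_000):
    """
    Attack model from the bulletin: for names under a zone the
    attacker controls, only 'target' answers while the other servers
    of the delegated group stay silent. Each round penalises the
    silent servers and rewards the target. Returns the server the
    resolver prefers afterwards.
    """
    responders = {target: target_rtt_us}   # constructed: target replies in 5 ms
    for _ in range(rounds):
        resolve_once(srtt, responders)
    return select(srtt)


def rounds_until_retried(srtt, server, honest_rtt_us=5_000, max_rounds=1000):
    """
    Count the honest rounds (every server answers with the same RTT)
    needed before 'server' is queried first again, i.e. how long the
    decay takes to undo the promotion. Returns None if it never is.
    """
    responders = {s: honest_rtt_us for s in srtt}
    for n in range(1, max_rounds + 1):
        if resolve_once(srtt, responders) == server:
            return n
    return None


if __name__ == "__main__":
    # Constructed starting table: ns1 is the fastest, ns3 the slowest.
    table = {"ns1": 10_000.0, "ns2": 20_000.0, "ns3": 30_000.0}
    print("preferred before attack:", select(table))
    print("preferred after attack: ", promote(table, "ns3"))
    print("SRTT table:", {s: round(v) for s, v in table.items()})
    print("honest rounds until ns1 is retried:",
          rounds_until_retried(table, "ns1"))
```

A single round in which ns1 and ns2 stay silent lifts their weights by the timeout penalty while ns3's weight drops toward its measured RTT, so ns3 becomes the preferred server; the decay then needs on the order of two hundred honest rounds to bring ns1 back, which is why a resolver whose selection has been steered this way stays predictable for a while.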
An attacker can therefore abuse a weakness of the SRTT algorithm,
in order to force a BIND recursive server to prefer a given
authoritative server among several. Since the attacker then knows
which server (the one with the low weight) the recursive server
will query, this weakness facilitates attacks using spoofed DNS
records that impersonate that server.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN