Zero-day threat takes out DNS servers across the internet

A zero-day vulnerability has been crashing BIND 9 name servers across the internet, leading to service interruptions for scores of organisations in the US, according to an urgent security advisory from the Internet Systems Consortium (ISC).

The ISC rated the flaw as serious, explaining that it could be remotely exploited and that affected DNS servers crashed after "logging an error in query.c with the following message: 'INSIST(! dns_rdataset_isassociated(sigrdataset))'".

"An as-yet unidentified network event caused BIND 9 resolvers to cache an invalid record, subsequent queries for which could crash the resolvers with an assertion failure," the advisory said.

"ISC is working on determining the ultimate cause by which a record with this particular inconsistency is cached."

In the meantime, the ISC has issued a patch to prevent the crashes (see link above).

Web consultant Mark Stockley wrote on the Sophos Naked Security blog that most of the DNS servers on the internet run BIND 9, and that the flaw "appears to be a denial-of-service vulnerability being exploited in the wild".

Matt Barrett, senior solutions architect at vulnerability management firm Rapid7, explained that the first attack was discovered at the National Weather Service in the US, and was followed up by 89 separate attacks on US universities.

"Gone unchecked, this attack could potentially affect nearly the entire internet," he added.

"A temporary patch has already been released, but we encourage everyone to submit packet-capture from their own systems to ISC so they can further investigate."