Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Update Protection against ISC BIND 9 Denial of Service Vulnerability

Subscribe

Check Point Reference: CPAI-2009-219
Date Published:
Severity:
Last Updated:
Source:  ISC
Industry Reference(s):

CVE-2009-0696
VU#725188
Protection Provided by: Security Gateway
  • R70
VPN-1
  • NGX R65
VSX
  • NGX R65
IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
BIND 9 (all versions)
Vulnerability Description
ISC BIND 9 contains a vulnerability that may allow a remote attacker to create a denial-of-service condition. The Berkeley Internet Name Domain (BIND) is a popular Domain Name System (DNS) implementation from Internet Systems Consortium (ISC). It includes support for dynamic DNS updates. BIND 9 can crash when processing a specially-crafted dynamic update packet. By sending a specially-crafted dynamic update packet to a BIND 9 server, a remote, unauthenticated attacker can cause a denial of service by causing BIND to crash.
Vulnerability Status
The vulnerability is being actively exploited in the wild.
Vulnerability Details
ISC notes that the vulnerability affects all servers that are masters for one or more zones (launching the attack against slave zones does not trigger the vulnerability) and is not limited to those that are configured to allow dynamic updates.

Protection Overview
This protection will detect and block DNS update requests for RR of type ANY.

In order for the protection to be activated, update your Security Gateway/VPN-1 product to the latest IPS/SmartDefense update. For information on how to update IPS/SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway R70

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Application Intelligence > DNS.
2. In the right pane, double-click the BIND 9 DNS Server Dynamic Update Denial of Service protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: DNS Enforcement Violation
Attack Information: BIND 9 DNS server dynamic update denial of service

VPN-1 NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > DNS > BIND 9 DNS Server Dynamic Updated Denial of Service.
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: DNS Enforcement Violation
Attack Information: BIND 9 DNS server dynamic updated denial of service

VPN-1 VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > DNS > BIND 9 DNS server dynamic updated denial of service.
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: DNS Enforcement Violation
Attack Information: BIND 9 DNS server dynamic updated denial of service

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Network Intelligence > DNS, and select the Labels protection group.
3. Click DNS Update DoS for type ANY RR (CVE-2009-0696) - (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Alert Name: DNS Names and Labels Alerts
Description: DNS Update DoS for type ANY RR (CVE-2009-0696)