What is A BIND Birthday Attack on DNS and How To Eliminate This Threat?

We live in a world where troubles are never ending. They keep coming one after the other. Same goes for the world of computers. Viruses, bugs, trojan horses and other such disastrous elements keep showing up time and again. DNS (Domain name server) attacks have been such elements which have kept the users daunting for quite some time now. Engineers keep researching about various cache poisoning methods and try to come up with better ways to defend against these kinds of attacks and ensure proper DNS protection. One such attack is the BIND (Berkeley Internet Name Domain) birthday attack. The nomenclature has got a lot to do with the Birthday paradox which states that if there are 23 people in a room, the chances of two of them sharing the same birth date is 50-50. What has this paradox got to do with the BIND attack? Well, let’s make the concept of this BIND birthday attack clear:

The Mechanism:

When your computer gets connected to the internet, a local DNS server is assigned to you. For every symbol entered by you, your system contacts the local server for resolution. The returned value is then stored in a local cache. If not resolved properly, the request is then transferred to another DNS server which has more information. It forms a chain when there are continuous requests to different servers and is hence called recursive. The final result looks like it was returned by the local DNS server to your computer. In the early 2000s, the information spread that BIND allowed false DNS server resolutions, which came to be known as cache poisoning. This attack takes place when the cache of the local DNS server is poisoned with false resolutions and then following the chain, the client cache is poisoned as well.

So, how does the DNS server is made to accept false resolutions? It’s a bit tricky yet simple. Let me explain how. The attacker makes a name request to the victim server. The request is intentionally set in a way so as to yield a recursive solution. The attacker then feeds the false information to the recursive request too! The attack becomes successful due to some loopholes in the DNS and BIND. Both of them share implicit trust with each other, which means that there is no authentication required over the implementation of DNS by BIND.

Moreover, an older version of BIND still permits multiple simultaneous requests for the same name! The attacker then chooses the 16-bit Identifier (It is the only thing that connects a request to its reply) and guesses it to have accepted a false response. N recursive requests and N replies with random identifiers are then sent by the attacker. When this N reaches to about 700, the Birthday Paradox prevails, which means that the probability of one of the requests by the victim server matching one of the generated responses will be high.

How To Defend Against It?

There can be various situations you have to face as a BIND user. For example, there can be instances where your users are returned false information or your server gets hijacked. Let’s categorically look at what different people do to defend against this kind of attacks:

  • As a Domain owner: It is sometimes beyond your control to defend your server against those spoofing your name for a fake nameserver. You can use SSL for authentication to your browsers. However, detection of such attacks would still be difficult. Also, there can be people trying to slow your server down, which may put up a negative impact before your visitors.
  • Nameserver Admin: Updating BIND to the latest version would prove to be the best method for you. As already mentioned, in the older versions, BIND still permits multiple requests under the same name which is not the case with the newer versions. You can also choose to disable the requests coming from the outside world which would yield a recursive result.
  • As an End user: If your company doesn’t upgrade BIND, you can try running your own recursive resolver. Stick to the basic security features such as antiviruses and firewalls to prevent your computer from any alien malware.
  • As a Vendor: You can fix the problem yourself by limiting the number of requests under the same name to one. If you have already updated it to the latest version, it’s fine enough.

Moreover, you should regularly inspect your DNS server as these attacks come uninvited. Security should be the most basic priority for any website, as cyber-crime has reached new levels. Take care of your DNS server and prevent it from any further BIND birthday attacks!