BIND 8 and 9 Vulnerabilities / ISP Blocking Traffic yet / Sharing thoughts
BIND 8 and 9 Vulnerabilities
Two vulnerabilities in Internet Systems Consortium, Inc. (ISC) BIND were released today at UNIRAS(UK Gov CERT).
The first one will affect BIND versions v8.4.4 and v8.4.5 and may cause a Denial of Service. According the advisory, this vulnerability is rated as low.
As mitigation, the Internet System Consortium (ISC) recommended the following work-around:
- Disable recursion and glue fetching
A new version was released to fix this: 8.4.6
This advisory is at: http://www.niscc.gov.uk/niscc/docs/al-20050125-00059.html?lang=en
The second one is related to Bind 9 and affects BIND v9.3.0. It is also rated as low but may cause Denial of Service if exploited.
As mitigation, the advisory recommends the following work-around:
- Disable dnssec validation (off by default) at the Options/View level
A new version 9.3.1 was also released.
This advisory is at: http://www.niscc.gov.uk/niscc/docs/al-20050125-00060.html?lang=en
ISP Blocking Traffic yet
SANS ISC Handler John´s diary from yesterday gave a lot of feedback regarding the ISP blocking traffic topic.
While it was John´s opinion, I would like to give mine as well.
We received emails from people that agreed with what he wrote and people that didn't agree. I am in the middle of them.
One model that I like is from one telecom company in Brazil. For the home adsl user, they block ingress traffic to some well known problematic ports, like ´hack-me´ 137-139, 445, and some service ports like 80, 1434, 1433,etc...according this company it reduced a lot the impact of some worms.
They are now thinking about egress traffic, like for port 445. This is a good solution because the ingress block would prevent some worms from reaching the machine and the egress filter would prevent their infected users from scanning and infecting other network(s).
Corporate adsl users with static IP address are far more difficult and I dont believe that any filtering rules would work with them. They ´bought´ a link, and they must have access to all kind of traffic. Of course, if that traffic doesn't violate an AUP (Acceptable Use Policy).
Sharing thoughts...
Some web sites are reproducing an interview with a brazilian guy who wrote a virus for mobile devices and posted the source code in his site.
I was upset with that article because it makes Brazil look like it is something of a 'no-man´s-land'...
I just would like to say some things in this article are wrong.
Is wrong to think that write virus is a good way to disseminate knowledge, like the virus' author says.
Is wrong to think that Brazil is not using it´s resources to fight hackers. They are doing a really nice job over there, fighting and arresting the miscreants. Laws are being changed to get them. The Brazilian CERTs (CAIS/NBSO) are doing great things there.
In short, there are still a lot of things to do, but we are moving on...and there is no 'good thing' in writing and disseminate virus and malwares...
ok...enough rant for my first diary of the year...:)
--------------------------------------------------------
Handler on Duty: Pedro Bueno (pbueno /AT/ isc.sans.org)
Two vulnerabilities in Internet Systems Consortium, Inc. (ISC) BIND were released today at UNIRAS(UK Gov CERT).
The first one will affect BIND versions v8.4.4 and v8.4.5 and may cause a Denial of Service. According the advisory, this vulnerability is rated as low.
As mitigation, the Internet System Consortium (ISC) recommended the following work-around:
- Disable recursion and glue fetching
A new version was released to fix this: 8.4.6
This advisory is at: http://www.niscc.gov.uk/niscc/docs/al-20050125-00059.html?lang=en
The second one is related to Bind 9 and affects BIND v9.3.0. It is also rated as low but may cause Denial of Service if exploited.
As mitigation, the advisory recommends the following work-around:
- Disable dnssec validation (off by default) at the Options/View level
A new version 9.3.1 was also released.
This advisory is at: http://www.niscc.gov.uk/niscc/docs/al-20050125-00060.html?lang=en
ISP Blocking Traffic yet
SANS ISC Handler John´s diary from yesterday gave a lot of feedback regarding the ISP blocking traffic topic.
While it was John´s opinion, I would like to give mine as well.
We received emails from people that agreed with what he wrote and people that didn't agree. I am in the middle of them.
One model that I like is from one telecom company in Brazil. For the home adsl user, they block ingress traffic to some well known problematic ports, like ´hack-me´ 137-139, 445, and some service ports like 80, 1434, 1433,etc...according this company it reduced a lot the impact of some worms.
They are now thinking about egress traffic, like for port 445. This is a good solution because the ingress block would prevent some worms from reaching the machine and the egress filter would prevent their infected users from scanning and infecting other network(s).
Corporate adsl users with static IP address are far more difficult and I dont believe that any filtering rules would work with them. They ´bought´ a link, and they must have access to all kind of traffic. Of course, if that traffic doesn't violate an AUP (Acceptable Use Policy).
Sharing thoughts...
Some web sites are reproducing an interview with a brazilian guy who wrote a virus for mobile devices and posted the source code in his site.
I was upset with that article because it makes Brazil look like it is something of a 'no-man´s-land'...
I just would like to say some things in this article are wrong.
Is wrong to think that write virus is a good way to disseminate knowledge, like the virus' author says.
Is wrong to think that Brazil is not using it´s resources to fight hackers. They are doing a really nice job over there, fighting and arresting the miscreants. Laws are being changed to get them. The Brazilian CERTs (CAIS/NBSO) are doing great things there.
In short, there are still a lot of things to do, but we are moving on...and there is no 'good thing' in writing and disseminate virus and malwares...
ok...enough rant for my first diary of the year...:)
--------------------------------------------------------
Handler on Duty: Pedro Bueno (pbueno /AT/ isc.sans.org)
Keywords:
0 comment(s)
×
![modal content]()
Diary Archives
Comments
www
Nov 17th 2022
6 months ago
EEW
Nov 17th 2022
6 months ago
qwq
Nov 17th 2022
6 months ago
mashood
Nov 17th 2022
6 months ago
isc.sans.edu
Nov 23rd 2022
6 months ago
isc.sans.edu
Nov 23rd 2022
6 months ago
isc.sans.edu
Dec 3rd 2022
6 months ago
isc.sans.edu
Dec 3rd 2022
6 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
isc.sans.edu
Dec 26th 2022
5 months ago
isc.sans.edu
Dec 26th 2022
5 months ago