An attacker could exploit vulnerabilities in implementations of the Domain Name System protocol to cause a denial of service in a variety of products, the British-based National Infrastructure Security Co-Ordination Centre (NISCC) said.
The NISCC advisory said "many vendors include support for this protocol in their products and may be impacted to varying degrees, if at all." Two DNS experts, Roy Arends and Jakob Schlyter, found several vulnerabilities in the protocol, an Internet service that translates domain names into Internet Protocol (IP) addresses. Noting the importance of the protocol, the NISCC said, "Because domain names are alphabetic, they're easier to remember. However, the Internet is really based on IP addresses; hence, every time a domain name is requested, a DNS service must translate the name into the corresponding IP address."
The advisory said the vulnerabilities "are a result of liberal interpretation of the DNS protocol by implementers. DNS uses a message format to provide a mechanism to resolve domain names into IP addresses; a message can either be a 'query' or a 'response.' By implementing the protocol in such a way in which a 'response' is allowed to be answered with a 'response,' this will cause messages to bounce back and forth between the servers and hence cause a query-response storm that can result in a denial-of-service attack."
Furthermore, the NISCC said, by sending these implementations a query that appears to originate from the local host on UDP Port 53, the server "will respond to itself and will keep responding to these responses," entering a loop that can exhaust system resources and result in a denial-of-service attack.
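The two loop conditions in the advisory come down to checks a resolver can make on each inbound datagram before it answers: inspect the QR bit of the 12-byte DNS header and never reply to a message that is itself a response, and never answer a "query" whose source address and port are the resolver's own. The following is an added illustration written for this article, not code from the advisory or from any affected vendor; the local address 192.0.2.53:53 and the sample datagrams are constructed values.

```python
import struct
from typing import Optional, Tuple

# Constructed address/port of the resolver this check runs on (assumption).
LOCAL_ADDR = ("192.0.2.53", 53)


def parse_dns_header(msg: bytes) -> Optional[dict]:
    """Decode the fixed 12-byte DNS header (RFC 1035 section 4.1.1).

    Returns None when the datagram is too short to hold a header.
    """
    if len(msg) < 12:
        return None
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,        # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "qdcount": qd,
        "ancount": an,
    }


def should_answer(msg: bytes, src: Tuple[str, int]) -> Tuple[bool, str]:
    """Decide whether an inbound datagram is a query worth answering.

    Check 1 stops the response-to-response ping-pong between servers;
    check 2 stops the server from replying to itself after a spoofed
    query that claims to come from its own address on UDP port 53.
    """
    hdr = parse_dns_header(msg)
    if hdr is None:
        return False, "dropped: truncated header"
    if hdr["qr"] == 1:
        return False, "dropped: response received where a query was expected"
    if src == LOCAL_ADDR:
        return False, "dropped: query source is our own address and port"
    if hdr["qdcount"] == 0:
        return False, "dropped: query carries no question section"
    return True, "query accepted"


def build_header(ident: int, qr: int, qdcount: int = 1) -> bytes:
    """Build a constructed header-only datagram: QR bit plus RD set."""
    flags = (qr << 15) | (1 << 8)
    return struct.pack("!HHHHHH", ident, flags, qdcount, 0, 0, 0)
```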
Several vendors whose products may be affected are listed in the advisory. Of them:
- Swedish video networking firm Axis Communications Inc. said the vulnerability has been eliminated from its products.
- Cisco Systems of San Jose, Calif., is evaluating the vulnerabilities and will release a security advisory if it confirms the vulnerability affects its products.
- VeriSign Inc. of Mountain View, Calif., said the vulnerability had affected its ATLAS platform but has been corrected. New code addressing the issue was deployed in January.
- The other vendors listed in the advisory said they investigated the issues and found their products are not affected.