"ISC would like to point out that the vector identified by Mr. Franke is not the only one possible, and that operators of *ANY* recursive *OR* authoritative nameservers running an unpatched installation of an affected version of BIND should consider themselves vulnerable to this security issue," Wright said. "We wish, however, to express agreement with the main point of Mr. Franke's comment, which is that the required complexity of the exploit for this vulnerability is not high, and immediate action is recommended to ensure your nameservers are not at risk."
This bug could be a serious threat considering the widespread use of BIND 9, according to Dan Holden, director of the security engineering and response team at DDoS mitigation vendor Arbor Networks. Attackers might start targeting the flaw given the media attention surrounding DNS in the recent days and the low complexity of such an attack, he said Friday via email.
Several security companies said earlier this week that a recent DDoS (distributed denial-of-service) attack targeting an anti-spam organization was the largest in history and affected critical Internet infrastructure. The attackers made use of poorly configured DNS servers to amplify the attack.
"There is a fine line between targeting DNS servers and using them to perform attacks such as DNS amplification," Holden said. "Many network operators feel that their DNS infrastructure is fragile and often they go through additional measures to protect this infrastructure, some of which exacerbate some of these problems. One such example is deploying inline IPS devices in front of DNS infrastructure. Designing appropriate filters to mitigate these attacks with stateless inspection is near impossible."
"If operators are relying on inline detection and mitigation, very few security research organizations are proactive about developing their own proof-of-concept code on which to base a mitigation upon," Holden said. "Thus, these types of devices will very rarely get protection until we see semi-public working code. This gives attackers a window of opportunity that they may very well seize."
Also, historically DNS operators have been slow to patch and this may definitely come into play if we see movement with this vulnerability, Holden said.