Service Notices
BIND Amplifies Reflection Attacks (CVE-2020-8616)
May 22, 2020 GMT+08:00
I. Overview
Internet Systems Consortium (ISC) has released a security notice disclosing a BIND vulnerability (CVE-2020-8616). For a server performing recursion to locate records in the DNS graph, it must be able to process referrals, such as those it receives when it queries an authoritative server for a record that is delegated elsewhere. In its original design, BIND does not sufficiently limit the number of fetches it may perform while processing a referral response. An attacker who deliberately exploits this flaw can, through specially crafted referrals, cause a recursive server to issue a very large number of fetches in its attempt to process the referral.
The researchers who discovered this vulnerability have published full details and named the attack technique NXNSAttack. Reference links:
https://kb.isc.org/docs/cve-2020-8616
https://www.zdnet.com/article/nxnsattack-technique-can-be-abused-for-large-scale-ddos-attacks/
II. Severity
Severity: important
(Severity scale: low, moderate, important, critical)
III. Affected Products
Affected Versions:
BIND
9.0.0 to 9.11.18
9.12.0 to 9.12.4-P2
9.14.0 to 9.14.11
9.16.0 to 9.16.2
9.17.0 to 9.17.1 of the 9.17 experimental development branch
9.13 and 9.15 development branches
9.9.3-S1 to 9.11.18-S1
Secure Versions:
BIND 9.11.19
BIND 9.14.12
BIND 9.16.3
BIND 9.11.19-S1
IV. Vulnerability Handling
This vulnerability has been fixed in the latest official releases. If the BIND version you run falls within an affected range, upgrade it to the corresponding secure version listed above.
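To apply the version lists above mechanically, for example against the banner that `named -v` prints on each resolver in a fleet, here is an added Python example (not ISC's or HUAWEI CLOUD's code). It encodes only the ranges and secure releases stated in this notice; the `named -v` banner in the demo is constructed, and the parser assumes BIND's `-Pn` (patch) and `-Sn` (Subscription Edition) suffix convention.

```python
"""Classify a BIND 9 version against the CVE-2020-8616 ranges in this notice."""
import re

# Inclusive (lowest, highest) affected ranges, copied from section III.
AFFECTED_RANGES = [
    ("9.0.0", "9.11.18"), ("9.12.0", "9.12.4-P2"), ("9.14.0", "9.14.11"),
    ("9.16.0", "9.16.2"), ("9.17.0", "9.17.1"), ("9.9.3-S1", "9.11.18-S1"),
]
AFFECTED_DEV_BRANCHES = {(9, 13), (9, 15)}  # whole branches listed as affected
# Secure releases from section III, keyed by (major, minor, subscription edition).
SECURE = {(9, 11, False): "9.11.19", (9, 14, False): "9.14.12",
          (9, 16, False): "9.16.3", (9, 11, True): "9.11.19-S1"}

# Matches a bare version or the version inside a `named -v` banner.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:-([PS])(\d+))?")

def parse_version(text):
    """Return ((major, minor, patch, p_level), is_subscription_edition).
    -Pn patch levels sort after the base release; -Sn marks the Subscription
    Edition, whose affected range the notice lists separately."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no BIND version found in %r" % text)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    kind, num = m.group(4), m.group(5)
    p_level = int(num) if kind == "P" else 0
    return (major, minor, patch, p_level), kind == "S"

def is_affected(text):
    """True if the version lies in a range the notice lists as affected.
    Versions outside every listed range (e.g. 9.12.4-P3) are reported as not listed."""
    key, is_s = parse_version(text)
    if not is_s and key[:2] in AFFECTED_DEV_BRANCHES:
        return True
    for low, high in AFFECTED_RANGES:
        (lo, lo_s), (hi, _) = parse_version(low), parse_version(high)
        if lo_s == is_s and lo <= key <= hi:
            return True
    return False

def secure_version_for(text):
    """Secure release the notice names for this branch, or None if it names
    none (e.g. 9.12.x), in which case a fixed branch must be chosen instead."""
    key, is_s = parse_version(text)
    return SECURE.get((key[0], key[1], is_s))

if __name__ == "__main__":
    # Constructed banner in the `named -v` style; the <id:...> value is a placeholder.
    for v in ("BIND 9.16.1 (Stable Release) <id:placeholder>", "9.12.4-P2", "9.11.19-S1"):
        print(v, "->", "affected" if is_affected(v) else "not listed", secure_version_for(v))
```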
Download link:
The Anti-DDoS service provided by HUAWEI CLOUD offers a defense policy against DNS reflection amplification attacks, which can scrub the attack traffic generated by exploitation of this vulnerability.
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.