BIND 9 NS Selection SRTT Algorithm Weakness

Aleph Research Advisory

Identifier

ALEPH-2013001

Severity

Moderate

Product

ISC BIND

Technical Details

An off-path attacker can influence the SRTT algorithm implemented by BIND, in order to derandomize the NS selection, i.e. the attacker can easily and deterministically control the queried name server chosen by BIND’s resolver. The attack reduces the time and effort required to successfully poison BIND’s cache.

Timeline

01-Mar-17
: Added as ALEPH-2013001.
13-Aug-13
: Public disclosure.

Credit

Roee Hay (@roeehay) of Aleph Research, HCL Technologies
Jonathan Kalechstain
Gabi Nakibly

External References

USENIX WOOT '13
Operational Notification - A Vulnerability in the SRTT Algorithm affects BIND 9 Authoritative Server Selection