CVE-2024-0760 Overview
A denial of service vulnerability exists in ISC BIND 9 that allows a malicious client to send a flood of DNS messages over TCP, potentially causing the server to become unstable while the attack is in progress. The server may recover after the attack ceases, but the vulnerability cannot be mitigated through the use of Access Control Lists (ACLs), making it particularly concerning for organizations relying on BIND for DNS resolution services.
Critical Impact
Attackers can remotely destabilize BIND 9 DNS servers through TCP message flooding, causing service disruption without requiring authentication or user interaction.
Affected Products
- BIND 9 versions 9.18.1 through 9.18.27
- BIND 9 versions 9.19.0 through 9.19.24
- BIND 9-S (Supported Preview Edition) versions 9.18.11-S1 through 9.18.27-S1
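As an added example (not code from ISC or from the page's sources), the following Python check turns the affected ranges above into something a fleet inventory can run against the first line of `named -v` output. The version-string layouts it recognises (an optional "BIND " prefix, `major.minor.patch`, an optional `-S<n>` suffix for the Supported Preview Edition, and tolerated packaging suffixes such as `-1-Debian`) are assumptions about that output. Distribution packages that backport the fix without changing the version number will still be reported as affected, so confirm against the vendor's advisory before acting on the result.

```python
import re
from typing import Optional, Tuple

# Affected ranges from the advisory, keyed by (major.minor branch, Supported Preview Edition?)
# and giving the inclusive first and last affected patch level.
AFFECTED_RANGES = {
    ("9.18", False): (1, 27),   # 9.18.1 through 9.18.27
    ("9.19", False): (0, 24),   # 9.19.0 through 9.19.24
    ("9.18", True):  (11, 27),  # 9.18.11-S1 through 9.18.27-S1
}

# Assumed layout of `named -v` output: optional "BIND " prefix, then major.minor.patch,
# then an optional -S<n> suffix for the Supported Preview Edition. Packaging suffixes
# such as "-1-Debian" are tolerated because they do not start with "-S".
_VERSION_RE = re.compile(r"^(?:BIND\s+)?(\d+)\.(\d+)\.(\d+)(?:-S(\d+))?")


def parse_bind_version(text: str) -> Optional[Tuple[int, int, int, bool]]:
    """Return (major, minor, patch, is_preview_edition) or None if unrecognised."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return major, minor, patch, m.group(4) is not None


def is_affected_by_cve_2024_0760(text: str) -> bool:
    """True if the version string falls inside an affected range; raises on junk input."""
    parsed = parse_bind_version(text)
    if parsed is None:
        raise ValueError(f"unrecognised BIND version string: {text!r}")
    major, minor, patch, preview = parsed
    bounds = AFFECTED_RANGES.get((f"{major}.{minor}", preview))
    if bounds is None:
        return False  # other branches (9.16, 9.20, ...) are not listed as affected
    first, last = bounds
    return first <= patch <= last


if __name__ == "__main__":
    # Constructed sample strings in the assumed `named -v` layout.
    for sample in (
        "BIND 9.18.27 (Extended Support Version) <id:>",
        "BIND 9.18.28 (Extended Support Version) <id:>",
        "BIND 9.18.27-S1 (Supported Preview Edition) <id:>",
        "BIND 9.18.24-1-Debian (Extended Support Version) <id:>",
        "BIND 9.20.0 (Stable Release) <id:>",
    ):
        verdict = "AFFECTED" if is_affected_by_cve_2024_0760(sample) else "not in affected range"
        print(f"{sample:60s} -> {verdict}")
```

On a live host, pipe the output of `named -v` into `is_affected_by_cve_2024_0760` instead of the constructed strings; a result of "not in affected range" for a 9.20.x or 9.18.28+ build is the expected post-upgrade state.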
Discovery Timeline
- July 23, 2024 - CVE-2024-0760 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2024-0760
Vulnerability Analysis
This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling), indicating that BIND 9 fails to properly limit the rate or quantity of DNS messages it processes over TCP connections. When a malicious client establishes a TCP connection and begins sending a high volume of DNS messages, the server allocates resources to process each message without adequate throttling mechanisms in place.
The attack leans on a property of DNS over TCP (RFC 7766): a single connection may carry many queries, and a client may pipeline them without waiting for each answer. UDP queries are connectionless and cost the server almost no state, whereas a TCP connection holds state for its lifetime and the server must read, parse and queue every message that arrives on it. The vulnerable BIND versions do not adequately bound the number of messages they take in per connection, so a client can push work at the server faster than it can be processed.
Root Cause
The root cause is that BIND 9's TCP message handling imposes no sufficient bound on how many incoming DNS messages it will accept from a connection. A client can therefore deliver messages faster than the server can sustainably process them, and the backlog of unprocessed work consumes memory and CPU. This is the uncontrolled resource consumption pattern described by CWE-770 and a classic denial-of-service vector.
Attack Vector
The attack is network-based and can be executed remotely without authentication or user interaction. An attacker establishes one or more TCP connections to the target BIND 9 server and begins transmitting DNS messages at a high rate. The server attempts to process each message, consuming CPU, memory, and other system resources. As the message volume increases, the server becomes increasingly unstable.
A notable characteristic of this issue, stated explicitly in the ISC advisory, is that BIND's ACLs (allow-query and similar directives) do not mitigate the attack. This fits the resource-exhaustion nature of the problem: ACLs are evaluated per query only after the server has accepted the connection and read and parsed the message, so the work that exhausts the server is done regardless of whether each query is then answered or refused. Exposure therefore has to be limited in front of named, at the firewall or an upstream filtering layer, rather than in named.conf.
Detection Methods for CVE-2024-0760
Indicators of Compromise
- Unusual increase in TCP connections to port 53 from single or multiple source IPs
- High volume of DNS queries over TCP compared to normal baseline traffic patterns
- BIND server process consuming abnormally high CPU or memory resources
- DNS service response degradation or intermittent unavailability during attack periods
Detection Strategies
- Monitor TCP connection counts and rates to DNS servers for anomalous spikes
- Implement network flow analysis to detect high-volume TCP DNS traffic patterns
- Configure SIEM alerts for BIND process resource utilization anomalies
- Deploy IDS/IPS rules to detect TCP DNS flood patterns targeting BIND servers
Monitoring Recommendations
- Establish baseline metrics for normal TCP DNS query volumes and connection patterns
- Enable BIND query logging to identify suspicious query patterns during incidents
- Monitor system resources (CPU, memory, network) on DNS servers with automated alerting
- Implement network-level visibility for DNS traffic analysis and forensic investigation
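As an added example of the query-log approach above (not code from ISC or from the page's sources), the following Python script parses lines in the layout of BIND 9's query log, keeps a per-source sliding window of TCP queries (the T flag in the query-log flag field) and reports sources whose count inside the window exceeds a threshold. The log layout, the threshold, the server address 192.0.2.53 and the sample lines are constructed assumptions; adjust the regex to your logging channel's settings. Query logging on a busy resolver is itself expensive, so in production feed this logic from the log pipeline you already run rather than enabling query logging solely for it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Regex for lines in the layout of BIND 9's query log ("queries" category with
# print-time and print-category enabled). The token after the record type is the
# flag field, which carries 'T' when the query arrived over TCP. This layout is an
# assumption; adjust the pattern to match your logging channel configuration.
QUERY_LINE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) .*?"
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ .*?"
    r"query: \S+ IN \S+ (?P<flags>\S+)"
)


def parse_query_line(line):
    """Return (timestamp, source_ip, is_tcp) for a query-log line, or None for other lines."""
    m = QUERY_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group("ip"), "T" in m.group("flags")


def find_tcp_floods(lines, window=timedelta(seconds=1), threshold=20):
    """Sliding-window count of TCP queries per source IP.

    Returns {source_ip: peak number of TCP queries seen inside any `window`}
    for every source whose peak exceeded `threshold`. Lines are expected in
    timestamp order, as the query log writes them.
    """
    recent = defaultdict(deque)  # source IP -> timestamps of its TCP queries in the window
    peaks = {}
    for line in lines:
        parsed = parse_query_line(line)
        if parsed is None:
            continue
        ts, ip, is_tcp = parsed
        if not is_tcp:  # UDP queries are not part of this attack pattern
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and len(q) > peaks.get(ip, 0):
            peaks[ip] = len(q)
    return peaks


def _query_line(ts, ip, port, name, flags):
    # Constructed sample line in the assumed query-log layout; 192.0.2.53 is the server address.
    return (f"{ts:%d-%b-%Y %H:%M:%S}.{ts.microsecond // 1000:03d} queries: info: "
            f"client @0x7f1a2c000b10 {ip}#{port} ({name}): query: {name} IN A {flags} (192.0.2.53)")


def build_sample_lines():
    """Constructed log: one source pushes 40 TCP queries in 0.8 s over one connection,
    a normal client sends a few TCP and UDP queries, and an unrelated line is mixed in."""
    t0 = datetime(2024, 7, 23, 10, 0, 0)
    lines = []
    # Flood: 40 TCP queries from one source 20 ms apart, i.e. 40 inside a 1 s window.
    for i in range(40):
        lines.append(_query_line(t0 + timedelta(milliseconds=20 * i),
                                 "198.51.100.7", 40123, f"h{i}.example.com", "+T"))
    # Normal client: 5 TCP queries 300 ms apart (at most 4 in any 1 s window) plus UDP traffic.
    for i in range(5):
        lines.append(_query_line(t0 + timedelta(milliseconds=300 * i),
                                 "203.0.113.9", 51000 + i, "example.net", "+E(0)T"))
        lines.append(_query_line(t0 + timedelta(milliseconds=300 * i + 50),
                                 "203.0.113.9", 52000 + i, "example.net", "+E(0)"))
    lines.append("23-Jul-2024 10:00:00.500 general: info: zone example.com/IN: loaded serial 2024072301")
    # Timestamps are fixed-width and share one date, so text order equals time order.
    return sorted(lines)


if __name__ == "__main__":
    for ip, peak in find_tcp_floods(build_sample_lines()).items():
        print(f"possible TCP query flood from {ip}: {peak} TCP queries within 1 s")
```

The threshold is deliberately a parameter: a recursive resolver serving large zone transfers or DNSSEC-heavy clients will legitimately see more TCP than an authoritative server, so derive the value from the baseline you establish rather than from the sample data here.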
How to Mitigate CVE-2024-0760
Immediate Actions Required
- Upgrade BIND 9 to a fixed release: 9.18.28, 9.20.0 or 9.18.28-S1, or any later release on those branches (the 9.19 development branch was superseded by 9.20.0)
- Review DNS infrastructure architecture to implement redundancy and failover capabilities
- Consider implementing network-level rate limiting for TCP connections to DNS servers
- Deploy upstream network filtering to limit exposure of vulnerable BIND instances
Patch Information
ISC has released security updates to address this vulnerability. Organizations should consult the ISC CVE-2024-0760 Details for specific patch information and upgrade guidance. Additional vendor-specific guidance is available from NetApp Security Advisory NTAP-20240731-0004 for NetApp products incorporating BIND.
Security announcements were also published on the Openwall OSS Security Update and subsequent Openwall OSS Security Notice.
Workarounds
ISC's advisory lists no workaround for this issue, and BIND's own ACLs do not help. The measures below are compensating controls applied in front of named that reduce exposure while the upgrade is scheduled; they are not fixes.
- Implement external rate limiting at the network perimeter for TCP connections to port 53
- Deploy DNS traffic analysis and filtering appliances in front of BIND servers
- Consider using a DNS proxy or load balancer that can provide connection rate limiting
- Temporarily restrict TCP DNS access to trusted networks at the firewall or upstream filtering layer if operationally feasible
# Network-level rate limiting example using iptables (hashlimit match).
# Limit new TCP connections to port 53 to 100 per second per source IP with a
# short burst allowance; excess connection attempts are dropped. hashlimit is used
# rather than xt_recent because recent's --hitcount is capped by its ip_pkt_list_tot
# module parameter (20 by default), so a hitcount of 100 would fail to load.
# Caveat: this throttles connection setup only; it does not limit how many DNS
# messages a client sends on a connection it has already opened.
iptables -A INPUT -p tcp --dport 53 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name dns_tcp_new --hashlimit-mode srcip --hashlimit-above 100/second --hashlimit-burst 200 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.