Microsoft DNS Server Attacks Continue
In an advisory this morning borrowing language used during previous statements about completely different exploits, Microsoft's Security Response Center team confirmed that it has seen at least one new wave of attacks based on proof-of-concept code impacting its DNS server software in Windows Server-based systems.
The concept enables malicious users to run code remotely under the system privileges generally granted to the DNS service itself. Although technically, the exploit does not directly threaten Internet routing the same way as the crafted IPv6 header problem in Cisco routers that also periodically rears its ugly head (or heads its ugly rear), this exploit can impact the routing of e-mail and other IP traffic within an enterprise or limited domain.
Yesterday, Microsoft acknowledged that the proof-of-concept code discovered by engineers and reported by BetaNews was responsible for the first rash of attacks. But that acknowledgment was confused by multiple press sources as having been an indication that the code was just released, when in fact, the code may have been publicly disseminated for at least a matter of weeks, if not longer.
ZDNet blogger George Ou told BetaNews that Windows Server systems using DNS services could protect themselves more practically than Microsoft suggested. In a post for TechRepublic, he suggests users employ host-based firewalls in addition to external firewalls. Those external firewalls, he suggests, should block all ports by default except for UDP port 53 to the DNS server that's connected to the broader Internet.
In the host-based system, policies can be crafted to open incoming ports 1024 through 5000 only for stations that may be managing the DNS server remotely. Then port 3389 can be opened for stations to be reached via Remote Desktop. This way, internal traffic on the affected ports is more open, though controlled, while access to those ports remains blocked from outside the gateway.