{
	"id": "70742c2e-4050-4b4f-b61f-5e7868ebdfa2",
	"created_at": "2026-04-06T00:14:00.357877Z",
	"updated_at": "2026-04-10T03:22:05.781754Z",
	"deleted_at": null,
	"sha1_hash": "7749c3e89a838c3dfc9dfd8deeb3239db5a5f929",
	"title": "BIND9 - Denial of Service Exploit in the Wild",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 69375,
	"plain_text": "BIND9 - Denial of Service Exploit in the Wild\r\nBy Daniel Cid\r\nPublished: 2015-08-02 · Archived: 2026-04-05 23:17:46 UTC\r\nBIND is one of the most popular DNS servers in the world. It comes bundled with almost every cPanel, VPS and\r\ndedicated server installation and is used by most DNS providers.\r\nA week ago, the Internet Systems Consortium (ISC) team released a patch for a serious denial of service\r\nvulnerability (CVE-2015-5477) that allows a remote and unauthenticated attacker to crash the BIND (named)\r\ndaemon, taking down a DNS server.\r\nThis happens because of an error in the way BIND handles TKEY queries, which with a single UDP packet can\r\ntrigger a required assertion failure, causing the DNS daemon to exit.\r\nExploits in the Wild\r\nBecause of its severity we’ve been actively monitoring to see when the exploit would be live. We can confirm that\r\nthe attacks have begun. DNS is one of the most critical parts of the Internet infrastructure, so having your DNS go\r\ndown also means your email, HTTP and all other services will be unavailable.\r\nIf You Have Not Patched Your DNS Server, Do it Now!\r\nAll major Linux distributions (Red Hat, CentOS, Ubuntu, etc.) have already provided patches for it and a simple\r\n“yum update” on Red Hat/CentOS or “apt-get update” on Debian-based systems will get you protected.\r\nRemember though, for the change to take effect you must restart BIND after the update.\r\nIf you run your own DNS server, a quick way to see if you are being targeted is to look for the “ANY TKEY” in\r\nyour DNS logs:\r\nAug 2 10:32:48 dns named[2717]: client a.b.c.d#42212 (foo.bar): view north_america: query: foo.bar ANY TKEY + (x.y.z.zz)\r\nIn fact, you can look for any type of TKEY request, as they are not very common, and see if there have been any\r\nattempts. 
The example above is from one of the public exploits released. Note that you need to have querylog\r\nenabled (which you can do with the command “rndc querylog on”).\r\nClients using our DNS server, part of our Website Firewall, are already protected against this vulnerability. For\r\nexisting customers, you can enable the use of our DNS manager and find instructions in our knowledgebase.\r\nSource: https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html"
	],
	"report_names": [
		"bind9-denial-of-service-exploit-in-the-wild.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434440,
	"ts_updated_at": 1775791325,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7749c3e89a838c3dfc9dfd8deeb3239db5a5f929.pdf",
		"text": "https://archive.orkl.eu/7749c3e89a838c3dfc9dfd8deeb3239db5a5f929.txt",
		"img": "https://archive.orkl.eu/7749c3e89a838c3dfc9dfd8deeb3239db5a5f929.jpg"
	}
}