A flaw was found in Bind that incorrectly handles certain crafted TCP streams. The vulnerability allows TCP connection slots to be consumed for an indefinite time frame via a specifically crafted TCP stream sent from a client. This flaw allows a remote attacker to send specially crafted TCP streams with ‘keep-response-order’ enabled that could cause connections to BIND to remain in CLOSE_WAIT status for an indefinite period, even after the client has terminated the connection. This issue results in BIND consuming resources, leading to a denial of service.
To mitigate this issue in all affected versions of BIND, use the default setting of :
keep-response-order { none; }