Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security The Internet IT

DNS Problem Linked To DDoS Attacks Gets Worse 69

itwbennett writes "The percentage of devices on the Internet that are configured to accept DNS queries from anywhere — what networking experts call an 'open recursive' or 'open resolver' system — has jumped from around 50 percent in 2007 to nearly 80 percent this year, according to research sponsored by DNS appliance company Infoblox. As more consumers demand broadband Internet, service providers are rolling out modems configured this way to their customers, said Cricket Liu, vice president of architecture with Infoblox. Georgia Tech researcher David Dagon agreed that open recursive systems are on the rise, in part because of 'the increase in home network appliances that allow multiple computers on the Internet. ... Almost all ISPs distribute a home DSL/cable device. Many of the devices have built-in DNS servers. These can sometimes ship in "open by default" states.' What's worse, says Dagon, is that many of these devices do not include patches for a widely publicized DNS flaw discovered by researcher Dan Kaminsky last year."
This discussion has been archived. No new comments can be posted.

DNS Problem Linked To DDoS Attacks Gets Worse

Comments Filter:
  • For starters (Score:3, Insightful)

    by sopssa ( 1498795 ) * <sopssa@email.com> on Sunday November 15, 2009 @09:16AM (#30105554) Journal

    Why would a cable/adsl modem have an open recursive DNS server? There's not a single reason for that - either use your ISP's autodefined DNS servers, change them to something else or set up your own.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      One reason is to cut the # of queries coming into the ISP's servers. The modem can be a local cache.

    • Re: (Score:1, Informative)

      by Anonymous Coward

      Why would a cable/adsl modem have an open recursive DNS server? There's not a single reason for that - either use your ISP's autodefined DNS servers, change them to something else or set up your own.

      They don't. What the article is trying to say is that many ISP's are now distributing routers either stand-alone or as a modem/router combo unit. Which are almost always set to the ISP's DNS servers and not just hanging wide open as the article is claiming. Hell, most of these don't have the capability to do more than support either a hardcoded DNS number, or auto-learn it from the cable company's CMTS. I have never seen one that will just take updates from 3rd party DNS, although there is a possiblity if t

      • Umm, say what?!

        This is not FUD. The routers have DNS proxies in them. Some of those routers do the equivalent of "listen" on 0.0.0.0:53 and don't block queries arriving on the external interface.

        A small query sent to the router from the outside is then forwarded to the ISP's DNS server, which duly sends the answer back to the router, which the router then sends back to the original UDP source address, which was probably spoofed. That response packet can be much larger than the original request, and as f

    • "Why would a cable/adsl modem have an open recursive DNS server?"

      Why not? In fact, why any DNS over there shouldn't be opened to recursive searchs? I know why I don't want an opened resolver on my facilities and I know why buggy software shouldn't be opened to the Internet, but that is not what I'm asking.

    • Actually most routers don't have a fully recursive server - they have a "proxy" (or "forwarder").

      See my RFC 5625 [ietf.org] for more details, and some explanation for why the router even has this feature. The short answer is that it's so that the router can give a consistent DHCP OFFER before it knows what the upstream DNS servers are. See also slides I presented at the IETF DNSOP working group last week: http://tools.ietf.org/agenda/76/slides/dnsop-5.ppt [ietf.org]

      If the proxy is open on the WAN port then it'll forward all q

  • is this a problem (Score:3, Insightful)

    by hey ( 83763 ) on Sunday November 15, 2009 @09:18AM (#30105564) Journal

    Open DNS servers don't seem so bad to me.
    Like an open website -- OMG everyone can access it.

    • Re:is this a problem (Score:5, Informative)

      by RiotingPacifist ( 1228016 ) on Sunday November 15, 2009 @09:38AM (#30105686)

      1) If there is a flaw in the software, i can tell you DNS server that I slashdot is at 80.65.228.129 or that your bank resolves to my MITM attack site.
      2) I can use up all of your routers resources and then you can't lookup any sites yourself

      • by sopssa ( 1498795 ) *

        There's also a DDoS possibility, since the remote computer can send a 50 byte message that results in the DNS server getting 4 kilobytes of data back to query it. DDoS'r does many of those and your network is filled with that crap.

      • I don't understand. Are you saying you can hijack my DSL modem and make it point to your website, instead of my bank website? Does this flaw also affect traditional 33k or 56k dialup modems? Would swapping-out the hijacked modem for a new one eliminate this "hole"?

        Another semi-related question:

        If I swap my current DSL modem with the spare modem in my drawer, would that change my IP address?

        • by mengel ( 13619 )

          Real dialup modems don't do anything nearly as smart as DNS.

          DSL "Modems" are really full-blown routers, and generally have NAT routing setup, and DNS and DHCP servers. So yes, they can be vulnerable to DNS cache poisoning, and then you'll get some Phisher-pholk's server instead of your bank's.

        • by socsoc ( 1116769 )
          these can't be serious questions from someone with your username. if they are, ask your bff jill.
    • by arielCo ( 995647 )

      Like an open website -- OMG everyone can access it.

      This is more like an open website running on IIS 4.0 because it's what it's built into the server.

      Only these devices do not auto-update - funny thing considering that their function requires being connected to the Internet. The only problem would be prompting for authorization.

      • Re: (Score:2, Insightful)

        by iLogiK ( 878892 )
        I'm not sure how the DNS flaw works, but I just thought of something (feel free to mod me down if this is stupid) If you were to target someone specifically that was using a router that supported auto-update, but it didn't update itself with a fix for the vulnerability yet, couldn't you possibly use the DNS flaw to fool it into getting the update from one of your servers? Meaning, you could get the router to do pretty much anything you want, and a router can do a lot of bad stuff.
        • by arielCo ( 995647 )

          Oh, oh, by "auto-update" I meant software updates. (Kids, that's what happens when you post without having had enough sleep).

          My concern is that the software driving modems and routers is rarely updated, but they're standing between you and the wide, wild Internet. Sure they could check for new versions, but how do they prompt you for permission? (I think technically minded consumers would be a bit miffed if the manufacturer pushed patches behind your back)

    • No, more like an open proxy. This isn't about authoritative DNS servers responding to everyone (they do; that's what they're for) it's about DNS caches responding to queries from everyone (not just those on the local net), which wouldn't be so bad except that many of them are insecure.
  • Open by default, instead of closed.
  • by danwesnor ( 896499 ) on Sunday November 15, 2009 @09:45AM (#30105734)
    Yeah, but these devices are designed to name serve on the intranet, not the internet. Mine came with the default to ignore all traffic coming from the outside world.
    • by icebraining ( 1313345 ) on Sunday November 15, 2009 @10:33AM (#30105818) Homepage

      No, they're not, according to the summary: "devices on the Internet that are configured to accept DNS queries from anywhere", "Almost all ISPs distribute a home DSL/cable device. Many of the devices have built-in DNS servers. These can sometimes ship in "open by default" states.'

      Just because yours is closed by default, doesn't mean all are.

      • Re: (Score:3, Interesting)

        by danwesnor ( 896499 )
        OK, you're right, 1 of 1 is not enough to make an assumption. But of the 5 I've bought over the years from 3 different vendors, all 5 were shipped configured to accept DNS request from the intranet but block all requests of any type from the internet.
        • by Sabriel ( 134364 )

          Just check that the manufacturer hasn't been stupid enough to ship it with a internet-accessible backdoor built in.

          Example: http://hardware.slashdot.org/hardware/04/06/05/1250244.shtml [slashdot.org]

        • by greed ( 112493 )

          Note the difference between "ones you've bought" and "ones provided by the cable Internet vendor".

          My experience has been, any software provided by an ISP is to be treated as worse than malware.

          Since I never used 16-bit Windows, I never understood "Internet Dialler" software that Windows users seemed to always install from their ISP... and was always the first thing in the way when trying to fix a busted system. But it has served to convince legions that ISP-provided software is necessary to get on the Inte

  • Slashdot got DDoS'd or Slashdotted?
    • Does anyone else thinks it's funny that this story was posted while /. was showing "guru meditation" errors?

      • by rvw ( 755107 )

        Does anyone else thinks it's funny that this story was posted while /. was showing "guru meditation" errors?

        No

  • ... the RSS feed for this article fails to load!

    Error 503 Service Unavailable

    Service Unavailable

    Guru Meditation:

    XID: 1704629829

    Varnish [varnish-cache.org]

    • by sopssa ( 1498795 ) *

      You kids and your RSS feeds... That was on the whole site.

    • >>>Guru Meditation:

      You're surfing the net from a Commodore Amiga? Isn't that 400 megahertz PPC processor kinda slow? ;-)

      • by macraig ( 621737 )

        They weren't before my time, but I never laid a finger on anything branded Commodore, so the humor you see in it just confuses me! Maybe I should change my account to SinclairQL_love?

        • "Guru Meditation" is the Amiga's version of a kernal panic, and dates back to 1985. That's why I thought you making some in-joke about that machine (or else the website owner was). The screen looks like this:
          http://en.wikipedia.org/wiki/Guru_Meditation [wikipedia.org]

          • by macraig ( 621737 )

            Nice funny story about the origins of it. I'm sure the homage must make a few old Commodore coders feel warm and fuzzy. Hey, did you edit the Trivia section to include the mention of the Varnish homage, or was it already there? Ah, wait, checking History... nope, it's actually been there for a while.

      • by osu-neko ( 2604 )

        >>>Guru Meditation:

        You're surfing the net from a Commodore Amiga? Isn't that 400 megahertz PPC processor kinda slow? ;-)

        God gods, that would be blazing fast. IIRC, my Amiga had a 7 MHz 68000.

      • by jgrahn ( 181062 )

        >>>Guru Meditation:

        You're surfing the net from a Commodore Amiga? Isn't that 400 megahertz PPC processor kinda slow? ;-)

        That message got removed after Kickstart 1.3, when an Amiga had a 8MHz MC68000. Not that it matters -- the Amiga compensated for slow hardware with fast, well-written software.

  • by Anonymous Coward

    Cache poisoning is something you do by returning an answer to a DNS server that's doing a lookup on your behalf. Lets say I was able to sniff your traffic and see that you go to your Bank's web site based on the last DNS query your router did on your behalf. What I can then do is bombard your router back with answers for your bank's web site being a different IP address so that when your router finally does the DNS lookup again at some point, the potential is there for it to accept MY answer for their sit

    • by vlm ( 69642 )

      Lets say I was able to sniff your traffic and see that you go to your Bank's web site based on the last DNS query your router did on your behalf

      What makes it worse, is you don't need such a precision attack. You could have a botnet randomly bombard everyone with "somebankname.com" is 1.2.3.4, and eventually you'd get a hit. Hit rate too slow, get more bots...

  • The problem I have seen is a mixture of ISPs which take years to react to anything and suppliers of these devices not taking responsibility and simply blaming it on the ISP. Because of this I would appreciate a role call of ISPs and hardware involved in this, so that we can either avoid them or get them to fix the problem.

    • You could not be any more wrong on this with that statement. The ISP is not the issue and the hardware is not the issue. If you are to build a recursive DNS server and have it do recursive queries on the internet completely bypassing your Router and ISP's DNS setup - you are still vulnerable.
      • If you are to build a recursive DNS server and have it do recursive queries on the internet completely bypassing your Router and ISP's DNS setup - you are still vulnerable.

        Actually, only if you use NAT.

        If you have a fixed IP range internally and don't use any NAT then you can use the source port randomisation introduced on most servers after Kaminsky and remain very well protected against cache poisoning.

        The real problem is that if you're using NAT each outbound query will have (some of) its source header fields rewritten. So even if the internal recursive server properly picks a random source port, the NAT process in your router might de-randomise it.

        It's very common for NA

  • Several online tools were available to test for vulnerabilities on individual PCs back when Kaminsky discovered the sad state of DNS security. Is there a similar test for available for cable modems? How about a list of susceptible devices? I'd rather not put blind faith in my ISP to keep me out of harms way.
  • Ok, they list 2 ISP's as the leading "culprits".. in Spain, and France I guess.. then they go on to say something about DSL modems supplied with DNS servers ???.. what's that about ? really ? a DNS server on the modem ? .. a hard coded link to a DNS server maybe.. If your going to report a problem, then report a problem.. like the names of the manufacturers, models, and ISP's and give people something to look out for.
    • DNS cache proxies are common on cuonsumer routers.

      Of course almost universally these are set to block all requests from outside, so can't really be accused of causing a jump of open resolvers from 50% to 80% on their own.

      Also any network running authoritative DNS will have an open DNS.. that's unavoidable - although you normally rate limit it with iptables to stop magnification attacks.

      • DNS cache proxies are common on cuonsumer routers.

        Actually most of them don't cache - mostly they just forward. Of the ones I've tested only Apple's Airports had a real cache in them.

        Of course almost universally these are set to block all requests from outside, so can't really be accused of causing a jump of open resolvers from 50% to 80% on their own.

        The increase is interesting, and unexpected. I do know of some brands that are open by default from the outside, but had hoped that the recent research and various realted RFCs might have reduced the incidence of this.

        Also any network running authoritative DNS will have an open DNS.. that's unavoidable - although you normally rate limit it with iptables to stop magnification attacks.

        The number of authoritative servers on the internet isn't that large, and certainly not on the scale of the problem that Wessels et al have found. It's these

  • Is it just, me, or does anyone else have an issue with the name "David Dagon"? I keep imagining the interview taking place with him sitting on a giant basalt throne off the New England coast, at low tide ...
    • by sudog ( 101964 )

      No, it's not just you. I see Dagon and I think Shadow Over Innsmouth, or Dagon (2001) every time. It would be cool to have a name like that.. sort of like being Fred Cthulhu, or Samson Yog-sothoth.

    • And where does Cricket Liu fit in all this?

Beware of all enterprises that require new clothes, and not rather a new wearer of clothes. -- Henry David Thoreau

Working...